JSON.stringify breaks when Array.prototype.toJSON is defined

RESOLVED INVALID

People

(Reporter: leohorie, Unassigned)

Tracking

Version: 24 Branch
Platform: x86_64 Windows 7
Points: ---
Firefox Tracking Flags: (Not tracked)


Description

6 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31

Steps to reproduce:

JSON.stringify([1]) // "[1]"
Array.prototype.toJSON // undefined
Array.prototype.toJSON = function() {alert(1)}
JSON.stringify([1]) // undefined, alerts 1


Actual results:

JSON.stringify returns wrong value if Array.prototype.toJSON is defined (which is the case if Prototype.js is included in the page, for example). A malicious party could use this to steal data via XSS.


Expected results:

JSON.stringify([1]) should always return "[1]" regardless of what is done to Array.prototype

Comment 1

6 years ago
If you let somebody add things to Array.prototype, you've lost; there's nothing security-sensitive about this.

I tend to think that allowing code to override toJSON on arrays is a feature, not a bug, and so this is probably WONTFIX.
Assignee: nobody → general
Group: core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core

Comment 2

5 years ago
This is the required behavior by my reading of the ECMAScript 5 specification[1]. Chrome does the same thing.

[1] http://www.ecma-international.org/ecma-262/5.1/#sec-15.12.3

Comment 3

5 years ago
Indeed, this is by-design/by-spec and not a bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
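As an added example, not the reporter's code and not anything from SpiderMonkey or the ECMAScript text itself, the snippet below walks through the behaviour Comments 2 and 3 call by-spec (ES5 15.12.3, SerializeJSONProperty: a callable toJSON on the value is invoked before the replacer runs) and shows why a page cannot protect itself by holding a reference to JSON.stringify. The withArrayToJSON helper, the "HOOKED" marker string and the stringifyIgnoringArrayToJSON workaround are this example's own constructions.

```javascript
// Added example, not code from the bug report. Demonstrates how
// JSON.stringify consults toJSON on arrays (ES5 15.12.3) and what a
// page living next to a library that defines Array.prototype.toJSON
// can and cannot do about it.

// Holding a reference to the built-in does NOT help: the toJSON lookup
// happens inside stringify at call time, on every object value it visits.
const builtinStringify = JSON.stringify;

// Run fn with a recording toJSON installed on Array.prototype, then remove
// it again. `result` is what the hook returns (the reporter's hook returned
// undefined; Prototype.js returns a string).
function withArrayToJSON(result, fn) {
  const calls = [];
  Array.prototype.toJSON = function (key) {
    // toJSON receives the property key: "" at the top level, the property
    // name or array index below. `this` is the array being serialised.
    calls.push({ key: key, array: this.slice() });
    return result;
  };
  try {
    return { output: fn(), calls: calls };
  } finally {
    delete Array.prototype.toJSON;
  }
}

// The reporter's observation: a toJSON returning undefined makes
// JSON.stringify([1]) return undefined instead of "[1]".
function reporterCase() {
  return withArrayToJSON(undefined, () => builtinStringify([1]));
}

// Nested arrays are hooked too. Once the outer array "rows" has been
// replaced by toJSON's result, the inner [3] is never visited.
function nestedCase() {
  return withArrayToJSON("HOOKED", () =>
    builtinStringify({ list: [1, 2], rows: [[3]] })
  );
}

// A replacer function cannot undo the hook: by the time it runs, the array
// has already been swapped for toJSON's return value, so it sees a string.
function replacerCase() {
  const seen = [];
  const r = withArrayToJSON("HOOKED", () =>
    builtinStringify({ a: [1] }, (key, value) => {
      seen.push({ key: key, type: Array.isArray(value) ? "array" : typeof value });
      return value;
    })
  );
  r.seen = seen;
  return r;
}

// Compatibility workaround for a page that loads a library defining
// Array.prototype.toJSON: set the property aside for one call and restore
// it afterwards so the library keeps working. This is not a security
// boundary (Comment 1): anything able to edit Array.prototype can equally
// replace JSON.stringify itself.
function stringifyIgnoringArrayToJSON(value) {
  const desc = Object.getOwnPropertyDescriptor(Array.prototype, "toJSON");
  if (desc) delete Array.prototype.toJSON;
  try {
    return JSON.stringify(value);
  } finally {
    if (desc) Object.defineProperty(Array.prototype, "toJSON", desc);
  }
}

function workaroundCase() {
  return withArrayToJSON(undefined, () => ({
    hooked: JSON.stringify([1]),
    bypassed: stringifyIgnoringArrayToJSON([1]),
    stillHooked: typeof Array.prototype.toJSON,
  }));
}
```

The workaround only makes sense against a cooperating library such as Prototype.js; against an attacker who already runs script in the page it is, as Comment 1 says, already lost.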