| Summary: | Primordial privilege escalation from bad this-coercion | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Mark S. Miller <erights> | ||||
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> | ||||
| Status: | RESOLVED DUPLICATE | ||||||
| Severity: | Major | CC: | barraclough, erights, ggaren, jwalden+bwo, oliver | ||||
| Priority: | P1 | Keywords: | InRadar | ||||
| Version: | 528+ (Nightly build) | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Attachments: |
|
||||||
Created attachment 90865 [details] 'valueOf()' in a script tag still does bad this coercion The attachment should alert 'ok' and does so correctly on FF4. On Safari Version 5.0.4 (5533.20.27, r84622) it alerts 'bad value: [object DOMWindow]' instead. Should this case be reported as part of this bug 51097, or should I file a distinct bug? See https://bugzilla.mozilla.org/show_bug.cgi?id=652375 Should this be merged with https://bugs.webkit.org/show_bug.cgi?id=58338 ? |
To avoid privilege escalation bugs by global object leakage, ES5 repaired Ch15 to coerce the this-bindings of its methods by "ToObject". Thus, primitive values wrap but null and undefined throw an exception instead. For example, 15.4.4.10 Array.prototype.slice step 1 says: 1. Let O be the result of calling ToObject passing the this value as the argument. However, on WebKit nightly (Safari Version 5.0.1 (5533.17.8, r73886)) window[0] = 'a'; window[1] = 'b'; window[2] = 'c'; window.length = 3; [].slice.call(null, 0); // prints a,b,c showing that slice still leaks access to the global object. Even though this is a security bug, I have entered this as a WebKit bug, not a security bug, because no released Safari yet implements ES5, so there is time to fix this before it causes harm. See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283