Bug 51097

Summary: Primordial privilege escalation from bad this-coercion
Product: WebKit Reporter: Mark S. Miller <erights>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Major CC: barraclough, erights, ggaren, jwalden+bwo, oliver
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
'valueOf()' in a script tag still does bad this coercion none

Mark S. Miller
Reported 2010-12-15 00:09:47 PST
To avoid privilege escalation bugs by global object leakage, ES5 repaired Ch15 to coerce the this-bindings of its methods by "ToObject". Thus, primitive values wrap but null and undefined throw an exception instead. For example, 15.4.4.10 Array.prototype.slice step 1 says: 1. Let O be the result of calling ToObject passing the this value as the argument. However, on WebKit nightly (Safari Version 5.0.1 (5533.17.8, r73886)) window[0] = 'a'; window[1] = 'b'; window[2] = 'c'; window.length = 3; [].slice.call(null, 0); // prints a,b,c showing that slice still leaks access to the global object. Even though this is a security bug, I have entered this as a WebKit bug, not a security bug, because no released Safari yet implements ES5, so there is time to fix this before it causes harm. See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283
Attachments
'valueOf()' in a script tag still does bad this coercion (205 bytes, text/html)
2011-04-23 19:06 PDT, Mark S. Miller 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2011-01-20 16:57:41 PST
<rdar://problem/8895966>
Mark S. Miller
Comment 2 2011-04-23 19:06:08 PDT
Created attachment 90865 [details] 'valueOf()' in a script tag still does bad this coercion The attachment should alert 'ok' and does so correctly on FF4. On Safari Version 5.0.4 (5533.20.27, r84622) it alerts 'bad value: [object DOMWindow]' instead. Should this case be reported as part of this bug 51097, or should I file a distinct bug? See https://bugzilla.mozilla.org/show_bug.cgi?id=652375
Mark S. Miller
Comment 3 2011-06-08 10:40:59 PDT
Should this be merged with https://bugs.webkit.org/show_bug.cgi?id=58338 ?
Gavin Barraclough
Comment 4 2011-07-20 19:18:52 PDT
*** This bug has been marked as a duplicate of bug 64250 ***
Note You need to log in before you can comment on or make changes to this bug.