Bug 51097 - Primordial privilege escalation from bad this-coercion
Summary: Primordial privilege escalation from bad this-coercion
Status: RESOLVED DUPLICATE of bug 64250
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P1 Major
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2010-12-15 00:09 PST by Mark S. Miller
Modified: 2011-07-20 19:18 PDT (History)
5 users (show)

See Also:


Attachments
'valueOf()' in a script tag still does bad this coercion (205 bytes, text/html)
2011-04-23 19:06 PDT, Mark S. Miller
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mark S. Miller 2010-12-15 00:09:47 PST
To avoid privilege escalation bugs by global object leakage, ES5 repaired Ch15 to coerce the this-bindings of its methods by "ToObject". Thus, primitive values wrap but null and undefined throw an exception instead. For example, 15.4.4.10 Array.prototype.slice step 1 says:

    1. Let O be the result of calling ToObject passing the this value as the argument.

However, on WebKit nightly (Safari Version 5.0.1 (5533.17.8, r73886))

  window[0] = 'a';
  window[1] = 'b';
  window[2] = 'c';
  window.length = 3;
  [].slice.call(null, 0); // prints a,b,c

showing that slice still leaks access to the global object.

Even though this is a security bug, I have entered this as a WebKit bug, not a security bug, because no released Safari yet implements ES5, so there is time to fix this before it causes harm.

See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283
Comment 1 Alexey Proskuryakov 2011-01-20 16:57:41 PST
<rdar://problem/8895966>
Comment 2 Mark S. Miller 2011-04-23 19:06:08 PDT
Created attachment 90865 [details]
'valueOf()' in a script tag still does bad this coercion

The attachment should alert 'ok' and does so correctly on FF4. On Safari Version 5.0.4 (5533.20.27, r84622) it alerts 'bad value: [object DOMWindow]' instead. Should this case be reported as part of this bug 51097, or should I file a distinct bug?

See https://bugzilla.mozilla.org/show_bug.cgi?id=652375
Comment 3 Mark S. Miller 2011-06-08 10:40:59 PDT
Should this be merged with https://bugs.webkit.org/show_bug.cgi?id=58338 ?
Comment 4 Gavin Barraclough 2011-07-20 19:18:52 PDT

*** This bug has been marked as a duplicate of bug 64250 ***