Closed
Bug 1281194
Opened 8 years ago
Closed 8 years ago
for-of iteration over module import list in ResolveRequestedModules is visible to web pages
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla50
Tracking | Status | |
---|---|---|
firefox50 | --- | fixed |
People
(Reporter: bzbarsky, Assigned: jonco)
References
Details
(Whiteboard: btpp-active)
Attachments
(1 file)
(deleted),
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
Consider a page that does this:
1) Run a script that sets [].values().__proto__.next to a function it controls.
2) Load a module with some imports.
We will end up in ResolveRequestedModules in nsScriptLoader.cpp doing a for-of loop over the return value of JS::GetRequestedModules. But that will invoke the page-controlled function on the array iterator prototype, for what I'm told is an implementation detail. That seems bad.
What we should probably do here is use a loop from 0 to length and JS_GetElement instead (especially since we're already getting the array length but not using it for anything right now). I _think_ that should be safe. If we want to be very sure it's safe, we can use something like the self-hosted List() type: an object with null prototype, a "length" property, and indexed props. That will ensure that no one can observe the gets.
Flags: needinfo?(jcoppeard)
Assignee | ||
Updated•8 years ago
|
Flags: needinfo?(jcoppeard)
QA Contact: jcoppeard
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → jcoppeard
QA Contact: jcoppeard
Assignee | ||
Comment 1•8 years ago
|
||
As suggested, use JS_GetElement rather than for-of iteration.
Attachment #8764273 -
Flags: review?(bzbarsky)
Reporter | ||
Comment 2•8 years ago
|
||
Comment on attachment 8764273 [details] [diff] [review]
bug1281194-array-iteration
r=me though it might make sense to make the comments a bit more dire about how you should not trust anything other than going 0 to length-1.
Attachment #8764273 -
Flags: review?(bzbarsky) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2eb6f3b5c5e
Don't use for-of iteration over requested modules array r=bz
Updated•8 years ago
|
Whiteboard: btpp-active
Comment 4•8 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•