Usage of `new Function` in third-party library jszip.js
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: jallmann, Assigned: jdescottes)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
All `eval()`-like functions (`eval()`, `new Function()`, `setTimeout("")`) are being removed from code running with system privileges, see Bug 1473549. An assertion is active to enforce this.
There are two occurrences of `new Function` in jszip.js that require the file to be whitelisted for this assertion. In order to clear jszip.js from the whitelist, `new Function` needs to be removed or refactored.
`new Function` to get the global object:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/jszip.js#4298
Not sure about second occurrence:
https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/jszip.js#4393
Comment 1 • 5 years ago (Assignee)
Thankfully the latest version of JSZip doesn't rely on the very old setImmediate polyfill that was present in our old version. Let's update it.
Comment 2 • 5 years ago (Assignee)
Depends on D38516
The new version of JSZip doesn't rely on any eval-like code.
Comment 3 • 5 years ago (Assignee)
Depends on D38517
Comment 5 • 5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/cad92991c22e
https://hg.mozilla.org/mozilla-central/rev/22539b8e0829
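Added example, not part of the bug thread and not Mozilla's or JSZip's code: a small static audit that reports the three `eval()`-like forms named in the description, so a vendored file can be checked before it is taken off (or put on) an allowlist. The patterns, the function names and both sample sources are constructed for illustration and are assumptions, not the contents of jszip.js.

```javascript
// Heuristic patterns for the eval()-like constructs listed in the bug.
// Assumption: line-based regex matching is enough for a first-pass audit.
const EVAL_LIKE = [
  { kind: 'eval()', re: /(^|[^.\w$])eval\s*\(/ },
  { kind: 'new Function()', re: /\bnew\s+Function\b/ },
  // setTimeout/setInterval whose first argument is a string literal
  { kind: 'setTimeout("")', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

// Blank out comments so commented-out code is not reported.
// Newlines are kept so reported line numbers match the original file.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/(^|[^:])\/\/.*$/gm, '$1'); // [^:] keeps "http://" in strings
}

// Return one finding per eval-like construct: { line, kind, text }.
function findEvalLike(src) {
  const findings = [];
  stripComments(src).split('\n').forEach((text, i) => {
    for (const { kind, re } of EVAL_LIKE) {
      if (re.test(text)) findings.push({ line: i + 1, kind, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample in the style of an old vendored library: a global-object
// lookup and a timer polyfill that turns string handlers into functions.
const VENDORED_OLD = [
  '// constructed sample, old vendored style',
  'var root = new Function("return this")();',
  'function schedule(handler) {',
  '  if (typeof handler !== "function") handler = new Function("" + handler);',
  '  return setTimeout(handler, 0);',
  '}',
].join('\n');

// Constructed sample of the eval-free equivalent.
const VENDORED_NEW = [
  '// constructed sample; new Function is gone',
  'var root = typeof globalThis !== "undefined" ? globalThis',
  '         : typeof self !== "undefined" ? self : window;',
  'function schedule(handler) { return setTimeout(handler, 0); }',
].join('\n');

console.log(findEvalLike(VENDORED_OLD), findEvalLike(VENDORED_NEW));
```

A regex pass like this misses indirect forms such as an aliased `eval`, so it complements a runtime assertion rather than replacing it.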