[Webkit-unassigned] [Bug 51097] New: Primordial privilege escalation from bad this-coercion
bugzilla-daemon at webkit.org
Wed Dec 15 00:09:47 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=51097
Summary: Primordial privilege escalation from bad this-coercion
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: UNCONFIRMED
Severity: Blocker
Priority: P3
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: erights at gmail.com
To avoid privilege escalation bugs by global object leakage, ES5 repaired Ch15 to coerce the this-bindings of its methods by "ToObject". Thus, primitive values wrap but null and undefined throw an exception instead. For example, 15.4.4.10 Array.prototype.slice step 1 says:
1. Let O be the result of calling ToObject passing the this value as the argument.
However, on WebKit nightly (Safari Version 5.0.1 (5533.17.8, r73886))
window[0] = 'a';
window[1] = 'b';
window[2] = 'c';
window.length = 3;
[].slice.call(null, 0); // prints a,b,c
showing that slice still leaks access to the global object.
Even though this is a security bug, I have entered this as a WebKit bug, not a security bug, because no released Safari yet implements ES5, so there is time to fix this before it causes harm.
See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283
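The following is an added example, not code from the bug report or from WebKit. It reproduces the report's probe in a form that runs in Node or any ES5+ engine: globalThis stands in for the browser's window object, the array-like fixture mirrors the window[0..2] / window.length setup above, and two user-defined functions (built with the Function constructor so the first is guaranteed sloppy-mode) show the ES3-style global-object fallback that ES5 Ch15 closed for its built-ins. The helper names (installGlobalArrayLike, probeThisCoercion, runThisCoercionProbes, hasGlobalObjectLeak) are assumptions made for this example only.

```javascript
// Added example, not code from the bug report. It reproduces the report's
// probe in a form that runs in Node or any ES5+ engine, using globalThis as
// the stand-in for the browser's window object.

// Constructed fixture: give the global object the shape of an array-like
// {0:'a', 1:'b', 2:'c', length:3}, mirroring window[0..2] / window.length
// in the report. If a built-in reaches the global object instead of
// throwing, the values 'a,b,c' show up in its result.
function installGlobalArrayLike() {
  globalThis[0] = 'a';
  globalThis[1] = 'b';
  globalThis[2] = 'c';
  globalThis.length = 3;
}

function removeGlobalArrayLike() {
  for (const key of [0, 1, 2, 'length']) delete globalThis[key];
}

// Call `method` with a null this-binding and report what the engine did.
// An ES5-conformant built-in runs ToObject(null) in its first step and
// must throw a TypeError; any other result is what the report calls a
// leak of the global object.
function probeThisCoercion(method, ...args) {
  try {
    const value = method.call(null, ...args);
    return 'returned ' + String(value); // on the buggy engine: 'returned a,b,c'
  } catch (e) {
    if (e instanceof TypeError) return 'TypeError';
    throw e; // anything else is a bug in the probe itself
  }
}

// Run the probe against several ES5 Ch15 methods whose step 1 is
// ToObject(this), plus two user-defined functions for contrast. The
// Function constructor always produces a sloppy-mode function unless the
// body opts in to strict mode, so the first one shows the ES3 behaviour
// (null this becomes the global object) even if this file itself is strict.
function runThisCoercionProbes() {
  installGlobalArrayLike();
  try {
    const sloppyFn = new Function('return this;');
    const strictFn = new Function('"use strict"; return this;');
    return {
      sloppyUserFn: sloppyFn.call(null) === globalThis ? 'global object' : 'null',
      strictUserFn: strictFn.call(null) === null ? 'null' : 'global object',
      'Array.prototype.slice': probeThisCoercion(Array.prototype.slice, 0),
      'Array.prototype.join': probeThisCoercion(Array.prototype.join, ','),
      'Array.prototype.forEach': probeThisCoercion(Array.prototype.forEach, () => {}),
      'Object.prototype.hasOwnProperty': probeThisCoercion(Object.prototype.hasOwnProperty, '0'),
    };
  } finally {
    removeGlobalArrayLike(); // do not leave the global object polluted
  }
}

// True when any built-in reached the global object instead of throwing,
// i.e. the engine still has the bug the report describes.
function hasGlobalObjectLeak(results) {
  return Object.entries(results)
    .filter(([name]) => name.includes('.prototype.'))
    .some(([, outcome]) => outcome !== 'TypeError');
}

const results = runThisCoercionProbes();
console.log(results);
console.log(hasGlobalObjectLeak(results) ? 'LEAK: this-coercion is broken' : 'OK: ToObject(null) throws');
```

On a conformant engine every built-in entry reads 'TypeError' while sloppyUserFn still reads 'global object'; that contrast is the point of the ES5 change, since user code in sloppy mode keeps the old fallback but the built-ins no longer hand out the global object. The cleanup in the finally block matters if the probe is dropped into a larger test page, because a leftover length property on window changes the behaviour of other array-generic calls.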