[Webkit-unassigned] [Bug 51097] New: Primordial privilege escalation from bad this-coercion

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 15 00:09:47 PST 2010


https://bugs.webkit.org/show_bug.cgi?id=51097

           Summary: Primordial privilege escalation from bad this-coercion
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Blocker
          Priority: P3
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: erights at gmail.com


To avoid privilege escalation bugs by global object leakage, ES5 repaired Ch15 to coerce the this-bindings of its methods by "ToObject". Thus, primitive values wrap but null and undefined throw an exception instead. For example, 15.4.4.10 Array.prototype.slice step 1 says:

    1. Let O be the result of calling ToObject passing the this value as the argument.

However, on WebKit nightly (Safari Version 5.0.1 (5533.17.8, r73886))

  window[0] = 'a';
  window[1] = 'b';
  window[2] = 'c';
  window.length = 3;
  [].slice.call(null, 0); // prints a,b,c

showing that slice still leaks access to the global object.

Even though this is a security bug, I have entered this as a WebKit bug, not a security bug, because no released Safari yet implements ES5, so there is time to fix this before it causes harm.

See also https://bugzilla.mozilla.org/show_bug.cgi?id=619283
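The ES5 coercion rule the report cites, written out in JavaScript as an added example (not code from the bug report): a ToObject helper following ES5 9.9, a slice-style method that applies it to its this value, and a probe that reports whether the running engine throws, as ES5 requires, for the null-this call shown above. The names `toObject`, `safeSlice` and `sliceCoercesNullThis` are this example's own.

```javascript
// Added example, not part of the bug report: ES5 9.9 ToObject applied to a
// method's this-binding, plus a conformance probe for the slice case above.

// toObject mirrors ES5 9.9: null and undefined throw, primitives wrap,
// objects pass through unchanged.
function toObject(value) {
  if (value === null || value === undefined) {
    throw new TypeError("Cannot convert null or undefined to object");
  }
  return Object(value); // Object("x") -> String object, Object(3) -> Number object
}

// A slice-like method written the ES5 way: step 1 is ToObject(this).
// "use strict" matters here: a sloppy-mode function already receives the
// global object in place of a null/undefined this, so the check would never fire.
function safeSlice(start, end) {
  "use strict";
  var O = toObject(this);
  var len = O.length >>> 0;
  var from = start === undefined ? 0 : Number(start);
  var to = end === undefined ? len : Number(end);
  if (from < 0) from = Math.max(len + from, 0);
  if (to < 0) to = Math.max(len + to, 0);
  to = Math.min(to, len);
  var result = [];
  for (var k = from; k < to; k++) {
    if (k in O) result.push(O[k]);
  }
  return result;
}

// Conformance probe for the report's finding: a conforming engine throws a
// TypeError from Array.prototype.slice.call(null); an engine that coerces a
// null this to the global object returns an array instead (the leak).
function sliceCoercesNullThis() {
  try {
    Array.prototype.slice.call(null, 0);
    return false; // no exception: this-coercion fell through to the global object
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

On a conforming engine the probe returns true; on the nightly described above it would return false, because the call returns the global object's indexed elements instead of throwing.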
