[Webkit-unassigned] [Bug 173303] New: Function constructor bug enables injection attacks

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 12 23:36:44 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=173303

            Bug ID: 173303
           Summary: Function constructor bug enables injection attacks
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: erights at gmail.com

In the JavaScript console:

> Function('/*', '*/){')
< function anonymous(/*) {
*/){
}

This violates the spec and enables injection attacks. According to the spec, the code above should be rejected with a syntax error because the last argument does not parse as a valid function body. This can be used, and has been used, by secure frameworks to ensure that untrusted strings parse as valid function bodies. Such secure frameworks can be fooled on JSC because of this bug.
