Security issue with dart:io + dart:mirrors #10963
Comments
This is expected. Native code needs to validate arguments. It should be fairly simple to implement a secure class for storing native pointers in the heap.
Removed Area-Library label.
It is simple enough to store the native pointer in a native field of a Dart object (by extending NativeFieldWrapperClass1). This will easily work for the direct/sync calls. However, for async file operations this pointer is sent through a native port to the handler thread. So we need to fix the serialization of this as well.
Removed Area-IO label.
Removed this from the Later milestone.
Removed Oldschool-Milestone-Later label.
This issue was originally filed by podivilov@google.com
The code below sets an arbitrary pointer as _RandomAccessFile._id, which is then reinterpret-cast as File* in File_Close.
```dart
import 'dart:io';
import 'dart:mirrors';

main() {
  var file = new File('test.dart').openSync();

  // Look up a Symbol by its printed name.
  findSymbol(list, name) => list.firstWhere(
      (symbol) => symbol.toString() == 'Symbol("$name")');

  // Reach the private _RandomAccessFile._id field through reflection.
  var ms = currentMirrorSystem();
  var library = ms.libraries[Uri.parse('dart:io')];
  var clazz = findSymbol(library.classes.keys, '_RandomAccessFile');
  var member = findSymbol(library.classes[clazz].members.keys, '_id');

  // Overwrite the stored native pointer, then let close() hand it to File_Close.
  reflect(file).setField(member, 0xdeadbeef);
  file.close();
}
```
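One way to apply the "native code needs to validate arguments" point from the comments, as an added example that is not the Dart VM's code or the fix the project adopted: the native side issues an opaque handle and checks it against a table of live objects instead of casting the script-supplied integer to `File*`. `NativeFile`, `handle_register`, `handle_lookup` and `file_close_checked` are hypothetical names, and the table assumes a single thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the runtime's native file object. */
typedef struct { FILE *fp; } NativeFile;

#define MAX_HANDLES 64
typedef struct { NativeFile *file; uint32_t generation; } Slot;
static Slot table[MAX_HANDLES];

/* Issue an opaque handle: generation in the high 32 bits, slot index in the
 * low 32 bits. Script-visible state holds this value, never the raw pointer.
 * Returns 0 (never a valid handle, since generations start at 1) when full. */
uint64_t handle_register(NativeFile *f) {
    for (uint32_t i = 0; i < MAX_HANDLES; i++) {
        if (table[i].file == NULL) {
            table[i].file = f;
            if (++table[i].generation == 0) table[i].generation = 1;
            return ((uint64_t)table[i].generation << 32) | i;
        }
    }
    return 0;
}

/* Map a handle back to its object; NULL for forged, stale or closed handles. */
NativeFile *handle_lookup(uint64_t h) {
    uint32_t idx = (uint32_t)h, gen = (uint32_t)(h >> 32);
    if (idx >= MAX_HANDLES || table[idx].file == NULL) return NULL;
    return table[idx].generation == gen ? table[idx].file : NULL;
}

/* Close path: validate before touching memory. 0 on success, -1 if rejected. */
int file_close_checked(uint64_t h) {
    NativeFile *f = handle_lookup(h);
    if (f == NULL) return -1;
    table[(uint32_t)h].file = NULL;   /* retire the slot so reuse of h fails */
    if (f->fp != NULL) fclose(f->fp);
    free(f);
    return 0;
}

int main(void) {
    NativeFile *f = calloc(1, sizeof *f);          /* constructed sample object */
    uint64_t h = handle_register(f);
    printf("forged id rejected: %d\n", file_close_checked(0xdeadbeef) == -1);
    printf("real handle closed: %d\n", file_close_checked(h) == 0);
    printf("double close rejected: %d\n", file_close_checked(h) == -1);
    return 0;
}
```

Because the handle is a plain integer checked on use, it can also cross a port to a handler thread without carrying a trusted pointer; a shared table would then need a lock around register, lookup and close.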