| /wiki/EvalArbitraryCodeExecution.wiki r15 | /wiki/EvalArbitraryCodeExecution.wiki r1657 | ||
| 1 | #labels Attack-Vector | ||
|---|---|---|---|
| 1 | =Eval and Function Constructor allow Execution of Unrewritten Javascript= | 2 | =Eval and Function Constructor allow Execution of Unrewritten Javascript= |
| 2 | 3 | ||
| 3 | ==Effect== | 4 | ==Effect== |
| 4 | Execute arbitrary code with access to the global environment, and the local members of the stack frame in which it is called. | 5 | Execute arbitrary code with access to the global environment, and the local members of the stack frame in which it is called. |
| 5 | 6 | ||
| 6 | 7 | ||
| 7 | ==Background== | 8 | ==Background== |
| 8 | eval is described at 15.1.2.1, and parses its argument as a Program, and executes it in it's caller's environment. | 9 | {{{eval}}} is described at 15.1.2.1, and parses its argument as a Program, and executes it in it's caller's environment. |
| 9 | 10 | ||
| 10 | The Function constructor allows creation of a function given a string body. It will execute in the global scope as described at EcmaScript 262 section 15.3.2.1 | 11 | The {{{Function}}} constructor allows creation of a function given a string body. It will execute in the global scope as described at EcmaScript 262 section 15.3.2.1 |
| 11 | 12 | ||
| 12 | EcmaScript 262 specifically requires that the global eval method be assignable, so it can be replaced. The Function constructor is available via the 'constructor' property of any function object. | 13 | EcmaScript 262 specifically requires that the global eval method be assignable, so it can be replaced. The Function constructor is available via the 'constructor' property of any function object. |
| 13 | 14 | ||
| 15 | The proposed EcmaScript 4 standard attenuates {{{eval}}} somewhat: | ||
| 16 | If the code that is using eval is compiled in strict mode, eval is prohibited from introducing new names. This is the one case in ES4 where the run-time meaning of a program changes in strict mode. | ||
| 17 | ES4 still has an {{{eval}}} function that may be aliased, but that always resolves references in the global scope so in ES4, {{{eval('(' + x + ')') ≡ (new Function('return ' + x))()}}} for all strings x that are well formed javascript expressions. | ||
| 18 | |||
| 14 | 19 | ||
| 15 | ==Assumptions== | 20 | ==Assumptions== |
| 16 | window.eval and/or the Function constructor are accessible. The function constructor is available if any function is available and a function's constructor property is readable. | 21 | {{{window.eval}}} and/or the {{{Function}}} constructor are accessible and callable. The function constructor is available if any function is available and a function's {{{constructor}}} property is readable. |
| 17 | 22 | ||
| 18 | 23 | ||
| 19 | ==Versions== | 24 | ==Versions== |
| 20 | All interpreters that obey the referenced sections of EcmaScript. | 25 | All interpreters that obey the referenced sections of EcmaScript. |
| 21 | 26 | ||
| 22 | 27 | ||
| 23 | ==Example== | 28 | ==Example== |
| 24 | {{{ | 29 | {{{ |
| 25 | eval('alert("your cookie is " + document.cookie)'); | 30 | eval('alert("your cookie is " + document.cookie)'); |
| 26 | 31 | ||
| 27 | (new Function('alert("your cookie is " + document.cookie)'))(); | 32 | (new Function('alert("your cookie is " + document.cookie)'))(); |
| 28 | }}} | 33 | }}} |