Updated Jun 04, 2008 by mikesamuel
Labels: Attack-Vector
FunctionMemberCrossScopeParameterAccess  
myFn.arguments[0] changes local variables while call in progress

A function object's arguments array exposes its arguments while a call is in progress

Effect

Untrusted code can steal the arguments passed to any function it can reference while that function is being called.

Background

The arguments passed in the most recent uncompleted call to a function are exposed via its arguments property. This is not documented in ECMAScript 262.

Assumptions

The arguments property of Function objects is accessible.

Untrusted code can reference a function whose parameters are sensitive.

Versions

FF and IE 6 at least

Example

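// f receives a value that g is never given directly.
function f(a) {
  g();
  // On affected browsers this shows 1, not the 0 that was passed in.
  alert(a);
}

// g reaches f's live arguments through the function object itself.
function g() {
  f.arguments[0] = 1;
}

f(0);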

Note: the above has f call g. This is not necessary. If f and g occur concurrently, then g can steal/change f's parameters without being called by it. Code can run concurrently if one function is the handler from an XmlHttpResponse, or if there are two windows' event threads -- create a new iframe, and use its setTimeout.
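
A defender-side check for the exposure described above, as an added example that is not code from the original page: it calls a function with a constructed sentinel and, while the call is still in progress, tests whether the sentinel can be read back through the function object's arguments property. It relies on strict-mode functions throwing a TypeError on that access; the names probeArgumentsExposure, auditFunctions, sloppyHandler and strictHandler are hypothetical.

```javascript
// Added example: audit which functions expose their live call arguments
// through the `arguments` property of the function object.

// Bodies given to new Function() are sloppy-mode unless they opt in to
// strict mode, so both variants behave the same in scripts and modules.
const sloppyHandler = new Function('secret', 'callback', 'return callback();');
const strictHandler = new Function('secret', 'callback',
  '"use strict"; return callback();');

// Calls fn(sentinel, observer). The observer runs while fn's call is still
// uncompleted and tries to read the sentinel back via fn.arguments.
// Returns 'exposed', 'blocked', 'hidden' or 'error'.
function probeArgumentsExposure(fn) {
  // Constructed sentinel, unique per probe so stale values cannot match.
  const sentinel = 'constructed-sentinel-' + Math.random().toString(36).slice(2);
  return fn(sentinel, function observer() {
    let live;
    try {
      live = fn.arguments;
    } catch (e) {
      // Strict functions inherit an accessor that throws TypeError.
      return e instanceof TypeError ? 'blocked' : 'error';
    }
    if (live === null || live === undefined) return 'hidden';
    return live[0] === sentinel ? 'exposed' : 'hidden';
  });
}

// Runs the probe over a map of name -> function and returns name -> verdict.
// Each audited function must accept (value, callback) and invoke callback.
function auditFunctions(named) {
  const report = {};
  for (const [name, fn] of Object.entries(named)) {
    report[name] = probeArgumentsExposure(fn);
  }
  return report;
}

console.log(auditFunctions({ sloppy: sloppyHandler, strict: strictHandler }));
```

A verdict of 'exposed' means any code holding a reference to that function can read its parameters during a call; moving the function to strict mode changes the verdict to 'blocked'.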


Comment by andrea.campi, Oct 14, 2007

are exposed via it's arguments property

You want "its" not "it's"

Comment by andrea.campi, Oct 14, 2007

and use it's setTimeout.

Same.

Comment by mikesamuel, Oct 25, 2007

Quite right. Fixed

