PostIncrementAndDecrementCanReturnNonNumber

Post-increment and post-decrement expressions might not evaluate to a number, in violation of the ES3 specification.

Attack-Vector Effect

Properties that should not be readable may be read (and possibly written). It may be possible to combine this with other attack vectors such as EvalArbitraryCodeExecution to run arbitrary code.

Assumptions

Background

The post-increment and post-decrement operators are specified in ECMA-262 sections 13.3.1 and 13.3.2 to always return a number. Caja, ADsafe, and Jacaranda unconditionally allow reading of properties named by "stringified numbers", that is, strings that can be the result of ToString(ToNumber(x)) for some x. However, in Internet Explorer, if x is a local variable or parameter of the current function, then x++ or x-- incorrectly evaluates to x without coercing it to a number. For example,

    (function() { var x = 'foo'; return x++; })();

returns 'foo', when it should return NaN. This means that a property access of the form a[x++] or a[x--] might be allowed on the assumption that it accesses a stringified-number property, but actually accesses a different property that should not have been readable (or writable, when the access is a LeftHandSideExpression). For discussion of the general problem of which this is a special case, see MisOptimizations.

Versions

Example

The following example uses this to get the constructor property of a function object (i.e. what the global Function normally refers to), and then evals arbitrary code:

    (function() {
      var c = 'constructor';
      var F = (function(){})[c++]; // Function constructor: on IE, c++ evaluates to 'constructor' instead of NaN
      F('alert("toast")')();
    })();

Jacaranda 0.3 was vulnerable to this attack (only on IE). See also this google-caja-discuss thread.
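The sandboxes above are safe only if the engine honours the spec for x++; a runtime guard that re-checks the stringified-number assumption instead of trusting the operator closes the gap on a misbehaving engine. The following is an added illustration, not code from Caja, ADsafe or Jacaranda; the guardedRead and isStringifiedNumber helpers are hypothetical names, and the IE result is modelled by a constructed input because a spec-compliant engine cannot reproduce the bug.

```javascript
// Added illustration (not from Caja/ADsafe/Jacaranda): a bracket-access guard
// that does not trust the engine's x++ / x-- to have returned a number.

// True iff name is a "stringified number", i.e. ToString(ToNumber(name)) === name.
// This is exactly the set of property names the sandboxes unconditionally allow.
function isStringifiedNumber(name) {
  return typeof name === 'string' && String(Number(name)) === name;
}

// Hypothetical helper a rewriter could emit in place of a bare a[x++]:
// read obj[key] only when key is a primitive number or a stringified number,
// and reject anything else (such as 'constructor') with a TypeError.
function guardedRead(obj, key) {
  if (typeof key === 'number' || isStringifiedNumber(key)) {
    return obj[key];
  }
  throw new TypeError('property name is not a stringified number: ' + String(key));
}

// Spec-compliant engine: x++ on a string coerces, so the key is NaN (a number)
// and the guard permits the (harmless) read of fn['NaN'].
function specCompliantAccess() {
  var x = 'constructor';
  var key = x++;                           // ToNumber('constructor') -> NaN
  return guardedRead(function () {}, key); // fn['NaN'] -> undefined
}

// The IE misbehaviour described above, modelled by handing the guard the
// un-coerced string that IE's x++ would have produced (constructed input).
// Returns true when the guard rejects the access instead of yielding Function.
function ieStyleAccessRejected() {
  var keyAsIeWouldProduce = 'constructor';
  try {
    guardedRead(function () {}, keyAsIeWouldProduce);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

An equivalent, cheaper fix is for the rewriter to emit an explicit numeric coercion such as +(x++) so the property name is a number on every engine.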