Issue 202140043: Make taming membrane distrust Object.prototype.toString.

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Issue 202140043: Make taming membrane distrust Object.prototype.toString. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
9 years, 2 months ago by kpreid_google

Modified:
9 years, 2 months ago

Reviewers:
MarkM

CC:
google-caja-discuss_googlegroups.com

Base URL:
http://google-caja.googlecode.com/svn/trunk/

Visibility:
Public.

More Reviews

Description

The taming membrane uses Object.prototype.toString to detect builtin objects (Date, Float32Array, etc.) and copy them across the membrane as the same type. ES6 allows objects to change their "toStringTag", thus making this spoofable. Therefore, harden each special copy case so that if the toString result is spoofed, the membrane cannot be punctured. Also fixed some ineffective tests in test-taming-inout-guest.js. @r5710

Patch Set 1 #

Total comments: 1

Created: 9 years, 2 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+51 lines, -18 lines)			Patch
	M	src/com/google/caja/plugin/taming-membrane.js	View		3 chunks	+47 lines, -14 lines	0 comments	Download
	M	tests/com/google/caja/plugin/test-taming-inout-guest.js	View		2 chunks	+4 lines, -4 lines	1 comment	Download

Messages

Total messages: 4

Expand All Messages | Collapse All Messages

MarkM

Do you intend to fix cajaTamingGoogleLoader in a separate CL? Or did you conclude it ...

9 years, 2 months ago (2015-02-18 23:20:53 UTC) #2

kpreid_google

On 2015/02/18 23:20:53, MarkM wrote: > Do you intend to fix cajaTamingGoogleLoader in a separate ...

9 years, 2 months ago (2015-02-18 23:36:26 UTC) #3

LGTM

Expand All Messages | Collapse All Messages