
[Bug 12101] "Structured clone" can be passed an object with a hostile getter that returns an object identical to itself; "structured clone" does not prevent such an infinite regression.

From: <bugzilla@jessica.w3.org>
Date: Tue, 08 Mar 2011 04:26:40 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1PwoVM-0006g2-2C@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12101

Ian 'Hixie' Hickson <ian@hixie.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |bzbarsky@mit.edu

--- Comment #2 from Ian 'Hixie' Hickson <ian@hixie.ch> 2011-03-08 04:26:39 UTC ---
The makeAnother() case is the one to which this bug is referring.

The solution could indeed be as simple as just saying that there is some
defined depth to which the algorithm will recurse; it seems unfortunate to
hard-code such limits into the platform, though. I guess we could also
hard-code a limit that is only increased when getting data from a property with
a getter.

In bug 12248 comment 3 Boris mentions some other specific edge cases that come
up in this context, such as what happens if such an API is invoked reentrantly
or if the event loop is spun during the API call. I think we can probably
resolve those problems pretty easily by just making sure that the structured
clone algorithm is the very first thing that is run for any API that will
eventually invoke it. That way, the problem is reduced to a previously solved
problem (showModalDialog).

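The makeAnother() case discussed in the comment above, as an added example that is not code from the bug thread or from the HTML specification: a toy structured-clone deep copy showing why identity-based cycle detection alone cannot stop a getter that manufactures a fresh, structurally identical object on every read, together with a depth budget charged only to getter-produced values (the second option mentioned above). MAX_GETTER_DEPTH, DataCloneError and the helper names are assumptions for illustration.

```javascript
// Added example (not from the bug thread or the HTML spec): a toy structured-clone
// style deep copy. Genuine cycles are caught by the memory map, but a getter that
// returns a brand-new object on each read never repeats an identity, so a bounded
// budget charged only to getter-derived values is what stops the regression.
// MAX_GETTER_DEPTH is an illustrative value, not one taken from any specification.
const MAX_GETTER_DEPTH = 100;

class DataCloneError extends Error {}

function structuredCloneToy(value, memory = new Map(), getterDepth = 0) {
  if (value === null || typeof value !== 'object') return value;
  // True cycles (the same object reached twice) are resolved by identity.
  if (memory.has(value)) return memory.get(value);
  const out = Array.isArray(value) ? [] : {};
  memory.set(value, out);
  for (const key of Object.keys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    let nextDepth = getterDepth;
    let child;
    if (desc && typeof desc.get === 'function') {
      // Reading an accessor runs author code that may return a fresh object every
      // time, so each getter-produced level consumes one unit of the budget.
      nextDepth = getterDepth + 1;
      if (nextDepth > MAX_GETTER_DEPTH) {
        throw new DataCloneError(`getter nesting exceeded ${MAX_GETTER_DEPTH} at "${key}"`);
      }
      child = desc.get.call(value);
    } else {
      child = desc.value; // plain data nesting is not charged to the budget
    }
    out[key] = structuredCloneToy(child, memory, nextDepth);
  }
  return out;
}

// Constructed hostile input: every read of `child` yields a new, identical-looking object.
function makeHostile() {
  return { get child() { return makeHostile(); } };
}

// Constructed benign inputs: a true cycle, and deep plain nesting with no getters.
function makeCycle() { const a = { name: 'a' }; a.self = a; return a; }
function makeDeepPlain(n) { let o = { leaf: true }; for (let i = 0; i < n; i++) o = { inner: o }; return o; }

// Returns true when the clone is refused by the getter budget rather than completing.
function cloneRejected(value) {
  try { structuredCloneToy(value); return false; }
  catch (e) { return e instanceof DataCloneError; }
}
```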
Received on Tuesday, 8 March 2011 04:26:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 March 2011 04:26:46 GMT