Wednesday, July 2nd, 2008

eval('foo=a', obj.fn); How you will be private in Firefox 3.1

Category: Firefox, JavaScript

Peter realized that the eval(string, scope) support in Firefox meant that the private pattern could be circumvented, and developers came out saying “doh!”

Mozilla was quick on the case and has taken out the support, a change we should see in Firefox 3.1.

What is interesting is John’s look at what happened. He points to Brendan:

3.2 <fur> 1998-04-23 17:30: Initial checkin of JavaScript 1.3, migrated from JSFUN13_BRANCH in /m/ src repository

This eval extension, if memory serves (I was in at the time, not in the JS group at Netscape) originated in conversations with Microsoft’s rep during ECMA-262 standardization, trying to reach agreement on a way to eval in other scopes.

Your privates are safe again (well, soon).

Posted by Dion Almaer at 2:58 pm
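
A check for the behaviour described above, as an added example that is not part of the original post: it builds an object with the closure-based private pattern and confirms that passing one of its methods as a second argument to eval does not expose the closure variable. The names makeAccount, probeRead and probeWrite and the value of balance are assumptions made for illustration.

```javascript
// Added example (not from the original post). makeAccount, probeRead and
// probeWrite are hypothetical names; the balance values are constructed.

// The "private pattern": `balance` exists only in the closure shared by the
// returned methods, so no property of the object exposes it.
function makeAccount(initial) {
  var balance = initial;
  return {
    deposit: function (n) { balance += n; return balance; },
    getBalance: function () { return balance; }
  };
}

// Read probe: the post's two-argument form, eval(code, obj.fn). ECMAScript's
// eval takes one argument, so a conforming engine ignores the second and
// evaluates in the caller's scope, where `balance` is not defined.
function probeRead(fn) {
  return eval('typeof balance', fn);
}

// Write probe: same shape as the title's eval('foo=a', obj.fn). Returns true
// only if the assignment reached the closure variable.
function probeWrite(account) {
  var before = account.getBalance();
  try {
    eval('balance = -1', account.getBalance);
  } catch (e) {
    // Strict-mode code (e.g. an ES module) rejects the undeclared assignment.
  }
  // In sloppy mode the assignment lands on the global object; clean it up.
  if (Object.prototype.hasOwnProperty.call(globalThis, 'balance')) {
    delete globalThis.balance;
  }
  return account.getBalance() !== before;
}

var account = makeAccount(100);
account.deposit(50);
console.log('closure readable via scoped eval:',
  probeRead(account.getBalance) !== 'undefined');
console.log('closure writable via scoped eval:', probeWrite(account));
```

An engine that still honoured the second argument would report true for both probes.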


Whew! Don’t want anyone coming near *my* privates (although matanlurey came close to kicking me in them earlier).

Comment by uize — July 2, 2008

It is good that Mozilla is fixing this. But don’t imagine that this makes JavaScript any safer. The language still has eval and it still has the global object. Fixing this bit of netscapiness is clearly a step in the right direction, but we have miles to go before we’re safe.

Comment by crock — July 2, 2008

Why is this coming as a surprise to everyone? It’s obvious when you look at it… Scope is any object… Functions are objects… duh.

Eval may be evil, but it’s no more evil because of this.

I think the main evil comes from misuse. When it’s used correctly, then there is no other proper way to do something, it’s extremely powerful and useful. Of course, it also makes it incredibly easy to shoot yourself in the foot. With a shotgun.

Comment by Unfocused — July 2, 2008

What always got to me was the people using eval because they didn’t realise that they could do [] indexing into any object in order to use expressions or variables to determine what was indexed in the object.
That, and code like…
var array = new Array ();
array [0] = ….;
array [1] = …;
array [2] = …;
array [3] = …;

Comment by uize — July 2, 2008

@Andrea – looks like a really solid solution.

I can’t find any holes in it, yet. But with this topic, I’ve already been burned by speaking too soon, so I’m cautiously optimistic.

Also, apparently FF3.1 is going to disable this “bug” (ie, feature), to the dismay of some.

I agree that it should be kept and has some really interesting benefits for introspection of closures and such. Again, my original idea is that we could make a “smarter” eval where it would default to allowing access, but objects instances could specifically opt themselves out in some way, and the smart eval would respect that request.

That way, most objects could benefit from it, and those which really need to keep things “private” for some reason could in fact do that.

Comment by shadedecho — July 2, 2008

I don’t get the love for eval. I see tons of “cool stuff with eval” examples, and universally they look like crude hacks to me. Andrea, no offense, but that scoped alert example you posted that was supposed to convince me of the power of scoped eval, I think it’s a really bad design, because it changes expected built-in behavior to something completely different, which to me is always a bad idea. Maybe it’s because I’ve fixed too many bugs that were caused by “magic” code.

Comment by Joeri — July 3, 2008

I’m still amazed at how people see this as some sort of security threat. It’s not like you’re not serving the entire source code publicly…

Say an untrusted script does setTimeout("obj.fn = evilFunction", 1000), now what?

Comment by LeoHorie — July 3, 2008
