js/src/tests/js1_5/extensions/regress-390598.js@129ffea94266
js/src/tests/js1_5/extensions/regress-390598.js
Sat, 03 Jan 2015 20:18:00 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Sat, 03 Jan 2015 20:18:00 +0100
- branch
- TOR_BUG_3246
- changeset 7
- 129ffea94266
- permissions
- -rwxr-xr-x
Conditionally enable double key logic according to:
private browsing mode or privacy.thirdparty.isolate preference and
implement in GetCookieStringCommon and FindCookie where it counts...
With some reservations of how to convince FindCookie users to test
condition and pass a nullptr when disabling double key logic.
1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 //-----------------------------------------------------------------------------
8 var BUGNUMBER = 390598;
9 var summary = 'array_length_setter is exploitable';
10 var actual = 'No Crash';
11 var expect = 'No Crash';
13 //-----------------------------------------------------------------------------
14 test();
15 //-----------------------------------------------------------------------------
17 function test()
18 {
19 enterFunc ('test');
20 printBugNumber(BUGNUMBER);
21 printStatus (summary);
23 function exploit() {
24 var fun = function () {};
25 fun.__proto__ = [];
26 fun.length = 0x50505050 >> 1;
27 fun();
28 }
29 exploit();
31 reportCompare(expect, actual, summary);
33 exitFunc ('test');
34 }
