Issue 1956 in google-caja: JS minifier (optimizer) transforms comma expressions invalidly

[googl...@googlecode.com]

Status: New
Owner: mikes...@gmail.com
Labels: Type-Defect Priority-High Component-Build

New issue 1956 by kpr...@google.com: JS minifier (optimizer) transforms
comma expressions invalidly
https://code.google.com/p/google-caja/issues/detail?id=1956

The minifier incorrectly transforms
q = (1,y.z)();
to
q = y.z();

Additionally, I tried writing the obvious test case for this (in
JsOptimizerTest.java) and it hung in an infinite loop inside
ParseTreeKB.optimize:

+ public final void testCommaNotChanged() throws Exception {
+ assertOptimized(
+ js(fromString("q = (1,y.z)();")),
+ js(fromString("q = (1,y.z)();")));
+ }

This is not currently a vulnerability as we never use the (1,o.m)() form
statically in any critical location. However, it is a significant hazard
for future code changes (because we use this pattern in other ways and so
it looks like a fine thing to do).

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[googl...@googlecode.com]

Updates:
Status: Fixed

Comment #1 on issue 1956 by mikes...@gmail.com: JS minifier (optimizer)

transforms comma expressions invalidly
https://code.google.com/p/google-caja/issues/detail?id=1956

Fixed at r5713

https://code.google.com/p/google-caja/source/detail?r=5713