Public disclosure of responsibly disclosed SES bugs


Mark Miller

Jan 15, 2019, 7:14:42 PM1/15/19
to SES Strategy, Google Caja Discuss, caja-discuss...@googlegroups.com
Explained at 
and

Thanks Matt Austin for finding and reporting these!

This is all now fully public. The first should affect Caja/original-SES as well. For both, the impact is small. If you know of any projects using SES or original-SES that are not on the addressee list for this message, please forward.

On SES-strategy, let's have a public conversation about what kind of shared responsible disclosure process we want to set up for vulnerabilities that potentially affect both SES and original-SES. Thanks.

--
  Cheers,
  --MarkM

Kevin Reid

Jan 15, 2019, 7:20:51 PM1/15/19
to Google Caja Discuss, SES Strategy, caja-discuss...@googlegroups.com
[bcc all lists except main Caja to reduce complexity since this is strictly Caja]

On Tue, Jan 15, 2019 at 4:14 PM Mark Miller <eri...@gmail.com> wrote:
https://github.com/tc39/proposal-realms/issues/193 ... The first should affect Caja/original-SES as well.

If I understand correctly, this should not affect Caja's SES because the patched implementation of Function constructs a single source string from the given strings and sends it into the now-mandatory parser-rewriter, which does not allow template strings of any kind.

Mark Miller

Jan 16, 2019, 3:53:43 AM1/16/19
to caja-discuss...@googlegroups.com, Google Caja Discuss, SES Strategy
That's a good point. I missed that. Yes, if the mandatory parse rejects template strings, I don't think this particular injection attack is an issue. However, my confidence in the absence of any injection attacks here is now shaken. The new SES code with the RegExp over the params list is still belt-and-suspenders you may be interested in.




--
  Cheers,
  --MarkM
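An added example, not code from the SES or Caja projects or from anyone in this thread: a wrapper around the host Function constructor that applies the kind of defensive checks discussed above, a RegExp over the params list and a stand-alone parse of the body before the two are concatenated. The wrapper name, the regex and the error messages are assumptions.

```javascript
// Added example (not the SES or Caja project's own code). Assumes the host's
// real Function constructor is still reachable as `Function`.

// Accept only plain identifiers separated by commas (or an empty list); this
// rejects default values, destructuring, comments and template literals.
const SIMPLE_PARAMS = /^[A-Za-z_$][\w$]*(\s*,\s*[A-Za-z_$][\w$]*)*$|^$/;

function safeFunction(...args) {
  // Coerce each argument to a string exactly once, so an object whose
  // toString() returns a different value on a second call cannot pass the
  // check with one string and be compiled with another.
  const body = args.length ? String(args[args.length - 1]) : '';
  const params = args.slice(0, -1).map(String).join(',');

  if (!SIMPLE_PARAMS.test(params)) {
    throw new SyntaxError(
      'parameter list must be plain identifiers separated by commas');
  }

  // Parse the body on its own before it is joined with the params. A string
  // that is not a complete function body fails here, rather than being
  // accepted only because of how the combined source happens to read.
  new Function(body);

  return new Function(params, body);
}
```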