My RegExp is still leaking

The great thing about standards is that sometimes they are blindly followed and it’s not until maybe years down the line that you realise they got it wrong. Personally I think standards should be organically developed in code first and only then defined in a standard, once the various flaws have been ironed out. Every standard should include code samples for every single thing it defines; that way it is quite easy to spot the intention and how to abuse it.

You could argue this is already done, but I disagree: we should have standard prototypes with testing code for each, then we can use both the code samples and the specification. The W3 decided to release a security list, which is a fantastic idea, but why did we take so long?

Anyway, things are changing and that is cool, but on to my RegExp I think. Why the standards rant? Well, the RegExp object was defined in the specification as a global object that can access the last result (among other things) of a regular expression literal. I have no idea why, since the same result could be achieved using a reference to the regular expression like so:-

var a = /a/;
a.test('a');
a.lastMatch;      // undefined: the instance doesn't carry the last match
RegExp.lastMatch; // 'a': the global RegExp object does, but it shouldn't

So as you can see we can access the result of an expression even without a reference to the variable. This is bad when we start mixing untrusted JavaScript in the future, as we don’t want to expose one script's matches to different untrusted code. What’s new, I hear you say? I posted about this before… well, don’t you know that some browsers had the crazy idea of supporting regular expressions as a function? Yeah, true: for some crazy reason, rather than a regular expression being just a regexp object, it is also callable like a function! I would like, for example, the following code to return my user agent string please:-

javascript:alert(/.+/());

I’m not a crazy man, honest 🙂 Let’s visit mmm apples, use Safari and type the string above in the URL bar. What do we get? The user agent! If you look at the source code of the page, you’ll find that they use an external JavaScript file which runs a regexp match on the user agent. Because this is the lastMatch, and we didn’t provide a string to the regexp in the function arguments, it returns the lastMatch instead of the input we provided. Nice.

This works on Google Chrome too. You might get different results with Firefox if you have NoScript installed, because it runs RegExp matches on parts of the page.
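To make the leak concrete, here is an added example (not code from the original post or from any site it mentions) that can be run in Node or a browser console. A hypothetical "analytics" helper, modelled on the external script described above, tests a constructed User-Agent string and keeps the boolean to itself; an unrelated function then reads the legacy RegExp statics and recovers both the matched text and the full input. The hardened variant does the same work but overwrites the statics with an empty match afterwards. The callable-regexp trick (`/.+/()`) is not reproduced, since current engines throw a TypeError for it; the statics themselves are still widely supported. Function names and the sample UA are my own.

```javascript
// Added example, not from the original post: legacy RegExp statics leak the
// last match to any script in the same realm, and a scrub step limits that.

// Constructed sample input standing in for a real User-Agent string.
const SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0";

// Hypothetical analytics helper: tests the UA and returns only a boolean...
function classifyUserAgent(ua) {
  return /Mozilla\/[\d.]+/.test(ua);
}

// ...yet unrelated code in the same realm can still read what it matched,
// and even the whole string that was matched against.
function readLeakedStatics() {
  return { lastMatch: RegExp.lastMatch, input: RegExp.input };
}

// Hardened variant: keep results in locals, then run an empty pattern over an
// empty string so lastMatch, input, leftContext and rightContext become "".
function classifyUserAgentScrubbed(ua) {
  const hit = /Mozilla\/[\d.]+/.test(ua);
  /(?:)/.test(""); // empty match on "" resets the legacy statics
  return hit;
}

// Runs both variants in turn and returns what a third party would observe
// after each one.
function demonstrate() {
  classifyUserAgent(SAMPLE_UA);
  const leaked = readLeakedStatics();
  classifyUserAgentScrubbed(SAMPLE_UA);
  const scrubbed = readLeakedStatics();
  return { leaked, scrubbed };
}

console.log(demonstrate());
```

The scrub is a containment measure inside one realm, not isolation: anything else running in that realm before your cleanup line executes can still read the statics, so code that must keep its matches private from co-resident scripts belongs in a separate realm (an iframe or a worker), with the scrub as defence in depth.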
