ECMAScript ("Javascript") Version 4 - Official Overview

Ian Petersen ispeters-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Oct 25 15:39:24 UTC 2007


On 10/25/07, Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> wrote:
> The mere fact that all these features are easier to use is part of the
> reason.

I suppose that's valid, but only one smart person has to figure it out
and share it with the rest.  I don't think it'll make that much
difference.

> Another factor is more possibility for obfuscation.  When
> overloading can change what the same code means on-the-fly, it gets a
> lot harder to de-obfuscate malicious web pages for investigators to
> figure out where they're downloading trojans from.

I think this is probably false.  I guess overloading can make the
specified script more complex, but it _doesn't_ make it any easier to
change meaning "on-the-fly".  Functions are first class objects in all
existing implementations of Javascript so it's trivial to reassign
names to new implementations during execution.  In fact,
self-modifying code is the norm to get around browser
incompatibilities.  (You write a wrapper function that, in its first
invocation, checks to see which browser you're in, replaces the
definition of itself with a compatible version, and then invokes the
compatible version to get the real work done.  Further invocations of
the same function skip the browser-detection by jumping directly to
the compatible implementation.)

> And on general principle, I am very uncomfortable with the concept of
> Joe Random Webmaster being able to download code to my machine and
> execute it.  I go out of my way to *NOT* run a server.

You make complete sense here, and you're certainly not alone in your
concerns.  A user who browses the web with scripting enabled is
essentially walking around asking other people to take advantage of
the opportunity to execute some code remotely.  In other
circumstances, it's called a remote execution exploit, or something.
It _is_ a valid concern.  I fail to see how the new language being
proposed widens the opportunity for exploitation.

Ian

-- 
Tired of pop-ups, security holes, and spyware?
Try Firefox: http://www.getfirefox.com
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
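The self-replacing wrapper that Ian describes (a function whose first invocation does the browser detection, rebinds its own name to the compatible implementation, and then delegates) is shown below as an added example; it is not code from the original post. Everything in it is constructed for illustration: `fakeEnv` stands in for real browser sniffing so the block runs under Node, `api` plays the role of the global namespace the wrapper lives in, and `traceRebinding` is a small analyst-side helper that records each reassignment of the binding, which is the run-time view an investigator needs, since a static read of the source only ever shows the wrapper, not the function that ends up doing the work.

```javascript
// Added example, not code from the original post: the self-replacing
// "wrapper" idiom (often called lazy function definition), plus a small
// instrumentation helper showing how an analyst can observe the rebinding
// at run time instead of relying on a static read of the source.

// Constructed stand-in for browser detection: real code would inspect
// `navigator`, `document` or feature-test DOM APIs. Here a plain object
// carries a capability flag so the example runs under Node.
const fakeEnv = { hasNativeTrim: true };

const api = {};                 // namespace holding the wrapper, like `window.foo`
const rebindLog = [];           // records every reassignment of api.trim

// Analyst-side instrumentation (hypothetical helper): turn `obj[prop]` into an
// accessor so each reassignment is recorded with the name of the new function.
function traceRebinding(obj, prop) {
  let current = obj[prop];
  Object.defineProperty(obj, prop, {
    get() { return current; },
    set(fn) {
      rebindLog.push({ prop, from: current && current.name, to: fn && fn.name });
      current = fn;
    },
    configurable: true,
    enumerable: true,
  });
}

let probeCount = 0;             // how often the (pretend) expensive detection ran

// Two candidate implementations, one per "browser".
function trimNative(s) { return s.trim(); }
function trimFallback(s) { return s.replace(/^\s+|\s+$/g, ""); }

// The wrapper: its first call probes the environment, replaces itself on the
// namespace with the compatible implementation, and delegates to it. Later
// calls never see this function again.
api.trim = function trimWrapper(s) {
  probeCount += 1;
  api.trim = fakeEnv.hasNativeTrim ? trimNative : trimFallback;
  return api.trim(s);
};

traceRebinding(api, "trim");    // install instrumentation before first use

// Exercise the wrapper twice and report what an observer can learn.
function demo() {
  const first = api.trim("  a  ");   // runs the probe and rebinds
  const second = api.trim("  b  ");  // goes straight to the implementation
  return {
    results: [first, second],
    probeCount,                         // stays at 1: detection ran once
    implementationName: api.trim.name,  // "trimNative", not "trimWrapper"
    rebindLog: rebindLog.slice(),       // one entry: trimWrapper -> trimNative
  };
}
```

Run it with `node` and inspect `demo()`: the probe counter stays at 1 across calls, `api.trim.name` reports the implementation rather than the wrapper, and the rebind log holds exactly one entry. The accessor trick is the point for a defender: the source text of `trimWrapper` never changes, so the only reliable way to learn which function actually runs is to watch the binding at execution time.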