lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-id: <4BE39904.16850.B0248A32@nick.virus-l.demon.co.uk>
Date: Fri, 07 May 2010 16:37:24 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: JavaScript exploits via source code disclosure

Christian Sciberras wrote:

> This is a seriously flawed argument.

Correct...

> JS == plain text. Full Stop.

...but that has nothing to do with the reasons why.

First, because it is simply wrong (FSVO "plain text").

For just one trivial example, the following Javascript doesn't look 
anything like anything normally considered "plain text":

   http://cecil.auckland.ac.nz/scripts/menu.js

yet it runs as designed (and there's no need for anyone to provide an 
explanation of what it is, what it does, how it works, etc).

In the contexts in which Javascript is typically relevant, and 
specifically in this case, the colloquial "plain text" is generally 
expected to be material that can be safely transferred across the 
internet under text/plain character encoding.  While the above example 
may survive that on a binary-clean transport (like HTTP) it just might 
not on other common internet protocol transports.

And, FWIW, the ECMAScript standard says, in the first sentence of 
Section 6 ("Source Text"):

   ECMAScript source text is represented as a sequence of characters
   in the Unicode character encoding, version 3.0 or later.

Again, close-minded as it is, Unicode and "plain text" typically do NOT 
mean the same thing on the Internet (an oversight that will probably be 
"fixed" within another generation or so).

I think you confused "plain text" with "necessarily scrutable", or 
similar.



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ