Ahh right, my memory is off. I forgot that {} is in the wrong scope so doesn't trigger __defineSetter__ due to syntax error.
On May 17, 2012, at 10:07 AM, Daniel Friesen wrote:
On Wed, 16 May 2012 19:46:26 -0700, Roan Kattouw roan.kattouw@gmail.com wrote:
On Wed, May 16, 2012 at 7:32 PM, Terry Chay tchay@wikimedia.org wrote:
I thought http://www.mediawiki.org/wiki/Manual:Edit_token protects against this as it is required for an edit: http://www.mediawiki.org/wiki/API:Edit
Not if you can read the data using the Object/Array constructor hacks you described. The potential for data leakage includes token leakage, and once you get the API to leak a token you can create a hidden form on the page that POSTs all the right data (including the token) to the action=edit API and call .submit() on the form.
Roan
Actually I don't think the object constructor or getter hacks work.
jQuery('<script />', {src: "https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Mai...'); api.php:1 Uncaught SyntaxError: Unexpected token :
We don't wrap the JSON in ()'s (it would be invalid JSON). And as a result the {} is in a statement scope instead of an expression scope. As a result the JavaScript engine tries to parse this as a block of code rather than an object. Naturally since "asdf": is not valid code the JavaScript engine quickly fatals considering this a SyntaxError before it can evaluate anything.
It only works for array because [] doesn't have the ambiguity that {} has.
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l