[Project_owners] Storing configuration

eric.jung at yahoo.com
Sat Jul 15 09:25:16 EDT 2006


Vladimir--you should thank Nickolay because he pointed me to that solution some time in the past.
Nickolay--does evalInSandbox() scope the created objects non-globally? Does it ignore CC and CI calls? I've heard your comment before; I'm just curious what makes it safer than eval(). (I'm not questioning you, I'm only trying to learn why it's safer.)


----- Original Message ----
From: Nickolay Ponomarev <asqueella at gmail.com>
To: Mozdev Project Owners List <project_owners at mozdev.org>
Sent: Saturday, July 15, 2006 7:54:56 AM
Subject: Re: [Project_owners] Storing configuration

On 7/15/06, Vladimír Marek <vlmarek at volny.cz> wrote:
> Hi Eric,
>
> > You can use Object.toSource() to serialize the source to a string. To
> > read the string back into objects, use eval(string);
>
> That's excellent, exactly what I was looking for ! :)
>
Not that it matters much in the case of reading from the preferences,
but evalInSandbox is safer/better generally, because a simple eval()
executes the code with the chrome privileges, so if the attacker can
make you eval() his string, he gains full control over the system.

Nickolay
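
An added example, not part of the thread or of any project's code: it shows why eval() on a stored configuration string is risky, by feeding one tampered string to an eval()-based loader and to a data-only loader. It runs in plain JavaScript (for example Node) rather than in Mozilla chrome, and it uses JSON.parse with a key and type check as the data-only alternative, not the evalInSandbox call discussed above; the function names, the schema and the sample strings are assumptions constructed for illustration.

```javascript
// Constructed sample: toSource()-style text where one value is an expression
// with a side effect instead of a plain literal.
const STORED_TAMPERED =
  '({proxy:"localhost", port:(globalThis.ranStoredCode = true, 8080), enabled:true})';
// Constructed sample: the same settings stored as JSON.
const STORED_JSON = '{"proxy":"localhost","port":8080,"enabled":true}';

// Pattern from the thread: eval() executes the string with the caller's privileges.
function loadWithEval(text) {
  return eval(text);
}

// Hypothetical schema: the only keys and value types the caller accepts.
const SCHEMA = { proxy: 'string', port: 'number', enabled: 'boolean' };

// Data-only alternative: JSON has no expressions, so nothing in the string can run.
function loadAsData(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'top level must be an object' };
  }
  const config = Object.create(null); // no inherited properties to collide with
  for (const key of Object.keys(parsed)) {
    if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) {
      return { ok: false, reason: 'unexpected key: ' + key };
    }
    if (typeof parsed[key] !== SCHEMA[key]) {
      return { ok: false, reason: 'wrong type for key: ' + key };
    }
    config[key] = parsed[key];
  }
  return { ok: true, config };
}

// Feed the tampered string to both loaders and record whether stored code ran.
function compareLoaders() {
  delete globalThis.ranStoredCode;
  const evalResult = loadWithEval(STORED_TAMPERED);
  const evalRanCode = globalThis.ranStoredCode === true;
  delete globalThis.ranStoredCode;
  const dataResult = loadAsData(STORED_TAMPERED);
  const dataRanCode = globalThis.ranStoredCode === true;
  return { evalRanCode, evalPort: evalResult.port, dataRanCode, dataAccepted: dataResult.ok };
}

console.log(compareLoaders(), loadAsData(STORED_JSON));
```

The eval() loader returns an object that looks normal (port 8080), so the executed expression leaves no trace in the loaded configuration itself.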