Comments (9)
A small add-on - this might be safer - even in case an attacker managed to tamper with the existing constructors:
delete Object;
window instanceof ({}).constructor; // true
from forge.
Is there a specific reason why these kinds of checks are being used? Why not make use of instanceof?
This is a result of very old code that needs updating. A shared isArray call is in forge.util (but it still needs to be updated itself). Also, see:
http://perfectionkills.com/instanceof-considered-harmful-or-how-to-write-a-robust-isarray/
We need to update forge.util.isArray() and use it where applicable.
from forge.
@kangax is - from what I can see - mainly concerned about cross-origin/-frame scenarios and the fragility of instanceof therein. Are they relevant in this situation?
from forge.
@x00mario, well, forge was actually originally created specifically to be used in cross-origin/-frame scenarios -- however, the point of linking to that article was that we should probably adopt the solution given at the end (it has worked well elsewhere):
function isArray(o) {
  return Object.prototype.toString.call(o) === '[object Array]';
}
A combination of Array.isArray (if it exists) and then falling back to the above check would probably be best/most compatible.
from forge.
There is also the hideous mess found here:
http://stackoverflow.com/questions/1058427/how-to-detect-if-a-variable-is-an-array
from forge.
@dlongley You can also: util.isArray = Array.isArray || function(){ ... } since Array.isArray does the same check (against [[Class]]) and is pretty widely supported by now — http://kangax.github.io/es5-compat-table/#Array.isArray
from forge.
@kangax -- yeah, that's what I went with, thanks.
from forge.
@dlongley Ah cool. Didn't notice first condition.
from forge.
Yeah, I consolidated that to make it more clear.
from forge.
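Added example, not part of the thread and not forge's own code: the checks discussed above (instanceof, the Object.prototype.toString fallback, and Array.isArray with that fallback) run side by side on constructed values. It assumes Node.js, where a vm context stands in for the cross-frame case, and it also includes a Symbol.toStringTag object to show why the native check should come first.

```javascript
'use strict';
const vm = require('node:vm');

// Fallback quoted in the thread: compare the class tag, which is the
// same string in every realm (frame, window, vm context).
function toStringIsArray(o) {
  return Object.prototype.toString.call(o) === '[object Array]';
}

// Combined form suggested in the thread: native check first, then fallback.
const isArray = Array.isArray || toStringIsArray;

// Run each check over constructed sample values and return a result table.
function compareChecks() {
  const samples = {
    localArray: [1, 2, 3],
    // Constructed: array created in a separate realm, standing in for an
    // array handed over from another frame or window.
    foreignArray: vm.runInNewContext('[1, 2, 3]'),
    // Constructed: plain object that merely inherits from Array.prototype.
    fakeArray: Object.create(Array.prototype),
    // Constructed: array-like object with a length and an index key.
    arrayLike: { 0: 'a', length: 1 },
    // Constructed: plain object that overrides its toString tag.
    spoofedTag: { [Symbol.toStringTag]: 'Array' },
  };
  const results = {};
  for (const [name, value] of Object.entries(samples)) {
    results[name] = {
      viaInstanceof: value instanceof Array,
      viaToString: toStringIsArray(value),
      viaIsArray: isArray(value),
    };
  }
  return results;
}

console.table(compareChecks());
```

Only the native Array.isArray gives the right answer on all five rows; the toString fallback is fooled by the tag override, so it belongs behind the native check as a legacy path only.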