The minifier incorrectly transforms
q = (1,y.z)();
to
q = y.z();
Additionally, I tried writing the obvious test case for this (in
JsOptimizerTest.java) and it hung in an infinite loop inside
ParseTreeKB.optimize:
+ public final void testCommaNotChanged() throws Exception {
+ assertOptimized(
+ js(fromString("q = (1,y.z)();")),
+ js(fromString("q = (1,y.z)();")));
+ }
This is not currently a vulnerability as we never use the (1,o.m)() form
statically in any critical location. However, it is a significant hazard for
future code changes (because we use this pattern in other ways and so it looks
like a fine thing to do).
Original issue reported on code.google.com by kpreid@google.com on 26 Feb 2015 at 12:54
Original issue reported on code.google.com by
kpreid@google.com
on 26 Feb 2015 at 12:54