Nowadays if you need to embed a JS engine, you’d probably use Duktape or Microvium. Vendoring ancient SpiderMonkey made sense a long time ago, but it seems like a security liability now. Especially when PAC files can come from untrusted networks. I wonder what the project is considering…
What’s crazy is that the linked pacparser library written in C is still using an old spidermonkey, albeit “only” a year old. But still with numerous security flaws that have since been identified and fixed.
That’s the project I was referring to. Changing it to use Duktape or something else seems pretty wise (polkit was the other famous SM user and they use Duktape now, so), and I can’t imagine PAC files are complex enough they need a crazy sophisticated JS interpreter (On the contrary, they probably have to target Windows’ decrepit old JScript engine). I don’t have the time or energy to fix it myself since I don’t use the library, but it’s probably worth reporting there.
Good news! I got delirious enough to write a patch to replace it with Duktape. Turns out it wasn’t hard to replace a Bush-era JS runtime after all…