From 07c0a974afc7227c60203e09184b93e6ca6483bf Mon Sep 17 00:00:00 2001
From: Mike Gerwitz <mikegerwitz@gnu.org>
Date: Mon, 7 Jul 2014 23:09:58 -0400
Subject: [PATCH] FIXME added for possibly leaking private symbol during tctor
 call

This is a security-related issue: we want to ensure that the user cannot,
without debugging tools, retrieve certain internal details that may be used
to compromise an implementation.
---
 lib/ClassBuilder.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/ClassBuilder.js b/lib/ClassBuilder.js
index c5c0a4c..11bda6b 100644
--- a/lib/ClassBuilder.js
+++ b/lib/ClassBuilder.js
@@ -882,6 +882,8 @@ exports.prototype.createConcreteCtor = function( cname, members )
         // handle internal trait initialization logic, if provided
         if ( typeof this.___$$tctor$$ === 'function' )
         {
+            // FIXME: we're exposing _priv to something that can be
+            // malicously set by the user; encapsulate tctor
             this.___$$tctor$$.call( this, _priv );
         }