Title: [96031] branches/chromium/835
Revision
96031
Author
c...@chromium.org
Date
2011-09-26 16:23:27 -0700 (Mon, 26 Sep 2011)

Log Message

Merge 95488 - Named property confusion with __proto__

BUG=95671
Review URL: http://codereview.chromium.org/8036045

Modified Paths

Added Paths

Diff

Copied: branches/chromium/835/LayoutTests/http/tests/security/resources/innocent-victim-with-iframe.html (from rev 95488, trunk/LayoutTests/http/tests/security/resources/innocent-victim-with-iframe.html) (0 => 96031)


--- branches/chromium/835/LayoutTests/http/tests/security/resources/innocent-victim-with-iframe.html	                        (rev 0)
+++ branches/chromium/835/LayoutTests/http/tests/security/resources/innocent-victim-with-iframe.html	2011-09-26 23:23:27 UTC (rev 96031)
@@ -0,0 +1,6 @@
+<html>
+<body>
+This page doesn't do anything special except have an iframe:<br>
+<iframe src=""
+</body>
+</html>
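Review bot: The `<iframe src=""` start tag on the fourth line of the file is never closed with `>`, so the parser's error recovery decides where the tag ends and `</body>`/`</html>` are presumably swallowed as attribute text or frame content; write `<iframe src=""></iframe>`. The test only needs the frame to exist, so it likely passes as-is, but a fixture that depends on tokenizer recovery is fragile across parser changes.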

Copied: branches/chromium/835/LayoutTests/http/tests/security/window-named-proto-expected.txt (from rev 95488, trunk/LayoutTests/http/tests/security/window-named-proto-expected.txt) (0 => 96031)


--- branches/chromium/835/LayoutTests/http/tests/security/window-named-proto-expected.txt	                        (rev 0)
+++ branches/chromium/835/LayoutTests/http/tests/security/window-named-proto-expected.txt	2011-09-26 23:23:27 UTC (rev 96031)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe _javascript_ attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim-with-iframe.html from frame with URL data:text/html,<script>(function () {            setTimeout(function() {                if (window.layoutTestController)                    layoutTestController.notifyDone();            }, 0);            window.name = "__proto__";            parent.__proto__.alert.constructor("alert(document.body.innerHTML)")();        })()</script>. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Uncaught TypeError: Cannot read property 'alert' of undefined
+

Copied: branches/chromium/835/LayoutTests/http/tests/security/window-named-proto.html (from rev 95488, trunk/LayoutTests/http/tests/security/window-named-proto.html) (0 => 96031)


--- branches/chromium/835/LayoutTests/http/tests/security/window-named-proto.html	                        (rev 0)
+++ branches/chromium/835/LayoutTests/http/tests/security/window-named-proto.html	2011-09-26 23:23:27 UTC (rev 96031)
@@ -0,0 +1,26 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+window._onload_ = function()
+{
+    frame = document.body.appendChild(document.createElement("iframe"));
+    frame.src = ""
+    frame._onload_ = function() {
+        frame._onload_ = null;
+
+        frame.contentWindow[0].location = "data:text/html,<script>(" + function() {
+
+            setTimeout(function() {
+                if (window.layoutTestController)
+                    layoutTestController.notifyDone();
+            }, 0);
+
+            window.name = "__proto__";
+            parent.__proto__.alert.constructor("alert(document.body.innerHTML)")();
+        } + ")()</scr" + "ipt>";
+    }
+}
+</script>
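Review bot: `frame` on the ninth line is assigned without `var`, which creates an implicit global, and `frame.src = ""` is missing its semicolon; `var frame = document.body.appendChild(document.createElement("iframe"));` and `frame.src = "";`. The `_onload_` spellings in this file (and `_javascript_` in the expectation file) look like mailing-list mangling of `onload`/`JavaScript` rather than what is in the tree, so they should not be copied from this page.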

Modified: branches/chromium/835/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (96030 => 96031)


--- branches/chromium/835/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	2011-09-26 23:21:42 UTC (rev 96030)
+++ branches/chromium/835/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	2011-09-26 23:23:27 UTC (rev 96031)
@@ -549,12 +549,17 @@
         return false;
 
     if (key->IsString()) {
+        DEFINE_STATIC_LOCAL(AtomicString, nameOfProtoProperty, ("__proto__"));
+
         String name = toWebCoreString(key);
         // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
         // because that would generate infinite recursion.
         if (type == v8::ACCESS_HAS && target->tree()->child(name))
             return true;
-        if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()))
+        // We need to explicitly compare against nameOfProtoProperty because
+        // V8's JSObject::LocalLookup finds __proto__ before
+        // interceptors and even when __proto__ isn't a "real named property".
+        if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()) && name != nameOfProtoProperty)
             return true;
     }
 
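Review bot: The new `name != nameOfProtoProperty` operand sits last in the condition, so `target->tree()->child(name)` and `host->HasRealNamedProperty(key->ToString())` are still evaluated for `__proto__` before the access is refused; because this `return true` is the allow path for cross-origin named-frame lookups, the exclusion is clearer and cheaper as the first test after the `type` check: `if (type == v8::ACCESS_GET && name != nameOfProtoProperty && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()))`. The `ACCESS_HAS` branch two lines earlier still answers true for a child frame named `__proto__`; that looks harmless since it grants no value, but the comment could state it, e.g. `// ACCESS_HAS is deliberately left alone: it only answers existence, not the value.` The enclosing function begins before the hunk and continues past it, so other `return true` paths are not visible here.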