Changeset 25534 in webkit

Timestamp:

Sep 13, 2007 6:54:12 AM (17 years ago)

Author:

antti

Message:

JavaScriptCore:

Reviewed by Geoff, Maciej.

Fix <rdar://problem/5445058>
REGRESSION: Unable to upload picture to eBay auction due to domain security check

eBay uses window.eval() between windows. In Firefox window.eval() switches execution
and security context to the target window, something WebKit did not do. With WebKit
security tightening in r24781, this broke picture uploads.

Fix by making WebKit switch context in window.eval().

• kjs/Context.cpp: (KJS::Context::Context): (KJS::Context::~Context):
• kjs/context.h: Save and restore interpreter context independently from calling context.

• kjs/function.cpp: (KJS::GlobalFuncImp::callAsFunction): If eval is called for global object different than current one, switch execution context to that object and push it to scope.

LayoutTests:

Reviewed by Geoff, Maciej.

Test for <rdar://problem/5445058>
REGRESSION: Unable to upload picture to eBay auction due to domain security check

• fast/js/window-eval-context-expected.txt: Added.
• fast/js/window-eval-context.html: Added.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/kjs/Context.cpp (modified) (2 diffs)
• JavaScriptCore/kjs/context.h (modified) (1 diff)
• JavaScriptCore/kjs/function.cpp (modified) (2 diffs)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/window-eval-context-expected.txt (added)
• LayoutTests/fast/js/window-eval-context.html (added)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2007-09-12  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Geoff, Maciej.
+        
+        Fix <rdar://problem/5445058>
+        REGRESSION: Unable to upload picture to eBay auction due to domain security check
+        
+        eBay uses window.eval() between windows. In Firefox window.eval() switches execution
+        and security context to the target window, something WebKit did not do. With WebKit
+        security tightening in r24781, this broke picture uploads.
+        
+        Fix by making WebKit switch context in window.eval().
+        
+        * kjs/Context.cpp:
+        (KJS::Context::Context):
+        (KJS::Context::~Context):
+        * kjs/context.h:
+        Save and restore interpreter context independently from calling context.
+        
+        * kjs/function.cpp:
+        (KJS::GlobalFuncImp::callAsFunction):
+        If eval is called for global object different than current one, switch execution context
+        to that object and push it to scope.
+
 2007-09-12  Sam Weinig  <sam@webkit.org>
 

trunk/JavaScriptCore/kjs/Context.cpp

@@ -32 +32 @@
                  FunctionImp* func, const List* args)
     : m_interpreter(interpreter)
+    , m_savedContext(interpreter->context())
     , m_currentBody(currentBody)
     , m_function(func)
@@ -84 +85 @@
 Context::~Context()
 {
-    m_interpreter->setContext(m_callingContext);
+    m_interpreter->setContext(m_savedContext);
 
     // The arguments list is only needed to potentially create the  arguments object, 

trunk/JavaScriptCore/kjs/context.h

@@ -130 +130 @@
     Interpreter* m_interpreter;
     Context* m_callingContext;
+    Context* m_savedContext;
     FunctionBodyNode* m_currentBody;
     ExecState* m_execState;

trunk/JavaScriptCore/kjs/function.cpp

@@ -771 +771 @@
 }
 
-JSValue* GlobalFuncImp::callAsFunction(ExecState* exec, JSObject* /*thisObj*/, const List& args)
+JSValue* GlobalFuncImp::callAsFunction(ExecState* exec, JSObject* thisObj, const List& args)
 {
   JSValue* res = jsUndefined();
@@ -818 +818 @@
           return throwError(exec, SyntaxError, errMsg, errLine, sid, NULL);
 
+        bool switchGlobal = exec->dynamicInterpreter()->isGlobalObject(thisObj) && thisObj != exec->dynamicInterpreter()->globalObject();
+          
         // enter a new execution context
+        Interpreter* interpreter = switchGlobal ? exec->dynamicInterpreter()->interpreterForGlobalObject(thisObj) : exec->dynamicInterpreter();
         JSObject* thisVal = static_cast<JSObject*>(exec->context()->thisValue());
-        Context ctx(exec->dynamicInterpreter()->globalObject(),
-                       exec->dynamicInterpreter(),
+        Context ctx(interpreter->globalObject(),
+                       interpreter,
                        thisVal,
                        progNode.get(),
                        EvalCode,
                        exec->context());
-        ExecState newExec(exec->dynamicInterpreter(), &ctx);
+        ExecState newExec(interpreter, &ctx);
         if (exec->hadException())
             newExec.setException(exec->exception());
         ctx.setExecState(&newExec);
+          
+        if (switchGlobal)
+            ctx.pushScope(thisObj);
         
         // execute the code
         progNode->processVarDecls(&newExec);
         Completion c = progNode->execute(&newExec);
+          
+        if (switchGlobal)
+            ctx.popScope();
 
         // if an exception occured, propogate it back to the previous execution object

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2007-09-12  Antti Koivisto  <antti@apple.com>
+
+        Reviewed by Geoff, Maciej.
+        
+        Test for <rdar://problem/5445058>
+        REGRESSION: Unable to upload picture to eBay auction due to domain security check
+
+        * fast/js/window-eval-context-expected.txt: Added.
+        * fast/js/window-eval-context.html: Added.
+
 2007-09-12  John Seif <johneseif@gmail.com>