Changeset 29174 in webkit


Ignore:
Timestamp:
Jan 4, 2008, 1:02:16 PM (17 years ago)
Author:
timothy@apple.com
Message:

Reviewed by Darin Adler.

<rdar://problem/5604409> JavaScript privilege escalation when Web Inspector accesses page unsafely (16011)

Check if the property is a getter before asking for the value.
If the property is a getter, we no longer show the value.

  • page/inspector/PropertiesSidebarPane.js:
  • page/inspector/inspector.css:
Location:
trunk/WebCore
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/WebCore/ChangeLog

    r29170 r29174  
     12008-01-04  Timothy Hatcher  <timothy@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        <rdar://problem/5604409> JavaScript privilege escalation when Web Inspector accesses page unsafely (16011)
     6
     7        Check if the property is a getter before asking for the value.
     8        If the property is a getter, we no longer show the value.
     9
     10        * page/inspector/PropertiesSidebarPane.js:
     11        * page/inspector/inspector.css:
     12
    1132008-01-04  Dan Bernstein  <mitz@apple.com>
    214

  • trunk/WebCore/page/inspector/PropertiesSidebarPane.js

    r27883 r29174  
    8383WebInspector.ObjectPropertiesSection.prototype.__proto__ = WebInspector.PropertiesSection.prototype;
    8484
    85 WebInspector.ObjectPropertyTreeElement = function(object, propertyName)
     85WebInspector.ObjectPropertyTreeElement = function(parentObject, propertyName)
    8686{
     87    this.parentObject = parentObject;
     88    this.propertyName = propertyName;
     89
     90    var childObject = this.safePropertyValue(parentObject, propertyName);
     91    var isGetter = parentObject.__lookupGetter__(propertyName);
     92
    8793    var title = "<span class=\"name\">" + propertyName.escapeHTML() + "</span>: ";
    88     title += "<span class=\"value\">" + Object.describe(object[propertyName], true).escapeHTML() + "</span>";
     94    if (!isGetter)
     95        title += "<span class=\"value\">" + Object.describe(childObject, true).escapeHTML() + "</span>";
     96    else
     97        // FIXME: this should show something like "getter" once we can change localization (bug 16734).
     98        title += "<span class=\"value dimmed\">&mdash;</span>";
    8999
    90100    var hasSubProperties = false;
    91     var type = typeof object[propertyName];
    92     if (object[propertyName] && (type === "object" || type === "function")) {
    93         for (subPropertyName in object[propertyName]) {
     101    var type = typeof childObject;
     102    if (childObject && (type === "object" || type === "function")) {
     103        for (subPropertyName in childObject) {
    94104            if (subPropertyName === "__treeElementIdentifier")
    95105                continue;
     
    99109    }
    100110
    101     this.object = object;
    102     this.propertyName = propertyName;
    103 
    104111    TreeElement.call(this, title, null, hasSubProperties);
    105112}
    106113
    107114WebInspector.ObjectPropertyTreeElement.prototype = {
     115    safePropertyValue: function(object, propertyName)
     116    {
     117        var getter = object.__lookupGetter__(propertyName);
     118        if (getter)
     119            return;
     120        return object[propertyName];
     121    },
     122
    108123    onpopulate: function()
    109124    {
     
    111126            return;
    112127
    113         var object = this.object[this.propertyName];
    114         var properties = Object.sortedProperties(object);
     128        var childObject = this.safePropertyValue(this.parentObject, this.propertyName);
     129        var properties = Object.sortedProperties(childObject);
    115130        for (var i = 0; i < properties.length; ++i) {
    116131            var propertyName = properties[i];
    117132            if (propertyName === "__treeElementIdentifier")
    118133                continue;
    119             this.appendChild(new WebInspector.ObjectPropertyTreeElement(object, propertyName));
     134            this.appendChild(new WebInspector.ObjectPropertyTreeElement(childObject, propertyName));
    120135        }
    121136    }

  • trunk/WebCore/page/inspector/inspector.css

    r28918 r29174  
    11901190    margin-top: 0;
    11911191    padding-right: 2px;
     1192    -webkit-user-select: none;
    11921193}
    11931194
     
    12351236}
    12361237
     1238.section .properties .value.dimmed {
     1239    color: rgb(100, 100, 100);
     1240}
     1241
    12371242.section .properties .number {
    12381243    color: blue;
     
    14551460    vertical-align: middle;
    14561461    opacity: 0.75;
     1462    -webkit-user-select: none;
    14571463}
    14581464
     
    14701476    left: 5px;
    14711477    top: 2px;
     1478    -webkit-user-select: none;
    14721479}
    14731480
     
    14771484    left: 4px;
    14781485    top: 2px;
     1486    -webkit-user-select: none;
    14791487}
    14801488
     
    14921500    left: 8px;
    14931501    top: 1px;
     1502    -webkit-user-select: none;
    14941503}
    14951504
Note: See TracChangeset for help on using the changeset viewer.