Changeset 129629 in webkit

Timestamp:

Sep 26, 2012 6:21:07 AM (12 years ago)

Author:

commit-queue@webkit.org

Message:

Unreviewed, rolling out r129592.
​http://trac.webkit.org/changeset/129592
​https://bugs.webkit.org/show_bug.cgi?id=97670

Failures in Chromium security tests (Requested by schenney on
#webkit).

Patch by Sheriff Bot <​webkit.review.bot@gmail.com> on 2012-09-26

Source/JavaScriptCore:

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncEval):

LayoutTests:

• fast/js/eval-cross-window-expected.txt:
• fast/js/eval-cross-window.html:
• http/tests/security/cross-frame-access-call-expected.txt:
• http/tests/security/cross-frame-access-call.html:
• http/tests/security/resources/xss-eval2.html:
• http/tests/security/resources/xss-eval3.html:
• http/tests/security/xss-eval-expected.txt:
• http/tests/security/xss-eval.html:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/eval-cross-window-expected.txt (modified) (5 diffs)
• LayoutTests/fast/js/eval-cross-window.html (modified) (6 diffs)
• LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-call.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/xss-eval2.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/xss-eval3.html (modified) (1 diff)
• LayoutTests/http/tests/security/xss-eval-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-eval.html (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-09-26  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r129592.
+        http://trac.webkit.org/changeset/129592
+        https://bugs.webkit.org/show_bug.cgi?id=97670
+
+        Failures in Chromium security tests (Requested by schenney on
+        #webkit).
+
+        * fast/js/eval-cross-window-expected.txt:
+        * fast/js/eval-cross-window.html:
+        * http/tests/security/cross-frame-access-call-expected.txt:
+        * http/tests/security/cross-frame-access-call.html:
+        * http/tests/security/resources/xss-eval2.html:
+        * http/tests/security/resources/xss-eval3.html:
+        * http/tests/security/xss-eval-expected.txt:
+        * http/tests/security/xss-eval.html:
+
 2012-09-25  Vsevolod Vlasov  <vsevik@chromium.org>
 

trunk/LayoutTests/fast/js/eval-cross-window-expected.txt

@@ -8 +8 @@
 PASS: window.eval("x") should be 0 and is.
 PASS: frames[0].eval("x") should be 1 and is.
-PASS: window.eval("x") should be 1 and is.
-PASS: frames[0].eval("x") should be undefined and is.
+PASS: window.eval("x") should be EvalError and is.
+PASS: frames[0].eval("x") should be EvalError and is.
 
 ----- Scope Chain for Getters: -----
@@ -15 +15 @@
 PASS: window.eval("xx") should be ReferenceError and is.
 PASS: frames[0].eval("xx") should be ReferenceError and is.
-PASS: window.eval("xx") should be ReferenceError and is.
-PASS: frames[0].eval("xx") should be ReferenceError and is.
+PASS: window.eval("xx") should be EvalError and is.
+PASS: frames[0].eval("xx") should be EvalError and is.
 
 ----- Variable Object: -----
@@ -22 +22 @@
 PASS: window.eval("var y; "y" in top") should be true and is.
 PASS: frames[0].eval("var y; "y" in top.frames[0]") should be true and is.
-PASS: window.eval("var y; "y" in top.frames[0]") should be undefined and is.
-PASS: frames[0].eval("var y; "y" in top") should be undefined and is.
+PASS: window.eval("var y; "y" in top.frames[0]") should be EvalError and is.
+PASS: frames[0].eval("var y; "y" in top") should be EvalError and is.
 
 ----- Scope Chain for Setters: -----
@@ -29 +29 @@
 PASS: window.eval("z = 1; top.z") should be 1 and is.
 PASS: frames[0].eval("z = 2; top.frames[0].z") should be 2 and is.
-PASS: window.eval("z = 3; top.frames[0].z") should be undefined and is.
-PASS: frames[0].eval("z = 4; top.z") should be undefined and is.
+PASS: window.eval("z = 3; top.frames[0].z") should be EvalError and is.
+PASS: frames[0].eval("z = 4; top.z") should be EvalError and is.
 
 ----- This Object: -----
@@ -36 +36 @@
 PASS: window.eval("this") should be [object Window] and is.
 PASS: frames[0].eval("this") should be [object Window] and is.
-PASS: window.eval("this") should be undefined and is.
-PASS: frames[0].eval("this") should be undefined and is.
+PASS: window.eval("this") should be EvalError and is.
+PASS: frames[0].eval("this") should be EvalError and is.
 

trunk/LayoutTests/fast/js/eval-cross-window.html

@@ -43 +43 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), 1);
+    shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), "EvalError");
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), undefined);
+    shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), "EvalError");
     frames[0].eval = frameEval;
 }
@@ -59 +59 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "ReferenceError");
+    shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "EvalError");
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "ReferenceError");
+    shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "EvalError");
     frames[0].eval = frameEval;
 }
@@ -78 +78 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), undefined);
+    shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), "EvalError");
     delete window.y;
     delete frames[0].y;
@@ -84 +84 @@
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), undefined);
+    shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), "EvalError");
     delete window.y;
     delete frames[0].y;
@@ -100 +100 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), undefined);
+    shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), "EvalError");
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), undefined);
+    shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), "EvalError");
     frames[0].eval = frameEval;
 }
@@ -110 +110 @@
 function testThis()
 {
-    shouldBe('window.eval("this")', window.eval.call("wrong", "this"), window);
-    shouldBe('frames[0].eval("this")', frames[0].eval.call("wrong", "this"), frames[0]);
+    shouldBe('window.eval("this")', window.eval("this"), window);
+    shouldBe('frames[0].eval("this")', frames[0].eval("this"), frames[0]);
 
     window.eval = frameEval;
-    shouldBe('window.eval("this")', (function() { try { window.eval.call("wrong", "this"), frames[0] } catch(e) { return e.name; } })(), undefined);
+    shouldBe('window.eval("this")', (function() { try { window.eval("this"), frames[0] } catch(e) { return e.name; } })(), "EvalError");
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval.call("wrong", "this"), window } catch(e) { return e.name; } })(), undefined);
+    shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval("this"), window } catch(e) { return e.name; } })(), "EvalError");
     frames[0].eval = frameEval;
 }

trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt

@@ -86 +86 @@
 PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
 PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
-PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is.
+PASS: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' and is.
 PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
 

trunk/LayoutTests/http/tests/security/cross-frame-access-call.html

@@ -58 +58 @@
 
     // Throws an EvalError and logs to the error console
-    shouldBe("window.eval.call(targetWindow, '1+2');", '3');
+    shouldBe("window.eval.call(targetWindow, '1+2');", '"EvalError: The \\"this\\" value passed to eval must be the global object from which eval originated"');
 
     // - Tests for the Location object -

trunk/LayoutTests/http/tests/security/resources/xss-eval2.html

@@ -1 +1 @@
 <script>
-document.testExpando = "It's me too!";
-
 parent.childEval = eval;
 

trunk/LayoutTests/http/tests/security/resources/xss-eval3.html

@@ -1 +1 @@
 <script>
-document.testExpando = "It's me three!";
-
 parent.postMessage("done", "*");
 </script>

trunk/LayoutTests/http/tests/security/xss-eval-expected.txt

@@ -5 +5 @@
 If the test passes, you'll see a pass message below.
 
-PASS: eval.call(frames[0], 'document').testExpando should be It's me! and is.
-PASS: childEval.call(frames[0], 'document').testExpando should be It's me too! and is.
-PASS: childEvalCaller('document').testExpando should be TypeError and is.
-PASS: childLocalEvalCaller('document').testExpando should be It's me too! and is.
+PASS: eval.call(frames[0], 'document') should be EvalError and is.
+PASS: childEval.call(frames[0], 'document') should be EvalError and is.
+PASS: childEvalCaller('document') should be TypeError and is.
+PASS: childLocalEvalCaller('document') should be EvalError and is.
 

trunk/LayoutTests/http/tests/security/xss-eval.html

@@ -30 +30 @@
 addEventListener("message", function()
 {
-    shouldBe("eval.call(frames[0], 'document').testExpando",
-        (function() { try {
-            return eval.call(frames[0], 'document').testExpando;
-        } catch(e) { return e.name; } })(), "It's me!")
+    (function() {
+        try {
+            var doc = eval.call(frames[0], 'document');
+            // V8 execute the eval our scope, which is safe.
+            shouldBe("documentFromEval", doc.testExpando, "It's me!")
+        } catch(e) {
+            // JSC throws an exception, which is also safe.
+            shouldBe("eval.call(frames[0], 'document')", e.name, "EvalError");
+        }
+    })();
 
-    shouldBe("childEval.call(frames[0], 'document').testExpando",
-        (function() { try {
-            return childEval.call(frames[0], 'document').testExpando;
-        } catch(e) { return e.name; } })(), "It's me too!");
+    shouldBe("childEval.call(frames[0], 'document')", (function() { try { return childEval.call(frames[0], 'document'); } catch(e) { return e.name; } })(), "EvalError");
 
-    shouldBe("childEvalCaller('document').testExpando",
-        (function() { try {
-            return childEvalCaller('document').testExpando;
-        } catch(e) { return e.name; } })(), "TypeError");
+    shouldBe("childEvalCaller('document')", (function() { try { return childEvalCaller('document'); } catch(e) { return e.name; } })(), "TypeError");
 
-    shouldBe("childLocalEvalCaller('document').testExpando",
-        (function() { try {
-            return childLocalEvalCaller('document').testExpando;
-        } catch(e) { return e.name; } })(), "It's me too!");
+    shouldBe("childLocalEvalCaller('document')", (function() { try { return childLocalEvalCaller('document'); } catch(e) { return e.name; } })(), "EvalError");
 
     if (window.testRunner)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-26  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r129592.
+        http://trac.webkit.org/changeset/129592
+        https://bugs.webkit.org/show_bug.cgi?id=97670
+
+        Failures in Chromium security tests (Requested by schenney on
+        #webkit).
+
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncEval):
+
 2012-09-25  Gavin Barraclough  <barraclough@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -498 +498 @@
 EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec)
 {
+    JSObject* thisObject = exec->hostThisValue().toThisObject(exec);
+    JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
+    if (thisObject != exec->callee()->globalObject()->globalThis())
+        return throwVMError(exec, createEvalError(exec, ASCIILiteral("The \"this\" value passed to eval must be the global object from which eval originated")));
+
     JSValue x = exec->argument(0);
     if (!x.isString())
@@ -514 +519 @@
     }
 
-    JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
     EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false);
     JSObject* error = eval->compile(exec, calleeGlobalObject);
@@ -520 +524 @@
         return throwVMError(exec, error);
 
-    return JSValue::encode(exec->interpreter()->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject));
+    return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, calleeGlobalObject));
 }