Changeset 129629 in webkit
- Timestamp:
- Sep 26, 2012 6:21:07 AM (12 years ago)
- Location:
- trunk
- Files:
-
- 11 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r129626 r129629 1 2012-09-26 Sheriff Bot <webkit.review.bot@gmail.com> 2 3 Unreviewed, rolling out r129592. 4 http://trac.webkit.org/changeset/129592 5 https://bugs.webkit.org/show_bug.cgi?id=97670 6 7 Failures in Chromium security tests (Requested by schenney on 8 #webkit). 9 10 * fast/js/eval-cross-window-expected.txt: 11 * fast/js/eval-cross-window.html: 12 * http/tests/security/cross-frame-access-call-expected.txt: 13 * http/tests/security/cross-frame-access-call.html: 14 * http/tests/security/resources/xss-eval2.html: 15 * http/tests/security/resources/xss-eval3.html: 16 * http/tests/security/xss-eval-expected.txt: 17 * http/tests/security/xss-eval.html: 18 1 19 2012-09-25 Vsevolod Vlasov <vsevik@chromium.org> 2 20 -
trunk/LayoutTests/fast/js/eval-cross-window-expected.txt
r129592 r129629 8 8 PASS: window.eval("x") should be 0 and is. 9 9 PASS: frames[0].eval("x") should be 1 and is. 10 PASS: window.eval("x") should be 1and is.11 PASS: frames[0].eval("x") should be undefinedand is.10 PASS: window.eval("x") should be EvalError and is. 11 PASS: frames[0].eval("x") should be EvalError and is. 12 12 13 13 ----- Scope Chain for Getters: ----- … … 15 15 PASS: window.eval("xx") should be ReferenceError and is. 16 16 PASS: frames[0].eval("xx") should be ReferenceError and is. 17 PASS: window.eval("xx") should be ReferenceError and is.18 PASS: frames[0].eval("xx") should be ReferenceError and is.17 PASS: window.eval("xx") should be EvalError and is. 18 PASS: frames[0].eval("xx") should be EvalError and is. 19 19 20 20 ----- Variable Object: ----- … … 22 22 PASS: window.eval("var y; "y" in top") should be true and is. 23 23 PASS: frames[0].eval("var y; "y" in top.frames[0]") should be true and is. 24 PASS: window.eval("var y; "y" in top.frames[0]") should be undefinedand is.25 PASS: frames[0].eval("var y; "y" in top") should be undefinedand is.24 PASS: window.eval("var y; "y" in top.frames[0]") should be EvalError and is. 25 PASS: frames[0].eval("var y; "y" in top") should be EvalError and is. 26 26 27 27 ----- Scope Chain for Setters: ----- … … 29 29 PASS: window.eval("z = 1; top.z") should be 1 and is. 30 30 PASS: frames[0].eval("z = 2; top.frames[0].z") should be 2 and is. 31 PASS: window.eval("z = 3; top.frames[0].z") should be undefinedand is.32 PASS: frames[0].eval("z = 4; top.z") should be undefinedand is.31 PASS: window.eval("z = 3; top.frames[0].z") should be EvalError and is. 32 PASS: frames[0].eval("z = 4; top.z") should be EvalError and is. 33 33 34 34 ----- This Object: ----- … … 36 36 PASS: window.eval("this") should be [object Window] and is. 37 37 PASS: frames[0].eval("this") should be [object Window] and is. 38 PASS: window.eval("this") should be undefinedand is.39 PASS: frames[0].eval("this") should be undefinedand is.38 PASS: window.eval("this") should be EvalError and is. 39 PASS: frames[0].eval("this") should be EvalError and is. 40 40 -
trunk/LayoutTests/fast/js/eval-cross-window.html
r129592 r129629 43 43 44 44 window.eval = frameEval; 45 shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), 1);45 shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), "EvalError"); 46 46 window.eval = topEval; 47 47 48 48 frames[0].eval = topEval; 49 shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), undefined);49 shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), "EvalError"); 50 50 frames[0].eval = frameEval; 51 51 } … … 59 59 60 60 window.eval = frameEval; 61 shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), " ReferenceError");61 shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "EvalError"); 62 62 window.eval = topEval; 63 63 64 64 frames[0].eval = topEval; 65 shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), " ReferenceError");65 shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "EvalError"); 66 66 frames[0].eval = frameEval; 67 67 } … … 78 78 79 79 window.eval = frameEval; 80 shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), undefined);80 shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), "EvalError"); 81 81 delete window.y; 82 82 delete frames[0].y; … … 84 84 85 85 frames[0].eval = topEval; 86 shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), undefined);86 shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), "EvalError"); 87 87 delete window.y; 88 88 delete frames[0].y; … … 100 100 101 101 window.eval = frameEval; 102 shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), undefined);102 shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), "EvalError"); 103 103 window.eval = topEval; 104 104 105 105 frames[0].eval = topEval; 106 shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), undefined);106 shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), "EvalError"); 107 107 frames[0].eval = frameEval; 108 108 } … … 110 110 function testThis() 111 111 { 112 shouldBe('window.eval("this")', window.eval .call("wrong","this"), window);113 shouldBe('frames[0].eval("this")', frames[0].eval .call("wrong","this"), frames[0]);112 shouldBe('window.eval("this")', window.eval("this"), window); 113 shouldBe('frames[0].eval("this")', frames[0].eval("this"), frames[0]); 114 114 115 115 window.eval = frameEval; 116 shouldBe('window.eval("this")', (function() { try { window.eval .call("wrong", "this"), frames[0] } catch(e) { return e.name; } })(), undefined);116 shouldBe('window.eval("this")', (function() { try { window.eval("this"), frames[0] } catch(e) { return e.name; } })(), "EvalError"); 117 117 window.eval = topEval; 118 118 119 119 frames[0].eval = topEval; 120 shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval .call("wrong", "this"), window } catch(e) { return e.name; } })(), undefined);120 shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval("this"), window } catch(e) { return e.name; } })(), "EvalError"); 121 121 frames[0].eval = frameEval; 122 122 } -
trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt
r129592 r129629 86 86 PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is. 87 87 PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is. 88 PASS: window.eval.call(targetWindow, '1+2'); should be ' 3' and is.88 PASS: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' and is. 89 89 PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is. 90 90 -
trunk/LayoutTests/http/tests/security/cross-frame-access-call.html
r129592 r129629 58 58 59 59 // Throws an EvalError and logs to the error console 60 shouldBe("window.eval.call(targetWindow, '1+2');", ' 3');60 shouldBe("window.eval.call(targetWindow, '1+2');", '"EvalError: The \\"this\\" value passed to eval must be the global object from which eval originated"'); 61 61 62 62 // - Tests for the Location object - -
trunk/LayoutTests/http/tests/security/resources/xss-eval2.html
r129592 r129629 1 1 <script> 2 document.testExpando = "It's me too!";3 4 2 parent.childEval = eval; 5 3 -
trunk/LayoutTests/http/tests/security/resources/xss-eval3.html
r129592 r129629 1 1 <script> 2 document.testExpando = "It's me three!";3 4 2 parent.postMessage("done", "*"); 5 3 </script> -
trunk/LayoutTests/http/tests/security/xss-eval-expected.txt
r129592 r129629 5 5 If the test passes, you'll see a pass message below. 6 6 7 PASS: eval.call(frames[0], 'document') .testExpando should be It's me!and is.8 PASS: childEval.call(frames[0], 'document') .testExpando should be It's me too!and is.9 PASS: childEvalCaller('document') .testExpandoshould be TypeError and is.10 PASS: childLocalEvalCaller('document') .testExpando should be It's me too!and is.7 PASS: eval.call(frames[0], 'document') should be EvalError and is. 8 PASS: childEval.call(frames[0], 'document') should be EvalError and is. 9 PASS: childEvalCaller('document') should be TypeError and is. 10 PASS: childLocalEvalCaller('document') should be EvalError and is. 11 11 -
trunk/LayoutTests/http/tests/security/xss-eval.html
r129592 r129629 30 30 addEventListener("message", function() 31 31 { 32 shouldBe("eval.call(frames[0], 'document').testExpando", 33 (function() { try { 34 return eval.call(frames[0], 'document').testExpando; 35 } catch(e) { return e.name; } })(), "It's me!") 32 (function() { 33 try { 34 var doc = eval.call(frames[0], 'document'); 35 // V8 execute the eval our scope, which is safe. 36 shouldBe("documentFromEval", doc.testExpando, "It's me!") 37 } catch(e) { 38 // JSC throws an exception, which is also safe. 39 shouldBe("eval.call(frames[0], 'document')", e.name, "EvalError"); 40 } 41 })(); 36 42 37 shouldBe("childEval.call(frames[0], 'document').testExpando", 38 (function() { try { 39 return childEval.call(frames[0], 'document').testExpando; 40 } catch(e) { return e.name; } })(), "It's me too!"); 43 shouldBe("childEval.call(frames[0], 'document')", (function() { try { return childEval.call(frames[0], 'document'); } catch(e) { return e.name; } })(), "EvalError"); 41 44 42 shouldBe("childEvalCaller('document').testExpando", 43 (function() { try { 44 return childEvalCaller('document').testExpando; 45 } catch(e) { return e.name; } })(), "TypeError"); 45 shouldBe("childEvalCaller('document')", (function() { try { return childEvalCaller('document'); } catch(e) { return e.name; } })(), "TypeError"); 46 46 47 shouldBe("childLocalEvalCaller('document').testExpando", 48 (function() { try { 49 return childLocalEvalCaller('document').testExpando; 50 } catch(e) { return e.name; } })(), "It's me too!"); 47 shouldBe("childLocalEvalCaller('document')", (function() { try { return childLocalEvalCaller('document'); } catch(e) { return e.name; } })(), "EvalError"); 51 48 52 49 if (window.testRunner) -
trunk/Source/JavaScriptCore/ChangeLog
r129592 r129629 1 2012-09-26 Sheriff Bot <webkit.review.bot@gmail.com> 2 3 Unreviewed, rolling out r129592. 4 http://trac.webkit.org/changeset/129592 5 https://bugs.webkit.org/show_bug.cgi?id=97670 6 7 Failures in Chromium security tests (Requested by schenney on 8 #webkit). 9 10 * runtime/JSGlobalObjectFunctions.cpp: 11 (JSC::globalFuncEval): 12 1 13 2012-09-25 Gavin Barraclough <barraclough@apple.com> 2 14 -
trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
r129592 r129629 498 498 EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec) 499 499 { 500 JSObject* thisObject = exec->hostThisValue().toThisObject(exec); 501 JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject(); 502 if (thisObject != exec->callee()->globalObject()->globalThis()) 503 return throwVMError(exec, createEvalError(exec, ASCIILiteral("The \"this\" value passed to eval must be the global object from which eval originated"))); 504 500 505 JSValue x = exec->argument(0); 501 506 if (!x.isString()) … … 514 519 } 515 520 516 JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();517 521 EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false); 518 522 JSObject* error = eval->compile(exec, calleeGlobalObject); … … 520 524 return throwVMError(exec, error); 521 525 522 return JSValue::encode(exec->interpreter()->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject));526 return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, calleeGlobalObject)); 523 527 } 524 528
Note: See TracChangeset
for help on using the changeset viewer.