Changeset 129712 in webkit

Timestamp:

Sep 26, 2012 4:25:21 PM (12 years ago)

Author:

barraclough@apple.com

Message:

REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms
​https://bugs.webkit.org/show_bug.cgi?id=97529

Reviewed by Filip Pizlo.

A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.

Source/JavaScriptCore:

JSC currently throws an EvalError if you try to call eval with a this object that doesn't
match the given eval function. This does not match other browsers, which generally just
ignore the this value that was passed, and eval the string in the eval function's environment.

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncEval):

• Remove EvalError, ignore passed this value.

LayoutTests:

• fast/js/eval-cross-window-expected.txt:
• fast/js/eval-cross-window.html:
  • Changed not to expect EvalErrors (this matches other browsers), and modified testThis to check that the this object is always set to the global object.
• http/tests/security/resources/xss-eval2.html:
• http/tests/security/resources/xss-eval3.html:
• http/tests/security/xss-eval-expected.txt:
• http/tests/security/xss-eval.html:
  • Updated. Access via the global environment is not a security risk, since the eval is accessing it's own document's informantion. Access via the shell attempts to access the navigated pages document, tripping an access check & throwing a TypeError.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/eval-cross-window-expected.txt (modified) (5 diffs)
• LayoutTests/fast/js/eval-cross-window.html (modified) (6 diffs)
• LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-call.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/xss-eval2.html (modified) (1 diff)
• LayoutTests/http/tests/security/resources/xss-eval3.html (modified) (1 diff)
• LayoutTests/http/tests/security/xss-eval-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-eval.html (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-09-26  Gavin Barraclough  <barraclough@apple.com>
+
+        REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms
+        https://bugs.webkit.org/show_bug.cgi?id=97529
+
+        Reviewed by Filip Pizlo.
+
+        A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
+
+        * fast/js/eval-cross-window-expected.txt:
+        * fast/js/eval-cross-window.html:
+            - Changed not to expect EvalErrors (this matches other browsers), and modified testThis
+              to check that the this object is always set to the global object.
+        * http/tests/security/resources/xss-eval2.html:
+        * http/tests/security/resources/xss-eval3.html:
+        * http/tests/security/xss-eval-expected.txt:
+        * http/tests/security/xss-eval.html:
+            - Updated. Access via the global environment is not a security risk, since the eval is
+              accessing it's own document's informantion. Access via the shell attempts to access
+              the navigated pages document, tripping an access check & throwing a TypeError.
+
 2012-09-26  Emil A Eklund  <eae@chromium.org>
 

trunk/LayoutTests/fast/js/eval-cross-window-expected.txt

@@ -8 +8 @@
 PASS: window.eval("x") should be 0 and is.
 PASS: frames[0].eval("x") should be 1 and is.
-PASS: window.eval("x") should be EvalError and is.
-PASS: frames[0].eval("x") should be EvalError and is.
+PASS: window.eval("x") should be 1 and is.
+PASS: frames[0].eval("x") should be undefined and is.
 
 ----- Scope Chain for Getters: -----
@@ -15 +15 @@
 PASS: window.eval("xx") should be ReferenceError and is.
 PASS: frames[0].eval("xx") should be ReferenceError and is.
-PASS: window.eval("xx") should be EvalError and is.
-PASS: frames[0].eval("xx") should be EvalError and is.
+PASS: window.eval("xx") should be ReferenceError and is.
+PASS: frames[0].eval("xx") should be ReferenceError and is.
 
 ----- Variable Object: -----
@@ -22 +22 @@
 PASS: window.eval("var y; "y" in top") should be true and is.
 PASS: frames[0].eval("var y; "y" in top.frames[0]") should be true and is.
-PASS: window.eval("var y; "y" in top.frames[0]") should be EvalError and is.
-PASS: frames[0].eval("var y; "y" in top") should be EvalError and is.
+PASS: window.eval("var y; "y" in top.frames[0]") should be undefined and is.
+PASS: frames[0].eval("var y; "y" in top") should be undefined and is.
 
 ----- Scope Chain for Setters: -----
@@ -29 +29 @@
 PASS: window.eval("z = 1; top.z") should be 1 and is.
 PASS: frames[0].eval("z = 2; top.frames[0].z") should be 2 and is.
-PASS: window.eval("z = 3; top.frames[0].z") should be EvalError and is.
-PASS: frames[0].eval("z = 4; top.z") should be EvalError and is.
+PASS: window.eval("z = 3; top.frames[0].z") should be undefined and is.
+PASS: frames[0].eval("z = 4; top.z") should be undefined and is.
 
 ----- This Object: -----
@@ -36 +36 @@
 PASS: window.eval("this") should be [object Window] and is.
 PASS: frames[0].eval("this") should be [object Window] and is.
-PASS: window.eval("this") should be EvalError and is.
-PASS: frames[0].eval("this") should be EvalError and is.
+PASS: window.eval("this") should be undefined and is.
+PASS: frames[0].eval("this") should be undefined and is.
 

trunk/LayoutTests/fast/js/eval-cross-window.html

@@ -43 +43 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), 1);
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), undefined);
     frames[0].eval = frameEval;
 }
@@ -59 +59 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "ReferenceError");
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "ReferenceError");
     frames[0].eval = frameEval;
 }
@@ -78 +78 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), undefined);
     delete window.y;
     delete frames[0].y;
@@ -84 +84 @@
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), undefined);
     delete window.y;
     delete frames[0].y;
@@ -100 +100 @@
 
     window.eval = frameEval;
-    shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), undefined);
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), undefined);
     frames[0].eval = frameEval;
 }
@@ -110 +110 @@
 function testThis()
 {
-    shouldBe('window.eval("this")', window.eval("this"), window);
-    shouldBe('frames[0].eval("this")', frames[0].eval("this"), frames[0]);
+    shouldBe('window.eval("this")', window.eval.call("wrong", "this"), window);
+    shouldBe('frames[0].eval("this")', frames[0].eval.call("wrong", "this"), frames[0]);
 
     window.eval = frameEval;
-    shouldBe('window.eval("this")', (function() { try { window.eval("this"), frames[0] } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('window.eval("this")', (function() { try { window.eval.call("wrong", "this"), frames[0] } catch(e) { return e.name; } })(), undefined);
     window.eval = topEval;
 
     frames[0].eval = topEval;
-    shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval("this"), window } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval.call("wrong", "this"), window } catch(e) { return e.name; } })(), undefined);
     frames[0].eval = frameEval;
 }

trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt

@@ -86 +86 @@
 PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
 PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
-PASS: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' and is.
+PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is.
 PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
 

trunk/LayoutTests/http/tests/security/cross-frame-access-call.html

@@ -58 +58 @@
 
     // Throws an EvalError and logs to the error console
-    shouldBe("window.eval.call(targetWindow, '1+2');", '"EvalError: The \\"this\\" value passed to eval must be the global object from which eval originated"');
+    shouldBe("window.eval.call(targetWindow, '1+2');", '3');
 
     // - Tests for the Location object -

trunk/LayoutTests/http/tests/security/resources/xss-eval2.html

@@ -1 +1 @@
 <script>
+document.testExpando = "It's me too!";
+
 parent.childEval = eval;
 

trunk/LayoutTests/http/tests/security/resources/xss-eval3.html

@@ -1 +1 @@
 <script>
+document.testExpando = "It's me three!";
+
 parent.postMessage("done", "*");
 </script>

trunk/LayoutTests/http/tests/security/xss-eval-expected.txt

@@ -5 +5 @@
 If the test passes, you'll see a pass message below.
 
-PASS: eval.call(frames[0], 'document') should be EvalError and is.
-PASS: childEval.call(frames[0], 'document') should be EvalError and is.
-PASS: childEvalCaller('document') should be TypeError and is.
-PASS: childLocalEvalCaller('document') should be EvalError and is.
+PASS: eval.call(frames[0], 'document').testExpando should be It's me! and is.
+PASS: childEval.call(frames[0], 'document').testExpando should be It's me too! and is.
+PASS: childEvalCaller('document').testExpando should be TypeError and is.
+PASS: childLocalEvalCaller('document').testExpando should be It's me too! and is.
 

trunk/LayoutTests/http/tests/security/xss-eval.html

@@ -30 +30 @@
 addEventListener("message", function()
 {
-    (function() {
-        try {
-            var doc = eval.call(frames[0], 'document');
-            // V8 execute the eval our scope, which is safe.
-            shouldBe("documentFromEval", doc.testExpando, "It's me!")
-        } catch(e) {
-            // JSC throws an exception, which is also safe.
-            shouldBe("eval.call(frames[0], 'document')", e.name, "EvalError");
-        }
-    })();
+    shouldBe("eval.call(frames[0], 'document').testExpando",
+        (function() { try {
+            return eval.call(frames[0], 'document').testExpando;
+        } catch(e) { return e.name; } })(), "It's me!")
 
-    shouldBe("childEval.call(frames[0], 'document')", (function() { try { return childEval.call(frames[0], 'document'); } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe("childEval.call(frames[0], 'document').testExpando",
+        (function() { try {
+            return childEval.call(frames[0], 'document').testExpando;
+        } catch(e) { return e.name; } })(), "It's me too!");
 
-    shouldBe("childEvalCaller('document')", (function() { try { return childEvalCaller('document'); } catch(e) { return e.name; } })(), "TypeError");
+    shouldBe("childEvalCaller('document').testExpando",
+        (function() { try {
+            return childEvalCaller('document').testExpando;
+        } catch(e) { return e.name; } })(), "TypeError");
 
-    shouldBe("childLocalEvalCaller('document')", (function() { try { return childLocalEvalCaller('document'); } catch(e) { return e.name; } })(), "EvalError");
+    shouldBe("childLocalEvalCaller('document').testExpando",
+        (function() { try { return childLocalEvalCaller('document').testExpando; } catch(e) { return e.name; } })(), "It's me too!");
 
     if (window.testRunner)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-26  Gavin Barraclough  <barraclough@apple.com>
+
+        REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms
+        https://bugs.webkit.org/show_bug.cgi?id=97529
+
+        Reviewed by Filip Pizlo.
+
+        A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
+
+        JSC currently throws an EvalError if you try to call eval with a this object that doesn't
+        match the given eval function. This does not match other browsers, which generally just
+        ignore the this value that was passed, and eval the string in the eval function's environment.
+
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncEval):
+            - Remove EvalError, ignore passed this value.
+
 2012-09-26  Gavin Barraclough  <barraclough@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -498 +498 @@
 EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec)
 {
-    JSObject* thisObject = exec->hostThisValue().toThisObject(exec);
-    JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
-    if (thisObject != exec->callee()->globalObject()->globalThis())
-        return throwVMError(exec, createEvalError(exec, ASCIILiteral("The \"this\" value passed to eval must be the global object from which eval originated")));
-
     JSValue x = exec->argument(0);
     if (!x.isString())
@@ -519 +514 @@
     }
 
+    JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
     EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false);
     JSObject* error = eval->compile(exec, calleeGlobalObject);
@@ -524 +520 @@
         return throwVMError(exec, error);
 
-    return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, calleeGlobalObject));
+    return JSValue::encode(exec->interpreter()->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject));
 }