Changeset 129712 in webkit
Timestamp: Sep 26, 2012 4:25:21 PM (12 years ago)
Location: trunk
Files: 11 edited
trunk/LayoutTests/ChangeLog
r129710 r129712 1 2012-09-26 Gavin Barraclough <barraclough@apple.com> 2 3 REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms 4 https://bugs.webkit.org/show_bug.cgi?id=97529 5 6 Reviewed by Filip Pizlo. 7 8 A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers. 9 10 * fast/js/eval-cross-window-expected.txt: 11 * fast/js/eval-cross-window.html: 12 - Changed not to expect EvalErrors (this matches other browsers), and modified testThis 13 to check that the this object is always set to the global object. 14 * http/tests/security/resources/xss-eval2.html: 15 * http/tests/security/resources/xss-eval3.html: 16 * http/tests/security/xss-eval-expected.txt: 17 * http/tests/security/xss-eval.html: 18 - Updated. Access via the global environment is not a security risk, since the eval is 19 accessing it's own document's informantion. Access via the shell attempts to access 20 the navigated pages document, tripping an access check & throwing a TypeError. 21 1 22 2012-09-26 Emil A Eklund <eae@chromium.org> 2 23 -
trunk/LayoutTests/fast/js/eval-cross-window-expected.txt
r129629 r129712 8 8 PASS: window.eval("x") should be 0 and is. 9 9 PASS: frames[0].eval("x") should be 1 and is. 10 PASS: window.eval("x") should be EvalErrorand is.11 PASS: frames[0].eval("x") should be EvalErrorand is.10 PASS: window.eval("x") should be 1 and is. 11 PASS: frames[0].eval("x") should be undefined and is. 12 12 13 13 ----- Scope Chain for Getters: ----- … … 15 15 PASS: window.eval("xx") should be ReferenceError and is. 16 16 PASS: frames[0].eval("xx") should be ReferenceError and is. 17 PASS: window.eval("xx") should be EvalError and is.18 PASS: frames[0].eval("xx") should be EvalError and is.17 PASS: window.eval("xx") should be ReferenceError and is. 18 PASS: frames[0].eval("xx") should be ReferenceError and is. 19 19 20 20 ----- Variable Object: ----- … … 22 22 PASS: window.eval("var y; "y" in top") should be true and is. 23 23 PASS: frames[0].eval("var y; "y" in top.frames[0]") should be true and is. 24 PASS: window.eval("var y; "y" in top.frames[0]") should be EvalErrorand is.25 PASS: frames[0].eval("var y; "y" in top") should be EvalErrorand is.24 PASS: window.eval("var y; "y" in top.frames[0]") should be undefined and is. 25 PASS: frames[0].eval("var y; "y" in top") should be undefined and is. 26 26 27 27 ----- Scope Chain for Setters: ----- … … 29 29 PASS: window.eval("z = 1; top.z") should be 1 and is. 30 30 PASS: frames[0].eval("z = 2; top.frames[0].z") should be 2 and is. 31 PASS: window.eval("z = 3; top.frames[0].z") should be EvalErrorand is.32 PASS: frames[0].eval("z = 4; top.z") should be EvalErrorand is.31 PASS: window.eval("z = 3; top.frames[0].z") should be undefined and is. 32 PASS: frames[0].eval("z = 4; top.z") should be undefined and is. 33 33 34 34 ----- This Object: ----- … … 36 36 PASS: window.eval("this") should be [object Window] and is. 37 37 PASS: frames[0].eval("this") should be [object Window] and is. 
38 PASS: window.eval("this") should be EvalErrorand is.39 PASS: frames[0].eval("this") should be EvalErrorand is.38 PASS: window.eval("this") should be undefined and is. 39 PASS: frames[0].eval("this") should be undefined and is. 40 40 -
trunk/LayoutTests/fast/js/eval-cross-window.html
r129629 r129712 43 43 44 44 window.eval = frameEval; 45 shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), "EvalError");45 shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), 1); 46 46 window.eval = topEval; 47 47 48 48 frames[0].eval = topEval; 49 shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), "EvalError");49 shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), undefined); 50 50 frames[0].eval = frameEval; 51 51 } … … 59 59 60 60 window.eval = frameEval; 61 shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), " EvalError");61 shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "ReferenceError"); 62 62 window.eval = topEval; 63 63 64 64 frames[0].eval = topEval; 65 shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), " EvalError");65 shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "ReferenceError"); 66 66 frames[0].eval = frameEval; 67 67 } … … 78 78 79 79 window.eval = frameEval; 80 shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), "EvalError");80 shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), undefined); 81 81 delete window.y; 82 82 delete frames[0].y; … … 84 84 85 85 frames[0].eval = topEval; 86 shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), "EvalError");86 
shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), undefined); 87 87 delete window.y; 88 88 delete frames[0].y; … … 100 100 101 101 window.eval = frameEval; 102 shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), "EvalError");102 shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), undefined); 103 103 window.eval = topEval; 104 104 105 105 frames[0].eval = topEval; 106 shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), "EvalError");106 shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), undefined); 107 107 frames[0].eval = frameEval; 108 108 } … … 110 110 function testThis() 111 111 { 112 shouldBe('window.eval("this")', window.eval ("this"), window);113 shouldBe('frames[0].eval("this")', frames[0].eval ("this"), frames[0]);112 shouldBe('window.eval("this")', window.eval.call("wrong", "this"), window); 113 shouldBe('frames[0].eval("this")', frames[0].eval.call("wrong", "this"), frames[0]); 114 114 115 115 window.eval = frameEval; 116 shouldBe('window.eval("this")', (function() { try { window.eval ("this"), frames[0] } catch(e) { return e.name; } })(), "EvalError");116 shouldBe('window.eval("this")', (function() { try { window.eval.call("wrong", "this"), frames[0] } catch(e) { return e.name; } })(), undefined); 117 117 window.eval = topEval; 118 118 119 119 frames[0].eval = topEval; 120 shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval ("this"), window } catch(e) { return e.name; } })(), "EvalError");120 shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval.call("wrong", "this"), window } catch(e) { return 
e.name; } })(), undefined); 121 121 frames[0].eval = frameEval; 122 122 } -
trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt
r129629 r129712 86 86 PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is. 87 87 PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is. 88 PASS: window.eval.call(targetWindow, '1+2'); should be ' EvalError: The "this" value passed to eval must be the global object from which eval originated' and is.88 PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is. 89 89 PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is. 90 90 -
trunk/LayoutTests/http/tests/security/cross-frame-access-call.html
r129629 r129712 58 58 59 59 // Throws an EvalError and logs to the error console 60 shouldBe("window.eval.call(targetWindow, '1+2');", ' "EvalError: The \\"this\\" value passed to eval must be the global object from which eval originated"');60 shouldBe("window.eval.call(targetWindow, '1+2');", '3'); 61 61 62 62 // - Tests for the Location object - -
trunk/LayoutTests/http/tests/security/resources/xss-eval2.html
r129629 r129712 1 1 <script> 2 document.testExpando = "It's me too!"; 3 2 4 parent.childEval = eval; 3 5 -
trunk/LayoutTests/http/tests/security/resources/xss-eval3.html
r129629 r129712 1 1 <script> 2 document.testExpando = "It's me three!"; 3 2 4 parent.postMessage("done", "*"); 3 5 </script> -
trunk/LayoutTests/http/tests/security/xss-eval-expected.txt
r129629 r129712 5 5 If the test passes, you'll see a pass message below. 6 6 7 PASS: eval.call(frames[0], 'document') should be EvalErrorand is.8 PASS: childEval.call(frames[0], 'document') should be EvalErrorand is.9 PASS: childEvalCaller('document') should be TypeError and is.10 PASS: childLocalEvalCaller('document') should be EvalErrorand is.7 PASS: eval.call(frames[0], 'document').testExpando should be It's me! and is. 8 PASS: childEval.call(frames[0], 'document').testExpando should be It's me too! and is. 9 PASS: childEvalCaller('document').testExpando should be TypeError and is. 10 PASS: childLocalEvalCaller('document').testExpando should be It's me too! and is. 11 11 -
trunk/LayoutTests/http/tests/security/xss-eval.html
r129629 r129712 30 30 addEventListener("message", function() 31 31 { 32 (function() { 33 try { 34 var doc = eval.call(frames[0], 'document'); 35 // V8 execute the eval our scope, which is safe. 36 shouldBe("documentFromEval", doc.testExpando, "It's me!") 37 } catch(e) { 38 // JSC throws an exception, which is also safe. 39 shouldBe("eval.call(frames[0], 'document')", e.name, "EvalError"); 40 } 41 })(); 32 shouldBe("eval.call(frames[0], 'document').testExpando", 33 (function() { try { 34 return eval.call(frames[0], 'document').testExpando; 35 } catch(e) { return e.name; } })(), "It's me!") 42 36 43 shouldBe("childEval.call(frames[0], 'document')", (function() { try { return childEval.call(frames[0], 'document'); } catch(e) { return e.name; } })(), "EvalError"); 37 shouldBe("childEval.call(frames[0], 'document').testExpando", 38 (function() { try { 39 return childEval.call(frames[0], 'document').testExpando; 40 } catch(e) { return e.name; } })(), "It's me too!"); 44 41 45 shouldBe("childEvalCaller('document')", (function() { try { return childEvalCaller('document'); } catch(e) { return e.name; } })(), "TypeError"); 42 shouldBe("childEvalCaller('document').testExpando", 43 (function() { try { 44 return childEvalCaller('document').testExpando; 45 } catch(e) { return e.name; } })(), "TypeError"); 46 46 47 shouldBe("childLocalEvalCaller('document')", (function() { try { return childLocalEvalCaller('document'); } catch(e) { return e.name; } })(), "EvalError"); 47 shouldBe("childLocalEvalCaller('document').testExpando", 48 (function() { try { return childLocalEvalCaller('document').testExpando; } catch(e) { return e.name; } })(), "It's me too!"); 48 49 49 50 if (window.testRunner) -
trunk/Source/JavaScriptCore/ChangeLog
r129711 r129712 1 2012-09-26 Gavin Barraclough <barraclough@apple.com> 2 3 REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms 4 https://bugs.webkit.org/show_bug.cgi?id=97529 5 6 Reviewed by Filip Pizlo. 7 8 A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers. 9 10 JSC currently throws an EvalError if you try to call eval with a this object that doesn't 11 match the given eval function. This does not match other browsers, which generally just 12 ignore the this value that was passed, and eval the string in the eval function's environment. 13 14 * runtime/JSGlobalObjectFunctions.cpp: 15 (JSC::globalFuncEval): 16 - Remove EvalError, ignore passed this value. 17 1 18 2012-09-26 Gavin Barraclough <barraclough@apple.com> 2 19 -
trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
r129629 r129712 498 498 EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec) 499 499 { 500 JSObject* thisObject = exec->hostThisValue().toThisObject(exec);501 JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();502 if (thisObject != exec->callee()->globalObject()->globalThis())503 return throwVMError(exec, createEvalError(exec, ASCIILiteral("The \"this\" value passed to eval must be the global object from which eval originated")));504 505 500 JSValue x = exec->argument(0); 506 501 if (!x.isString()) … … 519 514 } 520 515 516 JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject(); 521 517 EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false); 522 518 JSObject* error = eval->compile(exec, calleeGlobalObject); … … 524 520 return throwVMError(exec, error); 525 521 526 return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, calleeGlobalObject));522 return JSValue::encode(exec->interpreter()->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject)); 527 523 } 528 524
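Review bot: In trunk/LayoutTests/ChangeLog, the xss-eval.html entry contrasts access "via the global environment" with access "via the shell" without saying what the shell is, and a reader of a security test needs that to see why one path is safe and the other trips the access check. A few words naming the object would help. The same entry has two typos: "it's own document's informantion" should read "its own document's information".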
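Review bot: In trunk/LayoutTests/fast/js/eval-cross-window.html, most of the swapped-eval cases now expect undefined, but their try blocks have no return, for example try { frames[0].eval("x") } catch(e) { return e.name; }, so the function yields undefined whenever eval does not throw and the check passes whatever eval actually returned. That covers the frames[0].eval("x") case, both "var y" cases, both "z =" cases and both swapped cases in testThis. Only window.eval("x") (expects 1) and the "xx" cases (expect "ReferenceError") return the result. Suggest adding return and asserting the concrete value, so the tests pin down which global the string was evaluated in. In testThis the trailing ", frames[0]" and ", window" inside the comma expressions look like the intended expected values, and the ChangeLog says testThis should verify that this is always the global object, which the swapped cases currently do not do.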
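Review bot: In trunk/LayoutTests/http/tests/security/cross-frame-access-call.html, the unchanged comment on line 59, "Throws an EvalError and logs to the error console", is now wrong, since the assertion below it expects '3'. Please update the comment to say that the passed this value is ignored and the string is evaluated in the eval function's own global, so the next reader does not take the '3' for a cross-frame leak.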
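Review bot: In trunk/LayoutTests/http/tests/security/xss-eval.html, the removed block carried the only comments explaining why each outcome is safe, and the new assertions have none. A short comment above each case would keep that reasoning in the test, in particular why childEvalCaller('document').testExpando must still produce "TypeError" while the other three return a testExpando string, because that case is the one that shows the access check firing. Style: the first shouldBe(...) call ends with "It's me!") and no semicolon, unlike the three that follow.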
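Review bot: In trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp, globalFuncEval no longer reads exec->hostThisValue() at all, and nothing in the function says this is deliberate. Since the removed check was the visible guard here, please add a one-line comment at the execute call stating that the caller's this is ignored on purpose and that both the this value (calleeGlobalObject->globalThis()) and the scope come from the callee's global object, so a later change does not reintroduce the passed this value into the execute call.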