Context Navigation

← Previous Changeset
Next Changeset →

Changeset 196628 in webkit

Timestamp:

Feb 16, 2016 12:11:47 AM (8 years ago)

Author:

Chris Dumez

Message:

Do security checks early in JSDOMWindow::put*()
https://bugs.webkit.org/show_bug.cgi?id=154270

Reviewed by Gavin Barraclough.

Source/WebCore:

Do security checks early in JSDOMWindow::put() / JSDOMWindow::putByIndex()
and return as soon as possible. This makes it less error-prone as we need
to do the security check only once, at the top of the function.

Also lock down the security further by calling lookupPut() only if the
property name is "location". The "location" property is the only one that
can be set cross-origin. Previously, trying to set a property such as
"name" (which cannot be set cross-origin) relied on the attribute setter
doing the security check when getting called. The new check is less error
prone and will correctly prevent overriding window's method cross-origin
once these move down from the prototype (Bug 154120).

Finally, the previous code was failing to set the "location" property
cross-origin after the window has been reified. This patch fixes the
issue by always calling the original "location" property setter from the
static table in the cross-origin case.

Test: http/tests/security/cross-origin-reified-window-location-setting.html

bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::put):
(WebCore::JSDOMWindow::putByIndex):

LayoutTests:

http/tests/security/cross-frame-access-put-expected.txt:

Rebaseline. The extra security warnings are for the following properties:
closed, crypto, frameElement, pageXOffset and pageYOffset.
All these properties are read-only and therefore cannot be set (cross-origin
or not). The previous code was not doing an explicit check and ended up
trying to set these properties. However, since they are read-only, we would
silently fail to set them. The new code does the explicit check and therefore
will warn and NOT attempt to set.

http/tests/security/cross-origin-reified-window-location-setting-expected.txt: Added.
http/tests/security/cross-origin-reified-window-location-setting.html: Added.

Add test to check that setting window.location cross-origin still works after the
window object has been reified.

Location:

trunk

Files:

: 2 added
: 4 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/http/tests/security/cross-frame-access-put-expected.txt (modified) (3 diffs)
LayoutTests/http/tests/security/cross-origin-reified-window-location-setting-expected.txt (added)
LayoutTests/http/tests/security/cross-origin-reified-window-location-setting.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r196625
+                      r196628
+-02-16  Chris Dumez  <cdumez@apple.com>
+        Do security checks early in JSDOMWindow::put*()
+        https://bugs.webkit.org/show_bug.cgi?id=154270
+        Reviewed by Gavin Barraclough.
+        * http/tests/security/cross-frame-access-put-expected.txt:
+        Rebaseline. The extra security warnings are for the following properties:
+        closed, crypto, frameElement, pageXOffset and pageYOffset.
+        All these properties are read-only and therefore cannot be set (cross-origin
+        or not). The previous code was not doing an explicit check and ended up
+        trying to set these properties. However, since they are read-only, we would
+        silently fail to set them. The new code does the explicit check and therefore
+        will warn and NOT attempt to set.
+        * http/tests/security/cross-origin-reified-window-location-setting-expected.txt: Added.
+        * http/tests/security/cross-origin-reified-window-location-setting.html: Added.
+        Add test to check that setting window.location cross-origin still works after the
+        window object has been reified.
 -02-15  Mark Lam  <mark.lam@apple.com>

trunk/LayoutTests/http/tests/security/cross-frame-access-put-expected.txt

-                      r196392
+                      r196628
 CONSOLE MESSAGE: line 122: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 131: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 132: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 133: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 134: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 135: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 136: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 …
 CONSOLE MESSAGE: line 139: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 140: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 141: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 142: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 143: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 …
 CONSOLE MESSAGE: line 179: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 180: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 181: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 182: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 183: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: line 184: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.

trunk/Source/WebCore/ChangeLog

-                      r196622
+                      r196628
+-02-16  Chris Dumez  <cdumez@apple.com>
+        Do security checks early in JSDOMWindow::put*()
+        https://bugs.webkit.org/show_bug.cgi?id=154270
+        Reviewed by Gavin Barraclough.
+        Do security checks early in JSDOMWindow::put() / JSDOMWindow::putByIndex()
+        and return as soon as possible. This makes it less error-prone as we need
+        to do the security check only once, at the top of the function.
+        Also lock down the security further by calling lookupPut() only if the
+        property name is "location". The "location" property is the only one that
+        can be set cross-origin. Previously, trying to set a property such as
+        "name" (which cannot be set cross-origin) relied on the attribute setter
+        doing the security check when getting called. The new check is less error
+        prone and will correctly prevent overriding window's method cross-origin
+        once these move down from the prototype (Bug 154120).
+        Finally, the previous code was failing to set the "location" property
+        cross-origin after the window has been reified. This patch fixes the
+        issue by always calling the original "location" property setter from the
+        static table in the cross-origin case.
+        Test: http/tests/security/cross-origin-reified-window-location-setting.html
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::put):
+        (WebCore::JSDOMWindow::putByIndex):
 -02-15  Brent Fulgham  <bfulgham@apple.com>

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

-                      r196583
+                      r196628
 void JSDOMWindow::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
+    auto* thisObject = jsCast<JSDOMWindow*>(cell);
     if (!thisObject->wrapped().frame())
         return;
+    String errorMessage;
+    if (!shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), errorMessage)) {
+        // We only allow setting "location" attribute cross-origin.
+        if (propertyName == exec->propertyNames().location)
+            lookupPut(exec, propertyName, thisObject, value, *s_info.staticPropHashTable, slot);
+        else
+            thisObject->printErrorMessage(errorMessage);
+        return;
+    }
     // Optimization: access JavaScript global variables directly before involving the DOM.
     if (thisObject->JSGlobalObject::hasOwnPropertyForWrite(exec, propertyName)) {
+        if (BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+            JSGlobalObject::put(thisObject, exec, propertyName, value, slot);
+        JSGlobalObject::put(thisObject, exec, propertyName, value, slot);
         return;
+    }
 …
+    }
+    if (BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+        Base::put(thisObject, exec, propertyName, value, slot);
+    Base::put(thisObject, exec, propertyName, value, slot);
+}
 void JSDOMWindow::putByIndex(JSCell* cell, ExecState* exec, unsigned index, JSValue value, bool shouldThrow)
+{
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
     if (!thisObject->wrapped().frame())
+    auto* thisObject = jsCast<JSDOMWindow*>(cell);
+    if (!thisObject->wrapped().frame() || !BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
         return;
-    Identifier propertyName = Identifier::from(exec, index);
     // Optimization: access JavaScript global variables directly before involving the DOM.
+    if (thisObject->JSGlobalObject::hasOwnPropertyForWrite(exec, propertyName)) {
+        if (BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+            JSGlobalObject::putByIndex(thisObject, exec, index, value, shouldThrow);
+    if (thisObject->JSGlobalObject::hasOwnPropertyForWrite(exec, Identifier::from(exec, index))) {
+        JSGlobalObject::putByIndex(thisObject, exec, index, value, shouldThrow);
         return;
+    }
+    if (BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped()))
+        Base::putByIndex(thisObject, exec, index, value, shouldThrow);
+    Base::putByIndex(thisObject, exec, index, value, shouldThrow);
+}

Note: See TracChangeset for help on using the changeset viewer.