Changeset 48619 in webkit

Timestamp:

Sep 21, 2009 10:08:37 PM (15 years ago)

Author:

abarth@webkit.org

Message:

2009-09-21 Adam Barth <​abarth@webkit.org>

Reviewed by Sam Weinig.

Don't re-enter JavaScript after performing access checks
​https://bugs.webkit.org/show_bug.cgi?id=29531

Moved the access check slightly later in this functions to avoid
re-entering the JavaScript interpreter (typically via toString)
after performing the access check.

I can't really think of a meaningful test for this change. It's more
security hygiene.

• bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::setLocation): (WebCore::JSDOMWindow::open): (WebCore::JSDOMWindow::showModalDialog):
• bindings/js/JSLocationCustom.cpp: (WebCore::JSLocation::setHref): (WebCore::JSLocation::replace): (WebCore::JSLocation::assign):
• bindings/v8/custom/V8DOMWindowCustom.cpp: (WebCore::V8Custom::WindowSetTimeoutImpl): (WebCore::if): (CALLBACK_FUNC_DECL): (V8Custom::WindowSetLocation): (V8Custom::ClearTimeoutImpl):
• bindings/v8/custom/V8LocationCustom.cpp: (WebCore::ACCESSOR_SETTER): (WebCore::CALLBACK_FUNC_DECL):

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• bindings/js/JSDOMWindowCustom.cpp (modified) (6 diffs)
• bindings/js/JSLocationCustom.cpp (modified) (3 diffs)
• bindings/v8/custom/V8DOMWindowCustom.cpp (modified) (16 diffs)
• bindings/v8/custom/V8LocationCustom.cpp (modified) (3 diffs)

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-09-21  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Sam Weinig.
+
+        Don't re-enter JavaScript after performing access checks
+        https://bugs.webkit.org/show_bug.cgi?id=29531
+
+        Moved the access check slightly later in this functions to avoid
+        re-entering the JavaScript interpreter (typically via toString)
+        after performing the access check.
+
+        I can't really think of a meaningful test for this change.  It's more
+        security hygiene.
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::setLocation):
+        (WebCore::JSDOMWindow::open):
+        (WebCore::JSDOMWindow::showModalDialog):
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::setHref):
+        (WebCore::JSLocation::replace):
+        (WebCore::JSLocation::assign):
+        * bindings/v8/custom/V8DOMWindowCustom.cpp:
+        (WebCore::V8Custom::WindowSetTimeoutImpl):
+        (WebCore::if):
+        (CALLBACK_FUNC_DECL):
+        (V8Custom::WindowSetLocation):
+        (V8Custom::ClearTimeoutImpl):
+        * bindings/v8/custom/V8LocationCustom.cpp:
+        (WebCore::ACCESSOR_SETTER):
+        (WebCore::CALLBACK_FUNC_DECL):
+
 2009-09-21  Dumitru Daniliuc  <dumi@chromium.org>
 

trunk/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -581 +581 @@
     ASSERT(frame);
 
-    if (!shouldAllowNavigation(exec, frame))
-        return;
-
     KURL url = completeURL(exec, value.toString(exec));
     if (url.isNull())
+        return;
+
+    if (!shouldAllowNavigation(exec, frame))
         return;
 
@@ -782 +782 @@
 JSValue JSDOMWindow::open(ExecState* exec, const ArgList& args)
 {
+    String urlString = valueToStringWithUndefinedOrNullCheck(exec, args.at(0));
+    AtomicString frameName = args.at(1).isUndefinedOrNull() ? "_blank" : AtomicString(args.at(1).toString(exec));
+    WindowFeatures windowFeatures(valueToStringWithUndefinedOrNullCheck(exec, args.at(2)));
+
     Frame* frame = impl()->frame();
     if (!frame)
@@ -793 +797 @@
 
     Page* page = frame->page();
-
-    String urlString = valueToStringWithUndefinedOrNullCheck(exec, args.at(0));
-    AtomicString frameName = args.at(1).isUndefinedOrNull() ? "_blank" : AtomicString(args.at(1).toString(exec));
 
     // Because FrameTree::find() returns true for empty strings, we must check for empty framenames.
@@ -814 +815 @@
     }
     if (topOrParent) {
-        if (!shouldAllowNavigation(exec, frame))
-            return jsUndefined();
-
         String completedURL;
         if (!urlString.isEmpty())
             completedURL = completeURL(exec, urlString).string();
+
+        if (!shouldAllowNavigation(exec, frame))
+            return jsUndefined();
 
         const JSDOMWindow* targetedWindow = toJSDOMWindow(frame);
@@ -836 +837 @@
 
     // In the case of a named frame or a new window, we'll use the createWindow() helper
-    WindowFeatures windowFeatures(valueToStringWithUndefinedOrNullCheck(exec, args.at(2)));
     FloatRect windowRect(windowFeatures.xSet ? windowFeatures.x : 0, windowFeatures.ySet ? windowFeatures.y : 0,
                          windowFeatures.widthSet ? windowFeatures.width : 0, windowFeatures.heightSet ? windowFeatures.height : 0);
@@ -856 +856 @@
 JSValue JSDOMWindow::showModalDialog(ExecState* exec, const ArgList& args)
 {
-    Frame* frame = impl()->frame();
-    if (!frame)
-        return jsUndefined();
-    Frame* lexicalFrame = toLexicalFrame(exec);
-    if (!lexicalFrame)
-        return jsUndefined();
-    Frame* dynamicFrame = toDynamicFrame(exec);
-    if (!dynamicFrame)
-        return jsUndefined();
-
-    if (!DOMWindow::canShowModalDialogNow(frame) || !DOMWindow::allowPopUp(dynamicFrame))
-        return jsUndefined();
-
     String url = valueToStringWithUndefinedOrNullCheck(exec, args.at(0));
     JSValue dialogArgs = args.at(1);
     String featureArgs = valueToStringWithUndefinedOrNullCheck(exec, args.at(2));
+
+    Frame* frame = impl()->frame();
+    if (!frame)
+        return jsUndefined();
+    Frame* lexicalFrame = toLexicalFrame(exec);
+    if (!lexicalFrame)
+        return jsUndefined();
+    Frame* dynamicFrame = toDynamicFrame(exec);
+    if (!dynamicFrame)
+        return jsUndefined();
+
+    if (!DOMWindow::canShowModalDialogNow(frame) || !DOMWindow::allowPopUp(dynamicFrame))
+        return jsUndefined();
 
     HashMap<String, String> features;

trunk/WebCore/bindings/js/JSLocationCustom.cpp

@@ -205 +205 @@
     ASSERT(frame);
 
-    if (!shouldAllowNavigation(exec, frame))
-        return;
-
     KURL url = completeURL(exec, value.toString(exec));
     if (url.isNull())
+        return;
+
+    if (!shouldAllowNavigation(exec, frame))
         return;
 
@@ -309 +309 @@
         return jsUndefined();
 
-    if (!shouldAllowNavigation(exec, frame))
-        return jsUndefined();
-
     KURL url = completeURL(exec, args.at(0).toString(exec));
     if (url.isNull())
+        return jsUndefined();
+
+    if (!shouldAllowNavigation(exec, frame))
         return jsUndefined();
 
@@ -337 +337 @@
         return jsUndefined();
 
-    if (!shouldAllowNavigation(exec, frame))
-        return jsUndefined();
-
     KURL url = completeURL(exec, args.at(0).toString(exec));
     if (url.isNull())
         return jsUndefined();
 
+    if (!shouldAllowNavigation(exec, frame))
+        return jsUndefined();
+
     // We want a new history item if this JS was called via a user gesture
     navigateIfAllowed(exec, frame, url, !frame->script()->anyPageIsProcessingUserGesture(), false);

trunk/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp

@@ -66 +66 @@
         return v8::Undefined();
 
-    DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
-
-    if (!V8Proxy::canAccessFrame(imp->frame(), true))
-        return v8::Undefined();
-
-    ScriptExecutionContext* scriptContext = static_cast<ScriptExecutionContext*>(imp->document());
-
-    if (!scriptContext)
-        return v8::Undefined();
-
     v8::Handle<v8::Value> function = args[0];
+
+    WebCore::String functionString;
+    if (!function->IsFunction())
+        functionString = function->IsString() ? 
+            toWebCoreString(function) : toWebCoreString(function->ToString());
+
+        // Bail out if string conversion failed.
+        if (functionString.IsEmpty())
+            return v8::Undefined();
+
+        // Don't allow setting timeouts to run empty functions!
+        // (Bug 1009597)
+        if (functionString.length() == 0)
+            return v8::Undefined();
+    }
 
     int32_t timeout = 0;
     if (argumentCount >= 2)
         timeout = args[1]->Int32Value();
+
+    DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
+
+    if (!V8Proxy::canAccessFrame(imp->frame(), true))
+        return v8::Undefined();
+
+    ScriptExecutionContext* scriptContext = static_cast<ScriptExecutionContext*>(imp->document());
+
+    if (!scriptContext)
+        return v8::Undefined();
 
     int id;
@@ -100 +115 @@
         id = DOMTimer::install(scriptContext, action, timeout, singleShot);
     } else {
-        if (!function->IsString()) {
-            function = function->ToString();
-            // Bail out if string conversion failed.
-            if (function.IsEmpty())
-                return v8::Undefined();
-        }
-
-        WebCore::String functionString = toWebCoreString(function);
-
-        // Don't allow setting timeouts to run empty functions!
-        // (Bug 1009597)
-        if (functionString.length() == 0)
-            return v8::Undefined();
-
         id = DOMTimer::install(scriptContext, new ScheduledAction(V8Proxy::context(imp->frame()), functionString), timeout, singleShot);
     }
@@ -228 +229 @@
 {
     INC_STATS("DOM.DOMWindow.addEventListener()");
+
+    String eventType = toWebCoreString(args[0]);
+    bool useCapture = args[2]->BooleanValue();
+
     DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
 
@@ -245 +250 @@
     RefPtr<EventListener> listener = proxy->eventListeners()->findOrCreateWrapper<V8EventListener>(proxy->frame(), args[1], false);
 
-    if (listener) {
-        String eventType = toWebCoreString(args[0]);
-        bool useCapture = args[2]->BooleanValue();
+    if (listener)
         imp->addEventListener(eventType, listener, useCapture);
-    }
 
     return v8::Undefined();
@@ -258 +260 @@
 {
     INC_STATS("DOM.DOMWindow.removeEventListener()");
+
+    String eventType = toWebCoreString(args[0]);
+    bool useCapture = args[2]->BooleanValue();
+
     DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
 
@@ -274 +280 @@
     RefPtr<EventListener> listener = proxy->eventListeners()->findWrapper(args[1], false);
 
-    if (listener) {
-        String eventType = toWebCoreString(args[0]);
-        bool useCapture = args[2]->BooleanValue();
+    if (listener)
         imp->removeEventListener(eventType, listener.get(), useCapture);
-    }
 
     return v8::Undefined();
@@ -319 +322 @@
 {
     INC_STATS("DOM.DOMWindow.atob()");
+
+    if (args[0]->IsNull())
+        return v8String("");
+    String str = toWebCoreString(args[0]);
+
     DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
 
@@ -327 +335 @@
         return throwError("Not enough arguments", V8Proxy::SyntaxError);
 
+    return convertBase64(str, false);
+}
+
+CALLBACK_FUNC_DECL(DOMWindowBtoa)
+{
+    INC_STATS("DOM.DOMWindow.btoa()");
+
     if (args[0]->IsNull())
         return v8String("");
-
     String str = toWebCoreString(args[0]);
-    return convertBase64(str, false);
-}
-
-CALLBACK_FUNC_DECL(DOMWindowBtoa)
-{
-    INC_STATS("DOM.DOMWindow.btoa()");
+
     DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
 
@@ -345 +354 @@
         return throwError("Not enough arguments", V8Proxy::SyntaxError);
 
-    if (args[0]->IsNull())
-        return v8String("");
-
-    String str = toWebCoreString(args[0]);
     return convertBase64(str, true);
 }
@@ -564 +569 @@
 {
     INC_STATS("DOM.DOMWindow.showModalDialog()");
+
+    String url = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
+    v8::Local<v8::Value> dialogArgs = args[1];
+    String featureArgs = toWebCoreStringWithNullOrUndefinedCheck(args[2]);
+
     DOMWindow* window = V8DOMWrapper::convertToNativeObject<DOMWindow>(
         V8ClassIndex::DOMWINDOW, args.Holder());
@@ -581 +591 @@
     if (!canShowModalDialogNow(frame) || !allowPopUp())
         return v8::Undefined();
-
-    String url = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
-    v8::Local<v8::Value> dialogArgs = args[1];
-    String featureArgs = toWebCoreStringWithNullOrUndefinedCheck(args[2]);
 
     const HashMap<String, String> features = parseModalDialogFeatures(featureArgs);
@@ -653 +659 @@
 {
     INC_STATS("DOM.DOMWindow.open()");
+
+    String urlString = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
+    AtomicString frameName = (args[1]->IsUndefined() || args[1]->IsNull()) ? "_blank" : AtomicString(toWebCoreString(args[1]));
+
     DOMWindow* parent = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, args.Holder());
     Frame* frame = parent->frame();
@@ -670 +680 @@
     if (!page)
         return v8::Undefined();
-
-    String urlString = toWebCoreStringWithNullOrUndefinedCheck(args[0]);
-    AtomicString frameName = (args[1]->IsUndefined() || args[1]->IsNull()) ? "_blank" : AtomicString(toWebCoreString(args[1]));
 
     // Because FrameTree::find() returns true for empty strings, we must check
@@ -849 +856 @@
         return;
 
-    if (!shouldAllowNavigation(frame))
-        return;
-
     KURL url = completeURL(relativeURL);
     if (url.isNull())
         return;
 
+    if (!shouldAllowNavigation(frame))
+        return;
+
     navigateIfAllowed(frame, url, false, false);
 }
@@ -876 +883 @@
 void V8Custom::ClearTimeoutImpl(const v8::Arguments& args)
 {
+    int handle = toInt32(args[0]);
+
     v8::Handle<v8::Object> holder = args.Holder();
     DOMWindow* imp = V8DOMWrapper::convertToNativeObject<DOMWindow>(V8ClassIndex::DOMWINDOW, holder);
@@ -883 +892 @@
     if (!context)
         return;
-    int handle = toInt32(args[0]);
     DOMTimer::removeById(context, handle);
 }

trunk/WebCore/bindings/v8/custom/V8LocationCustom.cpp

@@ -129 +129 @@
         return;
 
-    if (!shouldAllowNavigation(frame))
-        return;
-
     KURL url = completeURL(toWebCoreString(value));
     if (url.isNull())
+        return;
+
+    if (!shouldAllowNavigation(frame))
         return;
 
@@ -289 +289 @@
         return v8::Undefined();
 
-    if (!shouldAllowNavigation(frame))
-        return v8::Undefined();
-
     KURL url = completeURL(toWebCoreString(args[0]));
     if (url.isNull())
         return v8::Undefined();
 
+    if (!shouldAllowNavigation(frame))
+        return v8::Undefined();
+
     navigateIfAllowed(frame, url, true, true);
     return v8::Undefined();
@@ -310 +310 @@
         return v8::Undefined();
 
-    if (!shouldAllowNavigation(frame))
-        return v8::Undefined();
-
     KURL url = completeURL(toWebCoreString(args[0]));
     if (url.isNull())
+        return v8::Undefined();
+
+    if (!shouldAllowNavigation(frame))
         return v8::Undefined();