Changeset 86100 in webkit


Timestamp:
May 9, 2011 4:05:54 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-05-09 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP should block Function constructor
https://bugs.webkit.org/show_bug.cgi?id=60240

Test that the function constructor is properly blocked.

  • http/tests/security/contentSecurityPolicy/function-constructor-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/function-constructor-allowed.html: Added.
  • http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/function-constructor-blocked.html: Added.
  • platform/chromium/test_expectations.txt:

2011-05-09 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP should block Function constructor
https://bugs.webkit.org/show_bug.cgi?id=60240

When eval is disabled, we need to block the use of the function
constructor. However, the WebCore JSC bindings call the function
constructor directly to create inline event listeners. To support that
use, this patch adds an entrypoint that bypasses the check for whether
eval is enabled.

  • JavaScriptCore.exp:
  • JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
  • runtime/FunctionConstructor.cpp: (JSC::constructFunction): (JSC::constructFunctionSkippingEvalEnabledCheck):
  • runtime/FunctionConstructor.h:

2011-05-09 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP should block Function constructor
https://bugs.webkit.org/show_bug.cgi?id=60240

Tests: http/tests/security/contentSecurityPolicy/function-constructor-allowed.html
       http/tests/security/contentSecurityPolicy/function-constructor-blocked.html

  • bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::initializeJSFunction):
    • Update call site to the new entrypoint.
  • bindings/v8/V8LazyEventListener.cpp: (WebCore::V8LazyEventListener::prepareListenerObject):
    • Add some comments about the ridiculousness of this implementation.
Location:
trunk
Files:
5 added
9 edited

  • trunk/LayoutTests/ChangeLog

    r86096 r86100  
     12011-05-09  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP should block Function constructor
     6        https://bugs.webkit.org/show_bug.cgi?id=60240
     7
     8        Test that the function constructor is properly blocked.
     9
     10        * http/tests/security/contentSecurityPolicy/function-constructor-allowed-expected.txt: Added.
     11        * http/tests/security/contentSecurityPolicy/function-constructor-allowed.html: Added.
     12        * http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt: Added.
     13        * http/tests/security/contentSecurityPolicy/function-constructor-blocked.html: Added.
     14        * platform/chromium/test_expectations.txt:
     15
    1162011-05-09  Robert Hogan  <robert@webkit.org>
    217
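Review bot: the entry for `platform/chromium/test_expectations.txt` (line 14) has no description of what changed or why. Since the V8 side of this changeset is comment-only (see the WebCore ChangeLog: "Add some comments about ... this implementation"), state here which of the four new tests is expected to fail on Chromium and link the bug tracking the V8 equivalent of the check, so the expectation is not left as an unexplained suppression.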
  • trunk/Source/JavaScriptCore/ChangeLog

    r86056 r86100  
     12011-05-09  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP should block Function constructor
     6        https://bugs.webkit.org/show_bug.cgi?id=60240
     7
     8        When eval is disabled, we need to block the use of the function
     9        constructor.  However, the WebCore JSC bindings call the function
     10        constructor directly to create inline event listeners.  To support that
     11        use, this patch adds an entrypoint that bypasses the check for whether
     12        eval is enabled.
     13
     14        * JavaScriptCore.exp:
     15        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
     16        * runtime/FunctionConstructor.cpp:
     17        (JSC::constructFunction):
     18        (JSC::constructFunctionSkippingEvalEnabledCheck):
     19        * runtime/FunctionConstructor.h:
     20
    1212011-05-09  Adam Roben  <aroben@apple.com>
    222
  • trunk/Source/JavaScriptCore/JavaScriptCore.exp

    r85700 r86100  
    215215__ZN3JSC25evaluateInGlobalCallFrameERKNS_7UStringERNS_7JSValueEPNS_14JSGlobalObjectE
    216216__ZN3JSC35createInterruptedExecutionExceptionEPNS_12JSGlobalDataE
     217__ZN3JSC41constructFunctionSkippingEvalEnabledCheckEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKNS_7UStringEi
    217218__ZN3JSC3NaNE
    218219__ZN3JSC4Heap16activityCallbackEv
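Review bot: exporting `constructFunctionSkippingEvalEnabledCheck` (line 217) turns the unchecked entrypoint into part of the JSC interface visible to every embedder, while the ChangeLog names a single intended caller (the WebCore JSC lazy event listener binding). The name makes the bypass obvious, which is good, but the header it is declared in should say that this variant exists only for bindings that compile inline event handlers and that script-reachable paths must keep going through `constructFunction`.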
  • trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def

    r85700 r86100  
    9696    ?constructEmptyObject@JSC@@YAPAVJSObject@1@PAVExecState@1@@Z
    9797    ?constructFunction@JSC@@YAPAVJSObject@1@PAVExecState@1@PAVJSGlobalObject@1@ABVArgList@1@ABVIdentifier@1@ABVUString@1@H@Z
     98    ?constructFunctionSkippingEvalEnabledCheck@JSC@@YAPAVJSObject@1@PAVExecState@1@PAVJSGlobalObject@1@ABVArgList@1@ABVIdentifier@1@ABVUString@1@H@Z
    9899    ?convertUTF16ToUTF8@Unicode@WTF@@YA?AW4ConversionResult@12@PAPB_WPB_WPAPADPAD_N@Z
    99100    ?convertUTF8ToUTF16@Unicode@WTF@@YA?AW4ConversionResult@12@PAPBDPBDPAPA_WPA_W_N@Z
  • trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp

    r84052 r86100  
    7575JSObject* constructFunction(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, const Identifier& functionName, const UString& sourceURL, int lineNumber)
    7676{
     77    if (!globalObject->isEvalEnabled())
     78        return throwError(exec, createEvalError(exec, "Function constructor is disabled"));
     79    return constructFunctionSkippingEvalEnabledCheck(exec, globalObject, args, functionName, sourceURL, lineNumber);
     80}
     81
     82JSObject* constructFunctionSkippingEvalEnabledCheck(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, const Identifier& functionName, const UString& sourceURL, int lineNumber)
     83{
    7784    // Functions need to have a space following the opening { due to for web compatibility
    7885    // see https://bugs.webkit.org/show_bug.cgi?id=24350
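Review bot: the split at lines 77-83 is the right shape (checked wrapper in front of an unchecked worker), and the check is made on the `globalObject` argument rather than on `exec`, so callers decide whose eval policy applies; that deserves a one-line comment on `constructFunction`, since the caller in JSLazyEventListener passes `exec->lexicalGlobalObject()` and a future caller could pass a different global by mistake. Two smaller points: the error text "Function constructor is disabled" should match the wording used when `eval` itself is refused so tests and developers see one consistent message, and the pre-existing comment on line 84 ("due to for web compatibility") could be fixed to "for web compatibility" while this function is being touched.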
  • trunk/Source/JavaScriptCore/runtime/FunctionConstructor.h

    r84052 r86100  
    4040    JSObject* constructFunction(ExecState*, JSGlobalObject*, const ArgList&);
    4141
     42    JSObject* constructFunctionSkippingEvalEnabledCheck(ExecState*, JSGlobalObject*, const ArgList&, const Identifier&, const UString&, int lineNumber);
     43
    4244} // namespace JSC
    4345
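Review bot: the new declaration on line 42 carries no comment explaining when it is legitimate to skip the eval-enabled check; a reader of this header sees an unchecked sibling of `constructFunction` with nothing to stop them picking it. Suggest a comment such as "Used by bindings that compile inline event handler attributes; do not call from paths reachable by `new Function(...)`." Also worth confirming that the three-argument `constructFunction` overload on line 40, which this patch does not touch, still routes through the checking six-argument variant rather than the new one, so that script cannot sidestep the check via the short form.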
  • trunk/Source/WebCore/ChangeLog

    r86099 r86100  
     12011-05-09  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP should block Function constructor
     6        https://bugs.webkit.org/show_bug.cgi?id=60240
     7
     8        Tests: http/tests/security/contentSecurityPolicy/function-constructor-allowed.html
     9               http/tests/security/contentSecurityPolicy/function-constructor-blocked.html
     10
     11        * bindings/js/JSLazyEventListener.cpp:
     12        (WebCore::JSLazyEventListener::initializeJSFunction):
     13            - Update call site to the new entrypoint.
     14        * bindings/v8/V8LazyEventListener.cpp:
     15        (WebCore::V8LazyEventListener::prepareListenerObject):
     16            - Add some comments about the rediculousness of this implementation.
     17
    1182011-05-09  Chris Rogers  <crogers@google.com>
    219
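Review bot: spelling on line 16, "rediculousness" should be "ridiculousness". Beyond that, the entry for `V8LazyEventListener.cpp` describes only added comments; it would help to state explicitly that the V8 binding does not gain an eval-enabled check in this changeset, so the asymmetry between the JSC and V8 paths is recorded where someone reading the log will find it.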
  • trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

    r82173 r86100  
    9898    args.append(jsString(exec, m_code));
    9999
    100     JSObject* jsFunction = constructFunction(exec, exec->lexicalGlobalObject(), args, Identifier(exec, stringToUString(m_functionName)), stringToUString(m_sourceURL), m_lineNumber); // FIXME: is globalExec ok?
     100    JSObject* jsFunction = constructFunctionSkippingEvalEnabledCheck(exec, exec->lexicalGlobalObject(), args, Identifier(exec, stringToUString(m_functionName)), stringToUString(m_sourceURL), m_lineNumber); // FIXME: is globalExec ok?
    101101    if (exec->hadException()) {
    102102        exec->clearException();
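Review bot: the call site on line 100 now names a function that announces it skips a security check, but the only rationale (inline event handlers are compiled through the Function constructor, and the CSP eval restriction is not meant to apply to them) lives in the JavaScriptCore ChangeLog. Put a short comment next to the call saying why the bypass is intentional here, otherwise the next person to audit this binding has to reconstruct it. The existing "FIXME: is globalExec ok?" is carried over unchanged; since the global object passed here is now also the one whose eval policy is consulted, that FIXME is more pressing than before and could be linked to a bug.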
  • trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp

    r82147 r86100  
    101101    // FIXME: cache the wrapper function.
    102102
    103     // Nodes other than the document object, when executing inline event handlers push document, form, and the target node on the scope chain.
     103    // Nodes other than the document object, when executing inline event
     104    // handlers push document, form, and the target node on the scope chain.
    104105    // We do this by using 'with' statement.
    105106    // See chrome/fast/forms/form-action.html
     
    109110    // Don't use new lines so that lines in the modified handler
    110111    // have the same numbers as in the original code.
     112    // FIXME: What about m_eventParameterName from JSLazyEventListener?
     113    // FIXME: This approach is a giant hack! What if m_code escapes to run
     114    //        arbitrary script?
    111115    String code = "(function (evt) {" \
    112116            "with (this.ownerDocument ? this.ownerDocument : {}) {" \
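Review bot: the new FIXME on lines 113-114 raises a real concern (the handler source is assembled by string concatenation starting at line 115, so the wrapper offers no isolation for `m_code`), but it is left unanchored; reference the bug tracking it so it does not sit indefinitely. The FIXME on line 112 about `m_eventParameterName` likewise names a divergence from `JSLazyEventListener` without saying whether it is a bug or intentional. Since this hunk changes only comments, it would also help to note in this block that the eval-enabled check added on the JSC side has no V8 counterpart yet, which is presumably what the Chromium test expectation change is covering.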