Changeset 86100 in webkit
- Timestamp:
- May 9, 2011 4:05:54 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 5 added
- 9 edited
trunk/LayoutTests/ChangeLog
r86096 r86100 1 2011-05-09 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP should block Function constructor 6 https://bugs.webkit.org/show_bug.cgi?id=60240 7 8 Test that the function constructor is properly blocked. 9 10 * http/tests/security/contentSecurityPolicy/function-constructor-allowed-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/function-constructor-allowed.html: Added. 12 * http/tests/security/contentSecurityPolicy/function-constructor-blocked-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/function-constructor-blocked.html: Added. 14 * platform/chromium/test_expectations.txt: 15 1 16 2011-05-09 Robert Hogan <robert@webkit.org> 2 17 -
trunk/Source/JavaScriptCore/ChangeLog
r86056 r86100 1 2011-05-09 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP should block Function constructor 6 https://bugs.webkit.org/show_bug.cgi?id=60240 7 8 When eval is disabled, we need to block the use of the function 9 constructor. However, the WebCore JSC bindings call the function 10 constructor directly to create inline event listeners. To support that 11 use, this patch adds an entrypoint that bypasses the check for whether 12 eval is enabled. 13 14 * JavaScriptCore.exp: 15 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: 16 * runtime/FunctionConstructor.cpp: 17 (JSC::constructFunction): 18 (JSC::constructFunctionSkippingEvalEnabledCheck): 19 * runtime/FunctionConstructor.h: 20 1 21 2011-05-09 Adam Roben <aroben@apple.com> 2 22 -
trunk/Source/JavaScriptCore/JavaScriptCore.exp
r85700 r86100 215 215 __ZN3JSC25evaluateInGlobalCallFrameERKNS_7UStringERNS_7JSValueEPNS_14JSGlobalObjectE 216 216 __ZN3JSC35createInterruptedExecutionExceptionEPNS_12JSGlobalDataE 217 __ZN3JSC41constructFunctionSkippingEvalEnabledCheckEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKNS_7UStringEi 217 218 __ZN3JSC3NaNE 218 219 __ZN3JSC4Heap16activityCallbackEv -
trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def
r85700 r86100 96 96 ?constructEmptyObject@JSC@@YAPAVJSObject@1@PAVExecState@1@@Z 97 97 ?constructFunction@JSC@@YAPAVJSObject@1@PAVExecState@1@PAVJSGlobalObject@1@ABVArgList@1@ABVIdentifier@1@ABVUString@1@H@Z 98 ?constructFunctionSkippingEvalEnabledCheck@JSC@@YAPAVJSObject@1@PAVExecState@1@PAVJSGlobalObject@1@ABVArgList@1@ABVIdentifier@1@ABVUString@1@H@Z 98 99 ?convertUTF16ToUTF8@Unicode@WTF@@YA?AW4ConversionResult@12@PAPB_WPB_WPAPADPAD_N@Z 99 100 ?convertUTF8ToUTF16@Unicode@WTF@@YA?AW4ConversionResult@12@PAPBDPBDPAPA_WPA_W_N@Z -
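--- a/trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp
@@ -75,4 +75,11 @@
 JSObject* constructFunction(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, const Identifier& functionName, const UString& sourceURL, int lineNumber)
 {
+    if (!globalObject->isEvalEnabled())
+        return throwError(exec, createEvalError(exec, "Function constructor is disabled"));
+    return constructFunctionSkippingEvalEnabledCheck(exec, globalObject, args, functionName, sourceURL, lineNumber);
+}
+
+JSObject* constructFunctionSkippingEvalEnabledCheck(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, const Identifier& functionName, const UString& sourceURL, int lineNumber)
+{
     // Functions need to have a space following the opening { due to for web compatibility
     // see https://bugs.webkit.org/show_bug.cgi?id=24350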
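Review bot: The new exported entrypoint `constructFunctionSkippingEvalEnabledCheck` carries no comment saying who may call it, yet it is the only way around the `isEvalEnabled()` gate that `constructFunction` now enforces; the same applies to its declaration in the FunctionConstructor.h hunk. The rationale lives only in the ChangeLog (the WebCore JSC bindings build inline event listeners through it) and will not be visible to the next caller who finds the symbol in the export list. I would put above the new definition, and mirror on the declaration: `// Bypasses the eval-enabled check. Only for callers whose source is not page script reaching Function() directly, e.g. the bindings' lazy inline event listeners; everything else goes through constructFunction.` The three-argument `constructFunction` overload at FunctionConstructor.h line 40 is outside this hunk, so it is worth confirming it forwards to the checked six-argument version rather than the new one. The body of the new function continues past the hunk.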
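--- a/trunk/Source/JavaScriptCore/runtime/FunctionConstructor.h
+++ b/trunk/Source/JavaScriptCore/runtime/FunctionConstructor.h
@@ -40,4 +40,6 @@
 JSObject* constructFunction(ExecState*, JSGlobalObject*, const ArgList&);
 
+JSObject* constructFunctionSkippingEvalEnabledCheck(ExecState*, JSGlobalObject*, const ArgList&, const Identifier&, const UString&, int lineNumber);
+
 } // namespace JSC
 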
trunk/Source/WebCore/ChangeLog
r86099 r86100 1 2011-05-09 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP should block Function constructor 6 https://bugs.webkit.org/show_bug.cgi?id=60240 7 8 Tests: http/tests/security/contentSecurityPolicy/function-constructor-allowed.html 9 http/tests/security/contentSecurityPolicy/function-constructor-blocked.html 10 11 * bindings/js/JSLazyEventListener.cpp: 12 (WebCore::JSLazyEventListener::initializeJSFunction): 13 - Update call site to the new entrypoint. 14 * bindings/v8/V8LazyEventListener.cpp: 15 (WebCore::V8LazyEventListener::prepareListenerObject): 16 - Add some comments about the rediculousness of this implementation. 17 1 18 2011-05-09 Chris Rogers <crogers@google.com> 2 19 -
trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp
r82173 r86100 98 98 args.append(jsString(exec, m_code)); 99 99 100 JSObject* jsFunction = constructFunction (exec, exec->lexicalGlobalObject(), args, Identifier(exec, stringToUString(m_functionName)), stringToUString(m_sourceURL), m_lineNumber); // FIXME: is globalExec ok?100 JSObject* jsFunction = constructFunctionSkippingEvalEnabledCheck(exec, exec->lexicalGlobalObject(), args, Identifier(exec, stringToUString(m_functionName)), stringToUString(m_sourceURL), m_lineNumber); // FIXME: is globalExec ok? 101 101 if (exec->hadException()) { 102 102 exec->clearException(); -
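Review bot: The switch to `constructFunctionSkippingEvalEnabledCheck` at line 100 is unexplained at the call site, so a later reader sees a security check being bypassed with only the old `// FIXME: is globalExec ok?` beside it. A comment should record why the bypass is legitimate here, e.g. `// Deliberately skips the eval-enabled check: m_code is the markup's inline handler body, built directly by the bindings rather than by page script calling Function().` Whether inline handlers are gated by a separate CSP decision before this point is not visible in the hunk, so that should be confirmed rather than asserted in the comment. `initializeJSFunction` starts and ends outside the hunk.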
trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp
r82147 r86100 101 101 // FIXME: cache the wrapper function. 102 102 103 // Nodes other than the document object, when executing inline event handlers push document, form, and the target node on the scope chain. 103 // Nodes other than the document object, when executing inline event 104 // handlers push document, form, and the target node on the scope chain. 104 105 // We do this by using 'with' statement. 105 106 // See chrome/fast/forms/form-action.html … … 109 110 // Don't use new lines so that lines in the modified handler 110 111 // have the same numbers as in the original code. 112 // FIXME: What about m_eventParameterName from JSLazyEventListener? 113 // FIXME: This approach is a giant hack! What if m_code escapes to run 114 // arbitrary script? 111 115 String code = "(function (evt) {" \ 112 116 "with (this.ownerDocument ? this.ownerDocument : {}) {" \
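Review bot: The FIXME added at new lines 113-114 names a risk (`m_code` being spliced into a source string at line 115 onward) without saying what currently contains it, and this hunk shows no counterpart to the eval gate this commit adds on the JSC side. If the V8 path is meant to be exempt because the handler is compiled from markup rather than via the Function constructor, the comment should say so; if not, the gap deserves a bug reference rather than a bare FIXME. I would extend it to `// FIXME: This approach is a giant hack! What if m_code escapes to run arbitrary script? The eval-enabled check applied to the JSC Function constructor is not mirrored here.` — an observation from this hunk only, to be confirmed against the rest of the file. `prepareListenerObject` starts and ends outside both hunks.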