Changeset 95488 in webkit

Timestamp:

Sep 19, 2011 3:56:22 PM (13 years ago)

Author:

abarth@webkit.org

Message:

Named property confusion with proto
​https://bugs.webkit.org/show_bug.cgi?id=68221

Reviewed by Eric Seidel.

Source/WebCore:

The proto property is super magical because it's not a real named
property and it has higher precedence than even interceptors. This
confuses this check, which is meant to detech which names will get
handled by our interceptor.

Test: http/tests/security/window-named-proto.html

• bindings/v8/custom/V8DOMWindowCustom.cpp:

(WebCore::V8DOMWindow::namedSecurityCheck):

LayoutTests:

• http/tests/security/resources/innocent-victim-with-iframe.html: Added.
• http/tests/security/window-named-proto-expected.txt: Added.
• http/tests/security/window-named-proto.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/resources/innocent-victim-with-iframe.html (added)
• LayoutTests/http/tests/security/window-named-proto-expected.txt (added)
• LayoutTests/http/tests/security/window-named-proto.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-09-19  Adam Barth  <abarth@webkit.org>
+
+        Named property confusion with __proto__
+        https://bugs.webkit.org/show_bug.cgi?id=68221
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/security/resources/innocent-victim-with-iframe.html: Added.
+        * http/tests/security/window-named-proto-expected.txt: Added.
+        * http/tests/security/window-named-proto.html: Added.
+
 2011-09-19  John Bauman  <jbauman@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-09-19  Adam Barth  <abarth@webkit.org>
+
+        Named property confusion with __proto__
+        https://bugs.webkit.org/show_bug.cgi?id=68221
+
+        Reviewed by Eric Seidel.
+
+        The __proto__ property is super magical because it's not a real named
+        property and it has higher precedence than even interceptors.  This
+        confuses this check, which is meant to detech which names will get
+        handled by our interceptor.
+
+        Test: http/tests/security/window-named-proto.html
+
+        * bindings/v8/custom/V8DOMWindowCustom.cpp:
+        (WebCore::V8DOMWindow::namedSecurityCheck):
+
 2011-09-19  Adam Barth  <abarth@webkit.org>
 

trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp

@@ -561 +561 @@
 
     if (key->IsString()) {
+        DEFINE_STATIC_LOCAL(AtomicString, nameOfProtoProperty, ("__proto__"));
+
         String name = toWebCoreString(key);
         // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
@@ -566 +568 @@
         if (type == v8::ACCESS_HAS && target->tree()->child(name))
             return true;
-        if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()))
+        // We need to explicitly compare against nameOfProtoProperty because
+        // V8's JSObject::LocalLookup finds __proto__ before
+        // interceptors and even when __proto__ isn't a "real named property".
+        if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()) && name != nameOfProtoProperty)
             return true;
     }