Title: [248709] trunk
- Revision: 248709
- Author: mark....@apple.com
- Date: 2019-08-14 23:20:11 -0700 (Wed, 14 Aug 2019)
Log Message
JSTests:
ProxyObject should not be allowed to access its target's private properties.
https://bugs.webkit.org/show_bug.cgi?id=200739
<rdar://problem/53972768>
Reviewed by Yusuke Suzuki.
* stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
* stress/proxy-with-private-symbols.js: Rebased.
Source/JavaScriptCore:
Remove support for macOS < 10.13
https://bugs.webkit.org/show_bug.cgi?id=200694
<rdar://problem/54278851>
Patch by Keith Rollin <krol...@apple.com> on 2019-08-14
Reviewed by Youenn Fablet.
Update conditionals that reference __MAC_OS_X_VERSION_MIN_REQUIRED and
__MAC_OS_X_VERSION_MAX_ALLOWED, assuming that they both have values >=
101300. This means that expressions like
"__MAC_OS_X_VERSION_MIN_REQUIRED < 101300" are always False and
"__MAC_OS_X_VERSION_MIN_REQUIRED >= 101300" are always True.
* API/WebKitAvailability.h:
Diff
Modified: trunk/JSTests/ChangeLog (248708 => 248709)
--- trunk/JSTests/ChangeLog 2019-08-15 06:11:35 UTC (rev 248708)
+++ trunk/JSTests/ChangeLog 2019-08-15 06:20:11 UTC (rev 248709)
@@ -1,5 +1,16 @@
2019-08-14 Mark Lam <mark....@apple.com>
+ ProxyObject should not be allow to access its target's private properties.
+ https://bugs.webkit.org/show_bug.cgi?id=200739
+ <rdar://problem/53972768>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js: Added.
+ * stress/proxy-with-private-symbols.js: Rebased.
+
+2019-08-14 Mark Lam <mark....@apple.com>
+
Missing exception check in string compare.
https://bugs.webkit.org/show_bug.cgi?id=200743
<rdar://problem/53975356>
Added: trunk/JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js (0 => 248709)
--- trunk/JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js (rev 0)
+++ trunk/JSTests/stress/proxy-should-not-be-allowed-to-access-private-properties-of-target.js 2019-08-15 06:20:11 UTC (rev 248709)
@@ -0,0 +1,21 @@
+var foo = (function* bar() {
+ try {
+ yield* x;
+ } finally {
+ try {
+ y;
+ } finally {
+ return;
+ }
+ }
+}) ();
+
+var x = new Proxy(foo, {});
+try {
+ x.next();
+} catch (e) {
+ exception = e;
+}
+
+if (exception != 'TypeError: |this| should be a generator')
+ throw "FAILED";
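Review bot: `exception` is assigned in the catch block but never declared, so if `x.next()` stops throwing, the final `if` fails with a ReferenceError instead of the intended "FAILED". Declare `var exception;` before the `try` so a regression reports the test's own failure. The check also relies on `!=` coercing the error to a string; comparing `String(exception)` explicitly would make that intent clear. Note that this test only drives a read (`x.next()`), while the same revision changes six ProxyObject operations.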
Modified: trunk/JSTests/stress/proxy-with-private-symbols.js (248708 => 248709)
--- trunk/JSTests/stress/proxy-with-private-symbols.js 2019-08-15 06:11:35 UTC (rev 248708)
+++ trunk/JSTests/stress/proxy-with-private-symbols.js 2019-08-15 06:20:11 UTC (rev 248709)
@@ -81,7 +81,7 @@
assert(e.message === "%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");
threw = true;
}
- assert(!threw);
+ assert(threw);
assert(!sawPrivateSymbolAsString);
sawPrivateSymbolAsString = false;
}
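Review bot: `assert(threw)` inverts the previous expectation with nothing at this site explaining why the call through the proxy must now throw. The `e.message` assertion in the catch pins the error text, but a one-line comment referencing bug 200739 next to `assert(threw)` would keep the flipped expectation from being read as a regression and reverted.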
Modified: trunk/Source/_javascript_Core/ChangeLog (248708 => 248709)
--- trunk/Source/_javascript_Core/ChangeLog 2019-08-15 06:11:35 UTC (rev 248708)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-08-15 06:20:11 UTC (rev 248709)
@@ -16,6 +16,22 @@
2019-08-14 Mark Lam <mark....@apple.com>
+ ProxyObject should not be allow to access its target's private properties.
+ https://bugs.webkit.org/show_bug.cgi?id=200739
+ <rdar://problem/53972768>
+
+ Reviewed by Yusuke Suzuki.
+
+ * runtime/ProxyObject.cpp:
+ (JSC::performProxyGet):
+ (JSC::ProxyObject::performInternalMethodGetOwnProperty):
+ (JSC::ProxyObject::performHasProperty):
+ (JSC::ProxyObject::performPut):
+ (JSC::ProxyObject::performDelete):
+ (JSC::ProxyObject::performDefineOwnProperty):
+
+2019-08-14 Mark Lam <mark....@apple.com>
+
Missing exception check in string compare.
https://bugs.webkit.org/show_bug.cgi?id=200743
<rdar://problem/53975356>
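Review bot: the new ChangeLog entry lists six ProxyObject.cpp functions but does not describe what changed in them. Add a sentence stating that private-name operations on a ProxyObject now return undefined (get) or false (the other five) instead of going through the `performDefault...` path, since that is the security-relevant behaviour someone bisecting later will look for.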
Modified: trunk/Source/_javascript_Core/runtime/ProxyObject.cpp (248708 => 248709)
--- trunk/Source/_javascript_Core/runtime/ProxyObject.cpp 2019-08-15 06:11:35 UTC (rev 248708)
+++ trunk/Source/_javascript_Core/runtime/ProxyObject.cpp 2019-08-15 06:20:11 UTC (rev 248709)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2017 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -143,7 +143,7 @@
};
if (propertyName.isPrivateName())
- return performDefaultGet();
+ return jsUndefined();
JSValue handlerValue = proxyObject->handler();
if (handlerValue.isNull())
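Review bot: the `return jsUndefined();` under `propertyName.isPrivateName()` carries no comment saying why a private-name lookup on a proxy yields undefined rather than `performDefaultGet()`. A short comment here (private names must not be reachable through a Proxy, see bug 200739) would stop a later cleanup from restoring the default path.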
@@ -214,7 +214,7 @@
};
if (propertyName.isPrivateName())
- RELEASE_AND_RETURN(scope, performDefaultGetOwnProperty());
+ return false;
JSValue handlerValue = this->handler();
if (handlerValue.isNull()) {
@@ -323,7 +323,7 @@
};
if (propertyName.isPrivateName())
- RELEASE_AND_RETURN(scope, performDefaultHasProperty());
+ return false;
JSValue handlerValue = this->handler();
if (handlerValue.isNull()) {
@@ -425,7 +425,7 @@
}
if (propertyName.isPrivateName())
- RELEASE_AND_RETURN(scope, performDefaultPut());
+ return false;
JSValue handlerValue = this->handler();
if (handlerValue.isNull()) {
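Review bot: in the put path, `return false;` reports the store as rejected, which is a different observable outcome from the undefined returned in the get path, and the stress test added in this revision only performs a read through the proxy (`x.next()`). Consider adding coverage for the put, delete and defineOwnProperty paths so each of the changed early returns is exercised.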
@@ -628,7 +628,7 @@
}
if (propertyName.isPrivateName())
- RELEASE_AND_RETURN(scope, performDefaultDelete());
+ return false;
JSValue handlerValue = this->handler();
if (handlerValue.isNull()) {
@@ -827,7 +827,7 @@
};
if (propertyName.isPrivateName())
- return performDefaultDefineOwnProperty();
+ return false;
JSValue handlerValue = this->handler();
if (handlerValue.isNull()) {
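Review bot: this is the sixth copy of the `if (propertyName.isPrivateName())` early return in this file, each now hard-coding its own result (`jsUndefined()` in one place, `false` in five). Since the invariant is a security boundary, consider documenting it once near the top of ProxyObject.cpp, or adding a debug assertion on the default paths that they are never reached with a private name, so a newly added ProxyObject operation cannot miss the check unnoticed.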