Author: [EMAIL PROTECTED]
Date: Wed Sep 24 08:47:34 2008
New Revision: 368

Modified:
    branches/bleeding_edge/src/handles.cc
    branches/bleeding_edge/test/cctest/test-api.cc

Log:
This is a fix of issue http://b/issue?id=1381845.

Check domain security on prototypes in for-in loop.

Review URL: http://codereview.chromium.org/4236

Modified: branches/bleeding_edge/src/handles.cc
==============================================================================
--- branches/bleeding_edge/src/handles.cc       (original)
+++ branches/bleeding_edge/src/handles.cc       Wed Sep 24 08:47:34 2008
@@ -332,13 +332,6 @@
  Handle<FixedArray> GetKeysInFixedArrayFor(Handle<JSObject> object) {
    Handle<FixedArray> content = Factory::empty_fixed_array();

-  // Check access rights if required.
-  if (object->IsAccessCheckNeeded() &&
-    !Top::MayNamedAccess(*object, Heap::undefined_value(),  
v8::ACCESS_KEYS)) {
-    Top::ReportFailedAccessCheck(*object, v8::ACCESS_KEYS);
-    return content;
-  }
-
    JSObject* arguments_boilerplate =
        Top::context()->global_context()->arguments_boilerplate();
    JSFunction* arguments_function =
@@ -351,6 +344,14 @@
           *p != Heap::null_value();
           p = Handle<Object>(p->GetPrototype())) {
        Handle<JSObject> current(JSObject::cast(*p));
+
+      // Check access rights if required.
+      if (current->IsAccessCheckNeeded() &&
+        !Top::MayNamedAccess(*current, Heap::undefined_value(),
+                             v8::ACCESS_KEYS)) {
+        Top::ReportFailedAccessCheck(*current, v8::ACCESS_KEYS);
+        break;
+      }

        // Compute the property keys.
        content = UnionOfKeys(content, GetEnumPropertyKeys(current));
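Review bot: The removed up-front check on `object` is only subsumed by the new in-loop check if the prototype walk starts at the receiver itself, and the `for` initializer is outside this hunk, so that cannot be confirmed from here. If the walk starts at the first prototype instead, the receiver's own keys would now be collected without an access check. The `break` also deserves a why-comment so it is not later changed to `continue`, for example `// Stop the walk: objects further up are only reachable through one we may not read.`. Keys gathered before the blocked object are still returned, which looks intended but is not stated anywhere.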

Modified: branches/bleeding_edge/test/cctest/test-api.cc
==============================================================================
--- branches/bleeding_edge/test/cctest/test-api.cc      (original)
+++ branches/bleeding_edge/test/cctest/test-api.cc      Wed Sep 24 08:47:34 2008
@@ -3167,6 +3167,38 @@
  }


+THREADED_TEST(CrossDomainForIn) {
+  v8::HandleScope handle_scope;
+  LocalContext env1;
+  v8::Persistent<Context> env2 = Context::New();
+
+  Local<Value> foo = v8_str("foo");
+  Local<Value> bar = v8_str("bar");
+
+  // Set to the same domain.
+  env1->SetSecurityToken(foo);
+  env2->SetSecurityToken(foo);
+
+  env1->Global()->Set(v8_str("prop"), v8_num(3));
+  env2->Global()->Set(v8_str("env1"), env1->Global());
+
+  // Change env2 to a different domain and set env1's global object
+  // as the __proto__ of an object in env2 and enumerate properties
+  // in for-in. It shouldn't enumerate properties on env1's global
+  // object.
+  env2->SetSecurityToken(bar);
+  {
+    Context::Scope scope_env2(env2);
+    Local<Value> result =
+        CompileRun("(function(){var obj = {'__proto__':env1};"
+                   "for (var p in obj)"
+                   "   if (p == 'prop') return false;"
+                   "return true;})()");
+    CHECK(result->IsTrue());
+  }
+  env2.Dispose();
+}
+

  static bool NamedAccessBlocker(Local<v8::Object> global,
                                 Local<Value> name,
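Review bot: CrossDomainForIn has no positive control, so `CHECK(result->IsTrue())` would also pass if `prop` were never enumerated through `env1` for some unrelated reason. Running the same script once while both contexts still carry token `foo`, and checking that it returns false, would tie the final result to the token change. This assumes same-token enumeration through `__proto__` behaves as the test's own comments imply. A further assertion that an own property of `obj` is still enumerated in the cross-domain case would pin down that only the blocked prototype's keys are dropped.

```cpp
  env2->Global()->Set(v8_str("env1"), env1->Global());

  // Positive control: while both contexts share a token, 'prop' is
  // expected to be visible in the for-in, so the script returns false.
  {
    Context::Scope scope_env2(env2);
    Local<Value> same_domain =
        CompileRun("(function(){var obj = {'__proto__':env1};"
                   "for (var p in obj)"
                   "   if (p == 'prop') return false;"
                   "return true;})()");
    CHECK(same_domain->IsFalse());
  }
  // … unchanged: switch env2 to token bar and repeat the enumeration …
```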
