Reviewers: danno,
Description:
Version 3.27.34.15 (merged r23129)
Fix access checks in GetAccessor
[email protected]
BUG=
Please review this at https://codereview.chromium.org/500203002/
SVN Base: https://v8.googlecode.com/svn/branches/3.27
Affected files (+18, -9 lines):
M src/objects.cc
M src/version.cc
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
92bce62d44c44ab1a9f941f9d1e7c03a697a870e..1d3b022c71caed782881e05f9c8c7886b3e8e769
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -6909,20 +6909,21 @@ MaybeHandle<Object>
JSObject::GetAccessor(Handle<JSObject> object,
// interceptor calls.
AssertNoContextChange ncc(isolate);
- // Check access rights if needed.
- if (object->IsAccessCheckNeeded() &&
- !isolate->MayNamedAccess(object, name, v8::ACCESS_HAS)) {
- isolate->ReportFailedAccessCheck(object, v8::ACCESS_HAS);
- RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
- return isolate->factory()->undefined_value();
- }
-
// Make the lookup and include prototypes.
uint32_t index = 0;
if (name->AsArrayIndex(&index)) {
for (Handle<Object> obj = object;
!obj->IsNull();
obj = handle(JSReceiver::cast(*obj)->GetPrototype(), isolate)) {
+ if (obj->IsAccessCheckNeeded() &&
+ !isolate->MayNamedAccess(Handle<JSObject>::cast(obj), name,
+ v8::ACCESS_HAS)) {
+ isolate->ReportFailedAccessCheck(Handle<JSObject>::cast(obj),
+ v8::ACCESS_HAS);
+ RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
+ return isolate->factory()->undefined_value();
+ }
+
if (obj->IsJSObject() &&
JSObject::cast(*obj)->HasDictionaryElements()) {
JSObject* js_object = JSObject::cast(*obj);
SeededNumberDictionary* dictionary =
js_object->element_dictionary();
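Review bot: `Handle<JSObject>::cast(obj)` in the added check runs before the loop has established that `obj` is a JSObject; the next statement still guards with `obj->IsJSObject()` and the chain is walked through `JSReceiver::cast`, so non-JSObject receivers are evidently possible here. The cast is only sound if `IsAccessCheckNeeded()` can never be true for such a receiver, which is presumably the case but is not visible in this hunk. I would state that above the check, e.g. `// Only JSObjects can require access checks, so the cast below is safe.`, rather than adding `obj->IsJSObject() &&` to the condition, which would silently skip the check if the invariant ever broke. The same cast appears in the named-property loop in the second hunk, and the loop body continues outside this hunk.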
@@ -6941,6 +6942,14 @@ MaybeHandle<Object>
JSObject::GetAccessor(Handle<JSObject> object,
for (Handle<Object> obj = object;
!obj->IsNull();
obj = handle(JSReceiver::cast(*obj)->GetPrototype(), isolate)) {
+ if (obj->IsAccessCheckNeeded() &&
+ !isolate->MayNamedAccess(Handle<JSObject>::cast(obj), name,
+ v8::ACCESS_HAS)) {
+ isolate->ReportFailedAccessCheck(Handle<JSObject>::cast(obj),
+ v8::ACCESS_HAS);
+ RETURN_EXCEPTION_IF_SCHEDULED_EXCEPTION(isolate, Object);
+ return isolate->factory()->undefined_value();
+ }
LookupResult result(isolate);
JSReceiver::cast(*obj)->LookupOwn(name, &result);
if (result.IsFound()) {
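Review bot: This check is a verbatim copy of the one added to the element loop in the previous hunk, and neither copy carries a comment now that `// Check access rights if needed.` was removed along with the old receiver-only check. Since the fix is that every object on the prototype chain gets checked, a comment such as `// Check access on each object in the chain, not only on the receiver.` at both sites would discourage a later refactor from hoisting the check back out of the loop. Moving the block into one file-local helper called from both loops would also keep the element and named-property paths from drifting apart. The loop body continues outside the hunk.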
Index: src/version.cc
diff --git a/src/version.cc b/src/version.cc
index
d6c5135551c0d3d8abd5066eb60283cf4714d9dc..da8e38614734d967ce7b786c4a8f17c1ba74b2c9
100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 27
#define BUILD_NUMBER 34
-#define PATCH_LEVEL 14
+#define PATCH_LEVEL 15
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0