[v8-dev] Perform security checks before fetching the value in Object.getOwnPropertyDescriptor. (issue6386022)

antonm Mon, 31 Jan 2011 04:37:11 -0800

Reviewers: Mads Ager, Rico,

Message:
Mads and Rico,


may you have a look?

Description:
Perform security checks before fetching the value in
Object.getOwnPropertyDescriptor.

Please review this at http://codereview.chromium.org/6386022/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/runtime.cc
  M test/cctest/test-api.cc


Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc

indexb8133ae15e43e3fe08a65114cb60b4c0d8d5300d..96d07a859b296b5223d7355f56d1fbb591535b17100644

--- a/src/runtime.cc
+++ b/src/runtime.cc

@@ -745,35 +745,31 @@ static MaybeObject* Runtime_GetOwnProperty(Argumentsargs) {

   if (!result.IsProperty()) {
     return Heap::undefined_value();
   }
-  if (result.type() == CALLBACKS) {
-    Object* structure = result.GetCallbackObject();
-    if (structure->IsProxy() || structure->IsAccessorInfo()) {
-      // Property that is internally implemented as a callback or
-      // an API defined callback.
-      Object* value;
-      { MaybeObject* maybe_value = obj->GetPropertyWithCallback(
-            *obj, structure, *name, result.holder());
-        if (!maybe_value->ToObject(&value)) return maybe_value;
-      }
-      elms->set(IS_ACCESSOR_INDEX, Heap::false_value());
-      elms->set(VALUE_INDEX, value);
-      elms->set(WRITABLE_INDEX, Heap::ToBoolean(!result.IsReadOnly()));
-    } else if (structure->IsFixedArray()) {
-      // __defineGetter__/__defineSetter__ callback.
-      elms->set(IS_ACCESSOR_INDEX, Heap::true_value());
-      elms->set(GETTER_INDEX, FixedArray::cast(structure)->get(0));
-      elms->set(SETTER_INDEX, FixedArray::cast(structure)->get(1));
-    } else {
-      return Heap::undefined_value();
-    }
+
+  elms->set(ENUMERABLE_INDEX, Heap::ToBoolean(!result.IsDontEnum()));
+  elms->set(CONFIGURABLE_INDEX, Heap::ToBoolean(!result.IsDontDelete()));
+
+  bool is_js_accessor = (result.type() == CALLBACKS) &&
+                        (result.GetCallbackObject()->IsFixedArray());
+
+  if (is_js_accessor) {
+    // __defineGetter__/__defineSetter__ callback.
+    FixedArray* structure = FixedArray::cast(result.GetCallbackObject());
+    elms->set(IS_ACCESSOR_INDEX, Heap::true_value());
+    elms->set(GETTER_INDEX, structure->get(0));
+    elms->set(SETTER_INDEX, structure->get(1));
   } else {
     elms->set(IS_ACCESSOR_INDEX, Heap::false_value());
-    elms->set(VALUE_INDEX, result.GetLazyValue());
     elms->set(WRITABLE_INDEX, Heap::ToBoolean(!result.IsReadOnly()));
+
+    PropertyAttributes attrs;
+    Object* value;

+ { MaybeObject* maybe_value = obj->GetProperty(*obj, &result, *name,&attrs);

+      if (!maybe_value->ToObject(&value)) return maybe_value;
+    }
+    elms->set(VALUE_INDEX, value);
   }

-  elms->set(ENUMERABLE_INDEX, Heap::ToBoolean(!result.IsDontEnum()));
-  elms->set(CONFIGURABLE_INDEX, Heap::ToBoolean(!result.IsDontDelete()));
   return *desc;
 }

Index: test/cctest/test-api.cc
diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc

indexe06062b2ed4c46d4a6f8e23b64a09be49f6eccd2..9b9f469f60a7a4d434eed5ca7c5003487f0a4fad100644

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -5373,37 +5373,45 @@ THREADED_TEST(AccessControl) {
   v8::Handle<Value> value;

   // Access blocked property
-  value = v8_compile("other.blocked_prop = 1")->Run();
-  value = v8_compile("other.blocked_prop")->Run();
+  value = CompileRun("other.blocked_prop = 1");
+  value = CompileRun("other.blocked_prop");
   CHECK(value->IsUndefined());

- value =v8_compile("propertyIsEnumerable.call(other, 'blocked_prop')")->Run();

+  value = CompileRun(
+      "Object.getOwnPropertyDescriptor(other, 'blocked_prop').value");
+  CHECK(value->IsUndefined());
+
+  value = CompileRun("propertyIsEnumerable.call(other, 'blocked_prop')");
   CHECK(value->IsFalse());

   // Access accessible property
-  value = v8_compile("other.accessible_prop = 3")->Run();
+  value = CompileRun("other.accessible_prop = 3");
   CHECK(value->IsNumber());
   CHECK_EQ(3, value->Int32Value());
   CHECK_EQ(3, g_echo_value);

-  value = v8_compile("other.accessible_prop")->Run();
+  value = CompileRun("other.accessible_prop");
   CHECK(value->IsNumber());
   CHECK_EQ(3, value->Int32Value());

-  value =

-v8_compile("propertyIsEnumerable.call(other, 'accessible_prop')")->Run();

+  value = CompileRun(
+      "Object.getOwnPropertyDescriptor(other, 'accessible_prop').value");
+  CHECK(value->IsNumber());
+  CHECK_EQ(3, value->Int32Value());
+

+ value =CompileRun("propertyIsEnumerable.call(other, 'accessible_prop')");

   CHECK(value->IsTrue());

   // Enumeration doesn't enumerate accessors from inaccessible objects in

// the prototype chain even if the accessors are in themselvesaccessible.

-  Local<Value> result =
+  value =
       CompileRun("(function(){var obj = {'__proto__':other};"
                  "for (var p in obj)"
                  "   if (p == 'accessible_prop' || p == 'blocked_prop') {"
                  "     return false;"
                  "   }"
                  "return true;})()");
-  CHECK(result->IsTrue());
+  CHECK(value->IsTrue());

   context1->Exit();
   context0->Exit();


--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev

[v8-dev] Perform security checks before fetching the value in Object.getOwnPropertyDescriptor. (issue6386022)

Reply via email to