Reviewers: dcarney,

Message:
On 2014/04/29 06:28:03, dcarney wrote:
looks ok, but we want to have all the cross-origin checks go through a chokepoint, like MayAccessPreCheck (by having the relevant bit moved to another function with a better name)

Indeed, thanks for taking a look. I should have said "proof of concept" fix,
this isn't actually the patch I'd want to land, it was just the minimal set of
code changes necessary to avoid the posted exploits.

There are also some loose ends that need to be tied up around
Object.getNotifier() that I need to tie up in the same patch.

Description:
Proposed fix for Object.observe access checks

BUG=367817

Please review this at https://codereview.chromium.org/260253002/

SVN Base: https://chromium.googlesource.com/external/v8.git@master

Affected files (+10, -17 lines):
  M src/runtime.cc


Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index c91c3f908fcb02a713455ca99cd383670d6f5450..923705294e4b04e5ad40df99cbfe678e18e5bf66 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -14913,26 +14913,19 @@ RUNTIME_FUNCTION(Runtime_IsAccessAllowedForObserver) {
   CONVERT_ARG_HANDLE_CHECKED(JSFunction, observer, 0);
   CONVERT_ARG_HANDLE_CHECKED(JSObject, object, 1);
   RUNTIME_ASSERT(object->map()->is_access_check_needed());
+  // FIXME: Remove key arg
   CONVERT_ARG_HANDLE_CHECKED(Object, key, 2);
-  SaveContext save(isolate);
-  isolate->set_context(observer->context());
-  if (!isolate->MayNamedAccess(
- object, isolate->factory()->undefined_value(), v8::ACCESS_KEYS)) {
-    return isolate->heap()->false_value();
-  }
-  bool access_allowed = false;
-  uint32_t index = 0;
-  if (key->ToArrayIndex(&index) ||
-      (key->IsString() && String::cast(*key)->AsArrayIndex(&index))) {
-    access_allowed =
-        isolate->MayIndexedAccess(object, index, v8::ACCESS_GET) &&
-        isolate->MayIndexedAccess(object, index, v8::ACCESS_HAS);
+ Handle<Context> observer_context(observer->context()->native_context(), isolate);
+  Handle<Context> object_context;
+  Handle<Object> constructor(object->map()->constructor(), isolate);
+  if (!constructor->IsJSFunction()) {
+ object_context = handle(JSFunction::cast(*object)->context()->native_context(), isolate);
   } else {
-    access_allowed =
-        isolate->MayNamedAccess(object, key, v8::ACCESS_GET) &&
-        isolate->MayNamedAccess(object, key, v8::ACCESS_HAS);
+ object_context = handle(JSFunction::cast(*constructor)->context()->native_context(), isolate);
   }
-  return isolate->heap()->ToBoolean(access_allowed);
+  return isolate->heap()->ToBoolean(
+      *object_context == *observer_context ||
+ object_context->security_token() == observer_context->security_token());
 }
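Review bot: the `!constructor->IsJSFunction()` branch casts `object` itself with `JSFunction::cast(*object)` without first checking `object->IsJSFunction()`, so a non-function object whose map constructor is not a JSFunction would hit a failed cast; guard that branch with an explicit `object->IsJSFunction()` test, or better, move the creation-context lookup into the single cross-origin chokepoint the reviewer asked for instead of reimplementing it here. Worth calling out in the description as well: the removed code went through `isolate->MayNamedAccess` / `isolate->MayIndexedAccess`, i.e. the embedder's access-check callbacks, whereas the new code only compares native contexts and their `security_token()`, so an embedder that relies on its own access-check callback is no longer consulted for observers. The `key` argument is now unused apart from the `FIXME`; dropping it in the same change would keep the runtime function's signature honest.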

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev