Reviewers: Toon Verwaest,
Message:
ptal
Description:
filter out .caller from other worlds
[email protected]
BUG=
Please review this at https://codereview.chromium.org/261103002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+27, -6 lines):
M src/accessors.cc
M src/contexts.h
Index: src/accessors.cc
diff --git a/src/accessors.cc b/src/accessors.cc
index
8c8fcdd9993a7899043363524cd428a0d4e5c44a..08e9e23ebb94b001a87ea362b5742fcb351e2b06
100644
--- a/src/accessors.cc
+++ b/src/accessors.cc
@@ -1114,22 +1114,33 @@ Handle<AccessorInfo>
Accessors::FunctionArgumentsInfo(
//
+static inline bool AllowAccessToFunction(Context* current_context,
+ JSFunction* function) {
+ return current_context->HasSameSecurityTokenAs(function->context());
+}
+
+
class FrameFunctionIterator {
public:
FrameFunctionIterator(Isolate* isolate, const DisallowHeapAllocation&
promise)
- : frame_iterator_(isolate),
+ : isolate_(isolate),
+ frame_iterator_(isolate),
functions_(2),
index_(0) {
GetFunctions();
}
JSFunction* next() {
if (functions_.length() == 0) return NULL;
- JSFunction* next_function = functions_[index_];
- index_--;
- if (index_ < 0) {
- GetFunctions();
+ while (true) {
+ JSFunction* next_function = functions_[index_];
+ index_--;
+ if (index_ < 0) {
+ GetFunctions();
+ }
+ // Skip functions from other origins.
+ if (!AllowAccessToFunction(isolate_->context(), next_function))
continue;
+ return next_function;
}
- return next_function;
}
// Iterate through functions until the first occurence of 'function'.
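Review bot: The empty-list guard `if (functions_.length() == 0) return NULL;` stays outside the new `while (true)` in next(), so after the `continue` that skips a cross-context function the loop re-reads `functions_[index_]` without it; if that function was the last in the list and `GetFunctions()` found no further frame, the re-read indexes an empty list with `index_` at -1. Before this change that could not happen, because next() returned before any re-read and the guard ran on every call. Move the guard to the top of the loop, `while (true) { if (functions_.length() == 0) return NULL; ...`, and drop the copy before the loop. GetFunctions() is defined outside this hunk; that it can leave `functions_` empty and `index_` at -1 when the frame iterator is exhausted is inferred from hunk 2's `index_ = functions_.length() - 1;` and should be confirmed there.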
@@ -1154,6 +1165,7 @@ class FrameFunctionIterator {
frame_iterator_.Advance();
index_ = functions_.length() - 1;
}
+ Isolate* isolate_;
JavaScriptFrameIterator frame_iterator_;
List<JSFunction*> functions_;
int index_;
@@ -1201,6 +1213,10 @@ MaybeHandle<JSFunction> FindCaller(Isolate* isolate,
if (caller->shared()->strict_mode() == STRICT) {
return MaybeHandle<JSFunction>();
}
+ // Don't return caller from another security context.
+ if (!AllowAccessToFunction(isolate->context(), caller)) {
+ return MaybeHandle<JSFunction>();
+ }
return Handle<JSFunction>(caller);
}
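Review bot: The new AllowAccessToFunction check in FindCaller needs a comment saying why it exists, because FrameFunctionIterator::next() in the first hunk already skips every function that fails the same check; if `caller` always comes from `it.next()` (where it is obtained is outside this hunk) the check is redundant defense in depth, and if `caller` can arrive by another path that path is the thing worth naming. Suggest replacing the one-line comment with `// Defense in depth: the iterator already skips functions with a different security token, but never hand one out from here either.`. Separately, because the iterator steps over rather than stops at a foreign function, `.caller` can report a same-origin function further up the stack instead of null; that is a deliberate choice here and deserves a sentence in the comment on next() so it is not later read as a bug. FindCaller's body starts outside the hunk.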
Index: src/contexts.h
diff --git a/src/contexts.h b/src/contexts.h
index
50b6a2bd377011ea0e6a96e1446dc2247d1109aa..faaa6ecce1b15a026fae0f9ea47bfa2424593e43
100644
--- a/src/contexts.h
+++ b/src/contexts.h
@@ -439,6 +439,11 @@ class Context: public FixedArray {
return map == map->GetHeap()->global_context_map();
}
+ bool HasSameSecurityTokenAs(Context* that) {
+ return this->global_object()->native_context()->security_token() ==
+ that->global_object()->native_context()->security_token();
+ }
+
// A native context holds a list of all functions with optimized code.
void AddOptimizedFunction(JSFunction* function);
void RemoveOptimizedFunction(JSFunction* function);
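Review bot: HasSameSecurityTokenAs is added without a comment while the neighbouring members carry one (see the line above AddOptimizedFunction); suggest `// True when this context and |that| resolve to native contexts holding the same security token.`. As a point of style the `this->` on the first operand is unnecessary, and binding the two `global_object()->native_context()->security_token()` chains to named locals before comparing them would make the predicate easier to read in a debugger. Context's class body continues outside the hunk.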