Title: [96341] trunk
Revision
96341
Author
[email protected]
Date
2011-09-29 10:50:47 -0700 (Thu, 29 Sep 2011)

Log Message

We should ignore the return value of GetRealNamedProperty
https://bugs.webkit.org/show_bug.cgi?id=68840

Reviewed by Nate Chapin.

Source/WebCore:

Instead of skipping the lookup process by using the result of real
named property, we should just indicate that it wasn't handled by the
interceptor.

Test: http/tests/security/window-named-valueOf.html

* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::V8DOMWindow::namedPropertyGetter):

LayoutTests:

* http/tests/security/window-named-valueOf-expected.txt: Added.
* http/tests/security/window-named-valueOf.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp

Added Paths

trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt
trunk/LayoutTests/http/tests/security/window-named-valueOf.html
Diff

Modified: trunk/LayoutTests/ChangeLog (96340 => 96341)


--- trunk/LayoutTests/ChangeLog	2011-09-29 17:46:14 UTC (rev 96340)
+++ trunk/LayoutTests/ChangeLog	2011-09-29 17:50:47 UTC (rev 96341)
@@ -1,3 +1,13 @@
+2011-09-29  Adam Barth  <[email protected]>
+
+        We should ignore the return value of GetRealNamedProperty
+        https://bugs.webkit.org/show_bug.cgi?id=68840
+
+        Reviewed by Nate Chapin.
+
+        * http/tests/security/window-named-valueOf-expected.txt: Added.
+        * http/tests/security/window-named-valueOf.html: Added.
+
 2011-09-29  Chris Fleizach  <[email protected]>
 
         ARIA live regions don't trigger notifications for elements that aren't in the AX tree

Added: trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt (0 => 96341)


--- trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt	2011-09-29 17:50:47 UTC (rev 96341)
@@ -0,0 +1 @@
+This passes if it doesn't alert the contents of innocent-victim.  

Added: trunk/LayoutTests/http/tests/security/window-named-valueOf.html (0 => 96341)


--- trunk/LayoutTests/http/tests/security/window-named-valueOf.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/window-named-valueOf.html	2011-09-29 17:50:47 UTC (rev 96341)
@@ -0,0 +1,32 @@
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+    layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+}
+</script>
+<body>
+This passes if it doesn't alert the contents of innocent-victim.
+<script>
+window._onload_ = function()
+{
+    frame = document.body.appendChild(document.createElement("iframe"));
+    frame.src = ""
+    frame._onload_ = function() {
+        frame._onload_ = null;
+
+        frame.contentWindow[0].location = "data:text/html,<script>(" + function() {
+            try {
+                window.name = "valueOf";
+                obj = window.open();
+                obj.__proto__.__proto__ = parent;
+                alert(obj.valueOf.constructor("return document.body.innerHTML")());
+            } catch(ex) {
+            }
+            if (window.layoutTestController)
+                layoutTestController.notifyDone();
+        } + ")()</scr" + "ipt>";
+    }
+}
+</script>
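Review bot: the empty `catch(ex) {}` in the data: URL script lets the test pass vacuously whenever something unrelated throws before the `alert` (for instance `frame.contentWindow[0]` being undefined if innocent-victim stops embedding a subframe, or `window.open()` returning null), because the expected output only records the absence of an alert. Consider writing the caught exception (at least `ex.name`) into the dumped text, with a matching line in the expected file, so that "attack blocked" and "attack never ran" are distinguishable. Separately, as listed here `frame.src = ""` carries no URL and no trailing semicolon, and the handlers are spelled `_onload_` rather than `onload`; as written the iframe would never load innocent-victim at all, so please confirm these lines against the file in the tree.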

Modified: trunk/Source/WebCore/ChangeLog (96340 => 96341)


--- trunk/Source/WebCore/ChangeLog	2011-09-29 17:46:14 UTC (rev 96340)
+++ trunk/Source/WebCore/ChangeLog	2011-09-29 17:50:47 UTC (rev 96341)
@@ -1,3 +1,19 @@
+2011-09-29  Adam Barth  <[email protected]>
+
+        We should ignore the return value of GetRealNamedProperty
+        https://bugs.webkit.org/show_bug.cgi?id=68840
+
+        Reviewed by Nate Chapin.
+
+        Instead of skipping the lookup process by using the result of real
+        named property, we should just indiciate that it wasn't handled by the
+        interceptor.
+
+        Test: http/tests/security/window-named-valueOf.html
+
+        * bindings/v8/custom/V8DOMWindowCustom.cpp:
+        (WebCore::V8DOMWindow::namedPropertyGetter):
+
 2011-09-29  Chris Fleizach  <[email protected]>
 
         ARIA live regions don't trigger notifications for elements that aren't in the AX tree
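Review bot: "indiciate" in the description should be "indicate". The entry would also be more useful to a reader of the history if it said what the old code did wrong: returning the `GetRealNamedProperty` result straight from the interceptor handed back a property found on the holder's own prototype chain and skipped V8's normal lookup, which the new test shows can be turned into reading a cross-origin document's `innerHTML`.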

Modified: trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (96340 => 96341)


--- trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	2011-09-29 17:46:14 UTC (rev 96340)
+++ trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp	2011-09-29 17:50:47 UTC (rev 96341)
@@ -510,9 +510,8 @@
         return toV8(child->domWindow());
 
     // Search IDL functions defined in the prototype
-    v8::Handle<v8::Value> result = info.Holder()->GetRealNamedProperty(name);
-    if (!result.IsEmpty())
-        return result;
+    if (!info.Holder()->GetRealNamedProperty(name).IsEmpty())
+        return notHandledByInterceptor();
 
     // Search named items in the document.
     Document* doc = frame->document();
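Review bot: the comment `// Search IDL functions defined in the prototype` above the changed lines is now misleading, since the branch no longer searches for and returns the function; it only detects that `name` is a real property on the holder and returns `notHandledByInterceptor()` so that V8's ordinary lookup, with its access checks, resolves it. Suggest rewording it along the lines of `// The name is a real property (e.g. an IDL function on the prototype); let V8's normal lookup handle it.` Keeping the check rather than deleting it is right, because the document named-item lookup that follows would otherwise shadow real properties.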
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
