Title: [128651] trunk/Source/WebCore
- Revision
- 128651
- Author
- [email protected]
- Date
- 2012-09-14 14:09:46 -0700 (Fri, 14 Sep 2012)
Log Message
Prevent workers from calling back into other worlds
https://bugs.webkit.org/show_bug.cgi?id=96790
Patch by Dan Carney <[email protected]> on 2012-09-14
Reviewed by Adam Barth.
Added a few sanity checks to ensure callbacks are always using the correct world.
No new tests. No change in functionality.
* bindings/v8/V8DOMWrapper.cpp:
(WebCore::V8DOMWrapper::getEventListener):
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
* bindings/v8/WorldContextHandle.cpp:
(WebCore::WorldContextHandle::WorldContextHandle):
(WebCore::WorldContextHandle::adjustedContext):
* bindings/v8/WorldContextHandle.h:
Modified: trunk/Source/WebCore/ChangeLog (128650 => 128651)
--- trunk/Source/WebCore/ChangeLog 2012-09-14 21:00:20 UTC (rev 128650)
+++ trunk/Source/WebCore/ChangeLog 2012-09-14 21:09:46 UTC (rev 128651)
@@ -1,3 +1,23 @@
+2012-09-14 Dan Carney <[email protected]>
+
+ Prevent workers from calling back into other worlds
+ https://bugs.webkit.org/show_bug.cgi?id=96790
+
+ Reviewed by Adam Barth.
+
+ Added a few sanity checks to ensure callbacks are always using the correct world.
+
+ No new tests. No new change in functionality.
+
+ * bindings/v8/V8DOMWrapper.cpp:
+ (WebCore::V8DOMWrapper::getEventListener):
+ * bindings/v8/V8LazyEventListener.cpp:
+ (WebCore::V8LazyEventListener::prepareListenerObject):
+ * bindings/v8/WorldContextHandle.cpp:
+ (WebCore::WorldContextHandle::WorldContextHandle):
+ (WebCore::WorldContextHandle::adjustedContext):
+ * bindings/v8/WorldContextHandle.h:
+
2012-09-14 Dana Jansens <[email protected]>
Minimize collisions when hashing pairs
Modified: trunk/Source/WebCore/bindings/v8/V8DOMWrapper.cpp (128650 => 128651)
--- trunk/Source/WebCore/bindings/v8/V8DOMWrapper.cpp 2012-09-14 21:00:20 UTC (rev 128650)
+++ trunk/Source/WebCore/bindings/v8/V8DOMWrapper.cpp 2012-09-14 21:09:46 UTC (rev 128651)
@@ -201,8 +201,7 @@
return 0;
if (lookup == ListenerFindOnly)
return V8EventListenerList::findWrapper(value, isAttribute);
- v8::Handle<v8::Object> globalPrototype = v8::Handle<v8::Object>::Cast(context->Global()->GetPrototype());
- if (isWrapperOfType(globalPrototype, &V8DOMWindow::info))
+ if (isWrapperOfType(toInnerGlobalObject(context), &V8DOMWindow::info))
return V8EventListenerList::findOrCreateWrapper<V8EventListener>(value, isAttribute);
#if ENABLE(WORKERS)
return V8EventListenerList::findOrCreateWrapper<V8WorkerContextEventListener>(value, isAttribute);
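Review bot: The new `toInnerGlobalObject(context)` on the replaced line dereferences `context` with no emptiness check visible in the hunk; the `return 0;` at the top may be that guard, but its condition is outside the hunk, so please confirm an `IsEmpty()` test precedes it. The decision this line makes deserves a comment, because the inner global is what now tells a DOMWindow apart from a worker global; something like `// The inner global is the DOMWindow wrapper in the main and isolated worlds; anything else is presumably a worker context.` When `ENABLE(WORKERS)` is off the function continues past the hunk, so the non-window case is presumably handled below. getEventListener starts and ends outside the hunk.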
Modified: trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp (128650 => 128651)
--- trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp 2012-09-14 21:00:20 UTC (rev 128650)
+++ trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp 2012-09-14 21:09:46 UTC (rev 128651)
@@ -124,7 +124,7 @@
if (!frame->script()->canExecuteScripts(NotAboutToExecuteScript))
return;
// Use the outer scope to hold context.
- v8::Local<v8::Context> v8Context = worldContext().adjustedContext(frame->script());
+ v8::Local<v8::Context> v8Context = toV8Context(context, worldContext());
// Bail out if we cannot get the context.
if (v8Context.IsEmpty())
return;
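Review bot: The new `toV8Context(context, worldContext())` on the replaced line no longer resolves the context through `frame->script()`, but the `canExecuteScripts` check two lines above still does, so a caller with a null `frame` would fail there before reaching the new code; if a frameless (worker) caller is possible, the guard for it must live above the hunk — please confirm. A short comment would tell the next reader why the context is now taken from the execution context rather than the frame: `// Resolve the context from the execution context and the handle's world; see WorldContextHandle.` prepareListenerObject starts and ends outside the hunk.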
Modified: trunk/Source/WebCore/bindings/v8/WorldContextHandle.cpp (128650 => 128651)
--- trunk/Source/WebCore/bindings/v8/WorldContextHandle.cpp 2012-09-14 21:00:20 UTC (rev 128650)
+++ trunk/Source/WebCore/bindings/v8/WorldContextHandle.cpp 2012-09-14 21:09:46 UTC (rev 128651)
@@ -32,6 +32,8 @@
#include "WorldContextHandle.h"
#include "ScriptController.h"
+#include "V8Binding.h"
+#include "V8DOMWindow.h"
#include "V8DOMWindowShell.h"
namespace WebCore {
@@ -39,9 +41,22 @@
WorldContextHandle::WorldContextHandle(WorldToUse worldToUse)
: m_worldToUse(worldToUse)
{
- if (worldToUse == UseMainWorld)
+ if (worldToUse == UseMainWorld || worldToUse == UseWorkerWorld)
return;
+#if ENABLE(WORKERS)
+ // FIXME We are duplicating a lot of effort here checking the context for the worker and for the isolated world.
+ if (v8::Context::InContext()) {
+ v8::Handle<v8::Context> context = v8::Context::GetCurrent();
+ if (!context.IsEmpty()) {
+ if (UNLIKELY(!V8DOMWrapper::isWrapperOfType(toInnerGlobalObject(context), &V8DOMWindow::info))) {
+ m_worldToUse = UseWorkerWorld;
+ return;
+ }
+ }
+ }
+#endif
+
V8DOMWindowShell* shell = V8DOMWindowShell::getEntered();
if (LIKELY(!shell)) {
m_worldToUse = UseMainWorld;
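Review bot: `V8DOMWrapper::isWrapperOfType` is called on the new line inside `#if ENABLE(WORKERS)`, but the includes added in the previous hunk are `V8Binding.h` and `V8DOMWindow.h`; if `V8DOMWrapper.h` only arrives transitively, add `#include "V8DOMWrapper.h"` explicitly. The `!context.IsEmpty()` test is redundant once `v8::Context::InContext()` has returned true, so the two nested ifs can be collapsed into one and a level of nesting dropped. The worker detection keys off the current context while the isolated-world detection below keys off the entered shell; a comment saying why the two scopes differ here would answer the FIXME's concern for the next reader, e.g. `// A worker has no V8DOMWindowShell, so the current context's global is the only way to recognise it.` The only guard against a `UseWorkerWorld` handle reaching `adjustedContext` is the debug-only `ASSERT` added in the later hunk, so in release builds such a handle would presumably fall through to the non-main-world branch; that contract belongs in a comment on the constructor. The constructor body continues past the hunk.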
@@ -54,6 +69,7 @@
v8::Local<v8::Context> WorldContextHandle::adjustedContext(ScriptController* script) const
{
+ ASSERT(m_worldToUse != UseWorkerWorld);
if (m_worldToUse == UseMainWorld)
return script->mainWorldContext();
Modified: trunk/Source/WebCore/bindings/v8/WorldContextHandle.h (128650 => 128651)
--- trunk/Source/WebCore/bindings/v8/WorldContextHandle.h 2012-09-14 21:00:20 UTC (rev 128650)
+++ trunk/Source/WebCore/bindings/v8/WorldContextHandle.h 2012-09-14 21:09:46 UTC (rev 128651)
@@ -40,7 +40,7 @@
class ScriptController;
-enum WorldToUse { UseMainWorld, UseCurrentWorld };
+enum WorldToUse { UseMainWorld, UseCurrentWorld, UseWorkerWorld };
class WorldContextHandle {
public: