Diff
Modified: trunk/LayoutTests/ChangeLog (129591 => 129592)
--- trunk/LayoutTests/ChangeLog 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/ChangeLog 2012-09-26 04:45:35 UTC (rev 129592)
@@ -1,3 +1,24 @@
+2012-09-25 Gavin Barraclough <[email protected]>
+
+ REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms
+ https://bugs.webkit.org/show_bug.cgi?id=97529
+
+ Reviewed by Filip Pizlo.
+
+ A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
+
+ * fast/js/eval-cross-window-expected.txt:
+ * fast/js/eval-cross-window.html:
+ - Changed not to expect EvalErrors (this matches other browsers), and modified testThis
+ to check that the this object is always set to the global object.
+ * http/tests/security/resources/xss-eval2.html:
+ * http/tests/security/resources/xss-eval3.html:
+ * http/tests/security/xss-eval-expected.txt:
+ * http/tests/security/xss-eval.html:
+ - Updated. Access via the global environment is not a security risk, since the eval is
+ accessing it's own document's informantion. Access via the shell attempts to access
+ the navigated pages document, tripping an access check & throwing a TypeError.
+
2012-09-25 Bear Travis <[email protected]>
[CSS Exclusions] shape-inside line segment layout should be based on line position and height
Modified: trunk/LayoutTests/fast/js/eval-cross-window-expected.txt (129591 => 129592)
--- trunk/LayoutTests/fast/js/eval-cross-window-expected.txt 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/fast/js/eval-cross-window-expected.txt 2012-09-26 04:45:35 UTC (rev 129592)
@@ -7,34 +7,34 @@
PASS: window.eval("x") should be 0 and is.
PASS: frames[0].eval("x") should be 1 and is.
-PASS: window.eval("x") should be EvalError and is.
-PASS: frames[0].eval("x") should be EvalError and is.
+PASS: window.eval("x") should be 1 and is.
+PASS: frames[0].eval("x") should be undefined and is.
----- Scope Chain for Getters: -----
PASS: window.eval("xx") should be ReferenceError and is.
PASS: frames[0].eval("xx") should be ReferenceError and is.
-PASS: window.eval("xx") should be EvalError and is.
-PASS: frames[0].eval("xx") should be EvalError and is.
+PASS: window.eval("xx") should be ReferenceError and is.
+PASS: frames[0].eval("xx") should be ReferenceError and is.
----- Variable Object: -----
PASS: window.eval("var y; "y" in top") should be true and is.
PASS: frames[0].eval("var y; "y" in top.frames[0]") should be true and is.
-PASS: window.eval("var y; "y" in top.frames[0]") should be EvalError and is.
-PASS: frames[0].eval("var y; "y" in top") should be EvalError and is.
+PASS: window.eval("var y; "y" in top.frames[0]") should be undefined and is.
+PASS: frames[0].eval("var y; "y" in top") should be undefined and is.
----- Scope Chain for Setters: -----
PASS: window.eval("z = 1; top.z") should be 1 and is.
PASS: frames[0].eval("z = 2; top.frames[0].z") should be 2 and is.
-PASS: window.eval("z = 3; top.frames[0].z") should be EvalError and is.
-PASS: frames[0].eval("z = 4; top.z") should be EvalError and is.
+PASS: window.eval("z = 3; top.frames[0].z") should be undefined and is.
+PASS: frames[0].eval("z = 4; top.z") should be undefined and is.
----- This Object: -----
PASS: window.eval("this") should be [object Window] and is.
PASS: frames[0].eval("this") should be [object Window] and is.
-PASS: window.eval("this") should be EvalError and is.
-PASS: frames[0].eval("this") should be EvalError and is.
+PASS: window.eval("this") should be undefined and is.
+PASS: frames[0].eval("this") should be undefined and is.
Modified: trunk/LayoutTests/fast/js/eval-cross-window.html (129591 => 129592)
--- trunk/LayoutTests/fast/js/eval-cross-window.html 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/fast/js/eval-cross-window.html 2012-09-26 04:45:35 UTC (rev 129592)
@@ -42,11 +42,11 @@
shouldBe('frames[0].eval("x")', frames[0].eval("x"), 1);
window.eval = frameEval;
- shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('window.eval("x")', (function() { try { return window.eval("x") } catch(e) { return e.name; } })(), 1);
window.eval = topEval;
frames[0].eval = topEval;
- shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('frames[0].eval("x")', (function() { try { frames[0].eval("x") } catch(e) { return e.name; } })(), undefined);
frames[0].eval = frameEval;
}
@@ -58,11 +58,11 @@
shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "ReferenceError");
window.eval = frameEval;
- shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('window.eval("xx")', (function() { try { return window.eval("xx") } catch(e) { return e.name; } })(), "ReferenceError");
window.eval = topEval;
frames[0].eval = topEval;
- shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('frames[0].eval("xx")', (function() { try { return frames[0].eval("xx") } catch(e) { return e.name; } })(), "ReferenceError");
frames[0].eval = frameEval;
}
@@ -77,13 +77,13 @@
delete frames[0].y;
window.eval = frameEval;
- shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('window.eval("var y; \"y\" in top.frames[0]")', (function() { try { window.eval("var y; \"y\" in top.frames[0]") } catch(e) { return e.name; } })(), undefined);
delete window.y;
delete frames[0].y;
window.eval = topEval;
frames[0].eval = topEval;
- shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('frames[0].eval("var y; \"y\" in top")', (function() { try { frames[0].eval("var y; \"y\" in top") } catch(e) { return e.name; } })(), undefined);
delete window.y;
delete frames[0].y;
frames[0].eval = frameEval;
@@ -99,25 +99,25 @@
shouldBe('frames[0].eval("z = 2; top.frames[0].z")', frames[0].eval("z = 2; top.frames[0].z"), 2);
window.eval = frameEval;
- shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('window.eval("z = 3; top.frames[0].z")', (function() { try { window.eval("z = 3; top.frames[0].z") } catch(e) { return e.name; } })(), undefined);
window.eval = topEval;
frames[0].eval = topEval;
- shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('frames[0].eval("z = 4; top.z")', (function() { try { frames[0].eval("z = 4; top.z") } catch(e) { return e.name; } })(), undefined);
frames[0].eval = frameEval;
}
function testThis()
{
- shouldBe('window.eval("this")', window.eval("this"), window);
- shouldBe('frames[0].eval("this")', frames[0].eval("this"), frames[0]);
+ shouldBe('window.eval("this")', window.eval.call("wrong", "this"), window);
+ shouldBe('frames[0].eval("this")', frames[0].eval.call("wrong", "this"), frames[0]);
window.eval = frameEval;
- shouldBe('window.eval("this")', (function() { try { window.eval("this"), frames[0] } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('window.eval("this")', (function() { try { window.eval.call("wrong", "this"), frames[0] } catch(e) { return e.name; } })(), undefined);
window.eval = topEval;
frames[0].eval = topEval;
- shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval("this"), window } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe('frames[0].eval("this")', (function() { try { frames[0].eval.call("wrong", "this"), window } catch(e) { return e.name; } })(), undefined);
frames[0].eval = frameEval;
}
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt (129591 => 129592)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call-expected.txt 2012-09-26 04:45:35 UTC (rev 129592)
@@ -85,6 +85,6 @@
PASS: window.resizeBy.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.resizeTo.call(targetWindow, 0, 0); should be 'undefined' and is.
PASS: window.showModalDialog.call(targetWindow); should be 'undefined' and is.
-PASS: window.eval.call(targetWindow, '1+2'); should be 'EvalError: The "this" value passed to eval must be the global object from which eval originated' and is.
+PASS: window.eval.call(targetWindow, '1+2'); should be '3' and is.
PASS: window.location.toString.call(targetWindow.location) should be 'undefined' and is.
Modified: trunk/LayoutTests/http/tests/security/cross-frame-access-call.html (129591 => 129592)
--- trunk/LayoutTests/http/tests/security/cross-frame-access-call.html 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/http/tests/security/cross-frame-access-call.html 2012-09-26 04:45:35 UTC (rev 129592)
@@ -57,7 +57,7 @@
shouldBe("window.showModalDialog.call(targetWindow);", "undefined");
// Throws an EvalError and logs to the error console
- shouldBe("window.eval.call(targetWindow, '1+2');", '"EvalError: The \\"this\\" value passed to eval must be the global object from which eval originated"');
+ shouldBe("window.eval.call(targetWindow, '1+2');", '3');
// - Tests for the Location object -
// undefined value indicates failure
Modified: trunk/LayoutTests/http/tests/security/resources/xss-eval2.html (129591 => 129592)
--- trunk/LayoutTests/http/tests/security/resources/xss-eval2.html 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/http/tests/security/resources/xss-eval2.html 2012-09-26 04:45:35 UTC (rev 129592)
@@ -1,4 +1,6 @@
<script>
+document.testExpando = "It's me too!";
+
parent.childEval = eval;
parent.childEvalCaller = function(s) {
Modified: trunk/LayoutTests/http/tests/security/resources/xss-eval3.html (129591 => 129592)
--- trunk/LayoutTests/http/tests/security/resources/xss-eval3.html 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/http/tests/security/resources/xss-eval3.html 2012-09-26 04:45:35 UTC (rev 129592)
@@ -1,3 +1,5 @@
<script>
+document.testExpando = "It's me three!";
+
parent.postMessage("done", "*");
</script>
Modified: trunk/LayoutTests/http/tests/security/xss-eval-expected.txt (129591 => 129592)
--- trunk/LayoutTests/http/tests/security/xss-eval-expected.txt 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/http/tests/security/xss-eval-expected.txt 2012-09-26 04:45:35 UTC (rev 129592)
@@ -4,8 +4,8 @@
If the test passes, you'll see a pass message below.
-PASS: eval.call(frames[0], 'document') should be EvalError and is.
-PASS: childEval.call(frames[0], 'document') should be EvalError and is.
-PASS: childEvalCaller('document') should be TypeError and is.
-PASS: childLocalEvalCaller('document') should be EvalError and is.
+PASS: eval.call(frames[0], 'document').testExpando should be It's me! and is.
+PASS: childEval.call(frames[0], 'document').testExpando should be It's me too! and is.
+PASS: childEvalCaller('document').testExpando should be TypeError and is.
+PASS: childLocalEvalCaller('document').testExpando should be It's me too! and is.
Modified: trunk/LayoutTests/http/tests/security/xss-eval.html (129591 => 129592)
--- trunk/LayoutTests/http/tests/security/xss-eval.html 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/LayoutTests/http/tests/security/xss-eval.html 2012-09-26 04:45:35 UTC (rev 129592)
@@ -29,22 +29,25 @@
addEventListener("message", function()
{
- (function() {
- try {
- var doc = eval.call(frames[0], 'document');
- // V8 execute the eval our scope, which is safe.
- shouldBe("documentFromEval", doc.testExpando, "It's me!")
- } catch(e) {
- // JSC throws an exception, which is also safe.
- shouldBe("eval.call(frames[0], 'document')", e.name, "EvalError");
- }
- })();
+ shouldBe("eval.call(frames[0], 'document').testExpando",
+ (function() { try {
+ return eval.call(frames[0], 'document').testExpando;
+ } catch(e) { return e.name; } })(), "It's me!")
- shouldBe("childEval.call(frames[0], 'document')", (function() { try { return childEval.call(frames[0], 'document'); } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe("childEval.call(frames[0], 'document').testExpando",
+ (function() { try {
+ return childEval.call(frames[0], 'document').testExpando;
+ } catch(e) { return e.name; } })(), "It's me too!");
- shouldBe("childEvalCaller('document')", (function() { try { return childEvalCaller('document'); } catch(e) { return e.name; } })(), "TypeError");
+ shouldBe("childEvalCaller('document').testExpando",
+ (function() { try {
+ return childEvalCaller('document').testExpando;
+ } catch(e) { return e.name; } })(), "TypeError");
- shouldBe("childLocalEvalCaller('document')", (function() { try { return childLocalEvalCaller('document'); } catch(e) { return e.name; } })(), "EvalError");
+ shouldBe("childLocalEvalCaller('document').testExpando",
+ (function() { try {
+ return childLocalEvalCaller('document').testExpando;
+ } catch(e) { return e.name; } })(), "It's me too!");
if (window.testRunner)
testRunner.notifyDone();
Modified: trunk/Source/_javascript_Core/ChangeLog (129591 => 129592)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-26 04:45:35 UTC (rev 129592)
@@ -1,3 +1,20 @@
+2012-09-25 Gavin Barraclough <[email protected]>
+
+ REGRESSION (r129456): http/tests/security/xss-eval.html is failing on JSC platforms
+ https://bugs.webkit.org/show_bug.cgi?id=97529
+
+ Reviewed by Filip Pizlo.
+
+ A recent patch changed JSC's EvalError behaviour; bring this more into line with other browsers.
+
+ JSC currently throws an EvalError if you try to call eval with a this object that doesn't
+ match the given eval function. This does not match other browsers, which generally just
+ ignore the this value that was passed, and eval the string in the eval function's environment.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncEval):
+ - Remove EvalError, ignore passed this value.
+
2012-09-25 Filip Pizlo <[email protected]>
DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp (129591 => 129592)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2012-09-26 04:03:16 UTC (rev 129591)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2012-09-26 04:45:35 UTC (rev 129592)
@@ -497,11 +497,6 @@
EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState* exec)
{
- JSObject* thisObject = exec->hostThisValue().toThisObject(exec);
- JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
- if (thisObject != exec->callee()->globalObject()->globalThis())
- return throwVMError(exec, createEvalError(exec, ASCIILiteral("The \"this\" value passed to eval must be the global object from which eval originated")));
-
JSValue x = exec->argument(0);
if (!x.isString())
return JSValue::encode(x);
@@ -518,12 +513,13 @@
return JSValue::encode(parsedObject);
}
+ JSGlobalObject* calleeGlobalObject = exec->callee()->globalObject();
EvalExecutable* eval = EvalExecutable::create(exec, makeSource(s), false);
JSObject* error = eval->compile(exec, calleeGlobalObject);
if (error)
return throwVMError(exec, error);
- return JSValue::encode(exec->interpreter()->execute(eval, exec, thisObject, calleeGlobalObject));
+ return JSValue::encode(exec->interpreter()->execute(eval, exec, calleeGlobalObject->globalThis(), calleeGlobalObject));
}
EncodedJSValue JSC_HOST_CALL globalFuncParseInt(ExecState* exec)
