https://bugs.webkit.org/show_bug.cgi?id=68221
Reviewed by Eric Seidel.
Source/WebCore:
The __proto__ property is super magical because it's not a real named
property and it has higher precedence than even interceptors. This
confuses this check, which is meant to detect which names will get
handled by our interceptor.
Test: http/tests/security/window-named-proto.html
* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::V8DOMWindow::namedSecurityCheck):
LayoutTests:
* http/tests/security/resources/innocent-victim-with-iframe.html: Added.
* http/tests/security/window-named-proto-expected.txt: Added.
* http/tests/security/window-named-proto.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95488 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2011-09-19 Adam Barth <abarth@webkit.org>
+
+ Named property confusion with __proto__
+ https://bugs.webkit.org/show_bug.cgi?id=68221
+
+ Reviewed by Eric Seidel.
+
+ * http/tests/security/resources/innocent-victim-with-iframe.html: Added.
+ * http/tests/security/window-named-proto-expected.txt: Added.
+ * http/tests/security/window-named-proto.html: Added.
+
2011-09-19 John Bauman <jbauman@chromium.org>
Fix nonpremultiplied webgl toDataURL to jpeg
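Review bot: the LayoutTests ChangeLog entry lists the three added files but says nothing about what the new test checks; since window-named-proto.html is a security regression test, a one-line description such as "Tests that a cross-origin frame named __proto__ cannot be reached through parent.__proto__" after the bug URL would help anyone reading the log later.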
--- /dev/null
+<html>
+<body>
+This page doesn't do anything special except have an iframe:<br>
+<iframe src="about:blank"></iframe>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim-with-iframe.html from frame with URL data:text/html,<script>(function () { setTimeout(function() { if (window.layoutTestController) layoutTestController.notifyDone(); }, 0); window.name = "__proto__"; parent.__proto__.alert.constructor("alert(document.body.innerHTML)")(); })()</script>. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Uncaught TypeError: Cannot read property 'alert' of undefined
+
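Review bot: the expected output bakes the complete data: URL of the inner frame, including its script source, into the first console message, so any edit to the inline function in window-named-proto.html will require regenerating this file; acceptable for a console-dump test, but worth a note in the test. The second message, "Uncaught TypeError: Cannot read property 'alert' of undefined", is what actually demonstrates the fix: the access to parent.__proto__ is refused (first message) and yields undefined instead of the cross-origin child window.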
--- /dev/null
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+window.onload = function()
+{
+ frame = document.body.appendChild(document.createElement("iframe"));
+ frame.src = "http://localhost:8080/security/resources/innocent-victim-with-iframe.html";
+ frame.onload = function() {
+ frame.onload = null;
+
+ frame.contentWindow[0].location = "data:text/html,<script>(" + function() {
+
+ setTimeout(function() {
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ }, 0);
+
+ window.name = "__proto__";
+ parent.__proto__.alert.constructor("alert(document.body.innerHTML)")();
+ } + ")()</scr" + "ipt>";
+ }
+}
+</script>
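Review bot: `frame` is assigned without a declaration in `frame = document.body.appendChild(document.createElement("iframe"));`, which leaks a global; declare it with `var frame`. The test also completes only through the inner frame's `setTimeout(... notifyDone ...)` call, so a failure to load the data: URL would show up as a timeout rather than a diff; that is the usual pattern here, but a short comment explaining that `window.name = "__proto__"` is what makes the victim's named-frame lookup for "__proto__" resolve to this frame would make the intent of the test clearer to the next reader.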
2011-09-19 Adam Barth <abarth@webkit.org>
+ Named property confusion with __proto__
+ https://bugs.webkit.org/show_bug.cgi?id=68221
+
+ Reviewed by Eric Seidel.
+
+ The __proto__ property is super magical because it's not a real named
+ property and it has higher precedence than even interceptors. This
+ confuses this check, which is meant to detech which names will get
+ handled by our interceptor.
+
+ Test: http/tests/security/window-named-proto.html
+
+ * bindings/v8/custom/V8DOMWindowCustom.cpp:
+ (WebCore::V8DOMWindow::namedSecurityCheck):
+
+2011-09-19 Adam Barth <abarth@webkit.org>
+
Rename ENABLE(OPENTYPE_SANITIZER) to USE(OPENTYPE_SANITIZER)
https://bugs.webkit.org/show_bug.cgi?id=68292
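Review bot: typo in the Source/WebCore ChangeLog entry, "detech" should be "detect" in "which is meant to detech which names will get handled by our interceptor"; the same sentence appears in the commit message.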
return false;
if (key->IsString()) {
+ DEFINE_STATIC_LOCAL(AtomicString, nameOfProtoProperty, ("__proto__"));
+
String name = toWebCoreString(key);
// Notice that we can't call HasRealNamedProperty for ACCESS_HAS
// because that would generate infinite recursion.
if (type == v8::ACCESS_HAS && target->tree()->child(name))
return true;
- if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()))
+ // We need to explicitly compare against nameOfProtoProperty because
+ // V8's JSObject::LocalLookup finds __proto__ before
+ // interceptors and even when __proto__ isn't a "real named property".
+ if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()) && name != nameOfProtoProperty)
return true;
}
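Review bot: the `name != nameOfProtoProperty` guard is added only to the ACCESS_GET branch; the ACCESS_HAS branch two lines above it (`if (type == v8::ACCESS_HAS && target->tree()->child(name)) return true;`) still returns true whenever a child frame is named "__proto__". If that branch cannot be confused the same way (for example because a HAS lookup for __proto__ never reaches the interceptor), a sentence saying so next to the existing "we can't call HasRealNamedProperty for ACCESS_HAS" comment would document it; otherwise the same comparison should be applied there so both access types treat the name consistently.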