projects / platform / upstream / v8.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b881d87)
Harden DefineOrRedefineDataProperty.
authorulan@chromium.org <ulan@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Wed, 23 Apr 2014 12:28:50 +0000 (12:28 +0000)
committerulan@chromium.org <ulan@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Wed, 23 Apr 2014 12:28:50 +0000 (12:28 +0000)
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/240973002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20908 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

src/runtime.cc patch | blob | history

diff --git a/src/runtime.cc b/src/runtime.cc
index c508b4a..b98ba40 100644 (file)
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -5193,6 +5193,7 @@ RUNTIME_FUNCTION(Runtime_DefineOrRedefineAccessorProperty) {
   PropertyAttributes attr = static_cast<PropertyAttributes>(unchecked);
 
   bool fast = obj->HasFastProperties();
+  // DefineAccessor checks access rights.
   JSObject::DefineAccessor(obj, name, getter, setter, attr);
   RETURN_FAILURE_IF_SCHEDULED_EXCEPTION(isolate);
   if (fast) JSObject::TransformToFastProperties(obj, 0);
@@ -5216,6 +5217,12 @@ RUNTIME_FUNCTION(Runtime_DefineOrRedefineDataProperty) {
   RUNTIME_ASSERT((unchecked & ~(READ_ONLY | DONT_ENUM | DONT_DELETE)) == 0);
   PropertyAttributes attr = static_cast<PropertyAttributes>(unchecked);
 
+  // Check access rights if needed.
+  if (js_object->IsAccessCheckNeeded() &&
+      !isolate->MayNamedAccess(js_object, name, v8::ACCESS_SET)) {
+    return isolate->heap()->undefined_value();
+  }
+
   LookupResult lookup(isolate);
   js_object->LocalLookupRealNamedProperty(*name, &lookup);
 
Domain: Web Framework / Web Engine;