From 7810ff70f60a3d8209f822ce3badcfae6a3e1531 Mon Sep 17 00:00:00 2001 From: "ricow@chromium.org" Date: Mon, 26 Sep 2011 16:54:50 +0000 Subject: [PATCH] Make sure that we can't access hidden properties by installing accessors on Object.prototype. BUG:chromium:97784 TEST=cctest/test-api Review URL: http://codereview.chromium.org/8041020 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 --- src/objects.cc | 7 +++++++ test/cctest/test-api.cc | 28 ++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/src/objects.cc b/src/objects.cc index 46d5264c4..aa0b6f227 100644 --- a/src/objects.cc +++ b/src/objects.cc @@ -3310,6 +3310,13 @@ MaybeObject* JSObject::GetHiddenProperties(CreationFlag flag) { isolate->context()->global_context()->object_function()); if (!maybe_obj->ToObject(&hidden_obj)) return maybe_obj; } + // Don't allow leakage of the hidden object through accessors + // on Object.prototype. + { + MaybeObject* maybe_obj = + JSObject::cast(hidden_obj)->SetPrototype(heap->null_value(), false); + if (maybe_obj->IsFailure()) return maybe_obj; + } return obj->SetHiddenPropertiesObject(hidden_obj); } else { return heap->undefined_value(); diff --git a/test/cctest/test-api.cc b/test/cctest/test-api.cc index 17fd226ee..88b925f26 100644 --- a/test/cctest/test-api.cc +++ b/test/cctest/test-api.cc @@ -2007,6 +2007,34 @@ THREADED_TEST(HiddenProperties) { } +THREADED_TEST(Regress97784) { + // Regression test for crbug.com/97784 + // Messing with the Object.prototype should not have effect on + // hidden properties. + v8::HandleScope scope; + LocalContext env; + + v8::Local obj = v8::Object::New(); + v8::Local key = v8_str("hidden"); + + CompileRun( + "set_called = false;" + "Object.defineProperty(" + " Object.prototype," + " 'hidden'," + " {get: function() { return 45; }," + " set: function() { set_called = true; }})"); + + CHECK(obj->GetHiddenValue(key).IsEmpty()); + // Make sure that the getter and setter from Object.prototype is not invoked. + // If it did we would have full access to the hidden properties in + // the accessor. + CHECK(obj->SetHiddenValue(key, v8::Integer::New(42))); + ExpectFalse("set_called"); + CHECK_EQ(42, obj->GetHiddenValue(key)->Int32Value()); +} + + static bool interceptor_for_hidden_properties_called; static v8::Handle InterceptorForHiddenProperties( Local name, const AccessorInfo& info) { -- 2.34.1