From f3488658948f360881479fa1da5e643d6719c71d Mon Sep 17 00:00:00 2001
From: "ulan@chromium.org"
 <ulan@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Date: Wed, 23 Apr 2014 12:28:50 +0000
Subject: [PATCH] Harden DefineOrRedefineDataProperty.

R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/240973002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20908 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/runtime.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/runtime.cc b/src/runtime.cc
index c508b4a..b98ba40 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -5193,6 +5193,7 @@ RUNTIME_FUNCTION(Runtime_DefineOrRedefineAccessorProperty) {
   PropertyAttributes attr = static_cast<PropertyAttributes>(unchecked);
 
   bool fast = obj->HasFastProperties();
+  // DefineAccessor checks access rights.
   JSObject::DefineAccessor(obj, name, getter, setter, attr);
   RETURN_FAILURE_IF_SCHEDULED_EXCEPTION(isolate);
   if (fast) JSObject::TransformToFastProperties(obj, 0);
@@ -5216,6 +5217,12 @@ RUNTIME_FUNCTION(Runtime_DefineOrRedefineDataProperty) {
   RUNTIME_ASSERT((unchecked & ~(READ_ONLY | DONT_ENUM | DONT_DELETE)) == 0);
   PropertyAttributes attr = static_cast<PropertyAttributes>(unchecked);
 
+  // Check access rights if needed.
+  if (js_object->IsAccessCheckNeeded() &&
+      !isolate->MayNamedAccess(js_object, name, v8::ACCESS_SET)) {
+    return isolate->heap()->undefined_value();
+  }
+
   LookupResult lookup(isolate);
   js_object->LocalLookupRealNamedProperty(*name, &lookup);
 
-- 
2.7.4