author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-05-12 14:06:33 +0200 |
---|---|---|
committer | Alexandru Croitor <alexandru.croitor@qt.io> | 2017-07-11 13:23:36 +0000 |
commit | ac5d2f8fc69db3a37baae870815350836080d7e0 (patch) | |
tree | 36960aa8a5337879d1476f3b11401f3dc2cebbab | |
parent | 19ed073bf7e0426356709786cca56ec464faf6b6 (diff) |
[Backport] Fix for CVE-2017-5062
Fix for WebViewImpl exposure through bind().
This patch converts all uses of bind() in the GuestView JavaScript
objects to use $Function.bind() instead. This will prevent WebViewImpl (and other objects) from being exposed via overriding bind().
BUG=702896
Review-Url: https://codereview.chromium.org/2781713002
Cr-Commit-Position: refs/heads/master@{#459903}
(cherry picked from commit eddd286de56b219308a2475ad6d2e8fd525aed63)
Change-Id: I864e52beea00a05a4267f3a9c722a885ecdaf5e8
Review-Url: https://codereview.chromium.org/2794623002 .
Cr-Commit-Position: refs/branch-heads/3029@{#516}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/chrome/renderer/resources/extensions/web_view/chrome_web_view.js | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/chromium/chrome/renderer/resources/extensions/web_view/chrome_web_view.js b/chromium/chrome/renderer/resources/extensions/web_view/chrome_web_view.js index 2d8c445d994..8b050ff0c7e 100644 --- a/chromium/chrome/renderer/resources/extensions/web_view/chrome_web_view.js +++ b/chromium/chrome/renderer/resources/extensions/web_view/chrome_web_view.js @@ -47,10 +47,10 @@ function ContextMenusOnClickedEvent(webViewInstanceId, if (!view) { return; } - view.events.addScopedListener(ContextMenusEvent, function() { + view.events.addScopedListener(ContextMenusEvent, $Function.bind(function() { // Re-dispatch to subEvent's listeners. $Function.apply(this.dispatch, this, $Array.slice(arguments)); - }.bind(this), {instanceId: webViewInstanceId}); + }, this), {instanceId: webViewInstanceId}); } ContextMenusOnClickedEvent.prototype.__proto__ = EventBindings.Event.prototype; @@ -70,7 +70,8 @@ function ContextMenusOnContextMenuEvent(webViewInstanceId, if (!view) { return; } - view.events.addScopedListener(ContextMenusHandlerEvent, function(e) { + view.events.addScopedListener( + ContextMenusHandlerEvent, $Function.bind(function(e) { var defaultPrevented = false; var event = { 'preventDefault': function() { defaultPrevented = true; } @@ -88,7 +89,7 @@ function ContextMenusOnContextMenuEvent(webViewInstanceId, GetViewFromID(webViewInstanceId).guest.getId(); ChromeWebView.showContextMenu(guestInstanceId, e.requestId, items); } - }.bind(this), {instanceId: webViewInstanceId}); + }, this), {instanceId: webViewInstanceId}); } ContextMenusOnContextMenuEvent.prototype.__proto__ = @@ -138,7 +139,7 @@ WebViewImpl.prototype.maybeSetupContextMenus = function() { this.viewInstanceId, eventName, eventSchema, eventOptions); } - var createContextMenus = function() { + var createContextMenus = $Function.bind(function() { return this.weakWrapper(function() { if (this.contextMenus_) { return this.contextMenus_; 
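Review bot: Nothing at the two `addScopedListener` call sites records why `$Function.bind(fn, this)` is used instead of `fn.bind(this)`, so a later cleanup could quietly restore the method call that script in the same context can override. I would add a one-line comment above the first call, e.g. `// Use $Function.bind, not .bind(): an overridden Function.prototype.bind would be handed |this|.`; the same applies to the `createContextMenus` and `getOnClickedEvent` bindings in the later hunks. The diffstat lists only this file while the description speaks of all GuestView JavaScript objects, so it is worth confirming that no `.bind(` call remains in the other guest-view resources on this branch. Both constructor bodies start outside their hunks.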
@@ -147,7 +148,7 @@ WebViewImpl.prototype.maybeSetupContextMenus = function() { this.contextMenus_ = new WebViewContextMenus(this.viewInstanceId); // Define 'onClicked' event property on |this.contextMenus_|. - var getOnClickedEvent = function() { + var getOnClickedEvent = $Function.bind(function() { return this.weakWrapper(function() { if (!this.contextMenusOnClickedEvent_) { var eventName = 'chromeWebViewInternal.onClicked'; @@ -161,7 +162,7 @@ WebViewImpl.prototype.maybeSetupContextMenus = function() { } return this.contextMenusOnClickedEvent_; }); - }.bind(this); + }, this); $Object.defineProperty( this.contextMenus_, 'onClicked', @@ -177,7 +178,7 @@ WebViewImpl.prototype.maybeSetupContextMenus = function() { }); return this.contextMenus_; }); - }.bind(this); + }, this); // Expose <webview>.contextMenus object. // TODO(lazyboy): Add documentation for contextMenus: |
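Review bot: The callbacks passed to `this.weakWrapper(function() { ... })` inside `createContextMenus` and `getOnClickedEvent` still receive their `this` from `weakWrapper`, whose body is not part of this diff. If that helper binds or invokes the callback through `Function.prototype` methods rather than `$Function.bind` / `$Function.apply`, the exposure this commit closes would presumably remain on that path, so the helper should be checked alongside this change. `maybeSetupContextMenus` begins before the hunk at -138 and continues past the last hunk.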