author | Kentaro Hara <haraken@chromium.org> | 2016-12-14 10:44:11 +0900 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-04-20 07:38:51 +0000 |
commit | de52fee9893b2e357e79585d3087710b934f282a (patch) | |
tree | 8b62e614e89e0d4559e91b1cae3984a6ed2dba26 | |
parent | f1da809abe8e3fdf61a572ded04c04f6b10c990d (diff) |
[Backport] CVE-2017-5008
Don't touch the prototype chain to get the private script controller.
Prior to this patch, private scripts attempted to get the
"privateScriptController" property off the global object without verifying if
the property actually exists on the global. If the property hasn't been set yet,
this operation could descend into the prototype chain and potentially return
a named property from the WindowProperties object, leading to release asserts
and general confusion.
BUG=668552
Review-Url: https://codereview.chromium.org/2529163002
Cr-Commit-Position: refs/heads/master@{#434627}
(cherry picked from commit c093b7a74ddce32dd3b0e0be60f31becc6ce32f9)
Change-Id: I8818028270f6b1f5265a6a9bfd5320716adcfec0
Review-Url: https://codereview.chromium.org/2574523004 .
Cr-Commit-Position: refs/branch-heads/2924@{#485}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp | 10 | ||||
-rw-r--r-- | chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.js | 2 |
2 files changed, 8 insertions, 4 deletions
diff --git a/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp b/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
index cee73f1ed38..41b43b7972a 100644
--- a/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
+++ b/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.cpp
@@ -16,6 +16,7 @@
 #include "core/dom/Document.h"
 #include "core/dom/ExceptionCode.h"
 #include "platform/PlatformResourceLoader.h"
+#include "base/logging.h"
 namespace blink {
@@ -53,9 +54,12 @@ static v8::Local<v8::Value> compileAndRunPrivateScript(ScriptState* scriptState,
 v8::Local<v8::Context> context = scriptState->context();
 v8::Local<v8::Object> global = context->Global();
- v8::Local<v8::Value> privateScriptController = global->Get(context, v8String(isolate, "privateScriptController")).ToLocalChecked();
- RELEASE_ASSERT(privateScriptController->IsUndefined() || privateScriptController->IsObject());
- if (privateScriptController->IsObject()) {
+ v8::Local<v8::String> key = v8String(isolate, "privateScriptController");
+
+ if (global->HasOwnProperty(context, key).FromJust()) {
+ v8::Local<v8::Value> privateScriptController =
+ global->Get(context, key).ToLocalChecked();
+ CHECK(privateScriptController->IsObject());
 v8::Local<v8::Object> privateScriptControllerObject = privateScriptController.As<v8::Object>();
 v8::Local<v8::Value> importFunctionValue = privateScriptControllerObject->Get(context, v8String(isolate, "import")).ToLocalChecked();
 if (importFunctionValue->IsUndefined()) {
diff --git a/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.js b/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.js
index 9dc27f0d7df..6010df9963b 100644
--- a/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.js
+++ b/chromium/third_party/WebKit/Source/bindings/core/v8/PrivateScriptRunner.js
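Review bot: The reason for switching to an own-property check is not stated in the code, so the `HasOwnProperty` line in compileAndRunPrivateScript deserves a comment such as `// Only an own property counts: a lookup that walks the prototype chain can return a named property of WindowProperties instead of the controller (see bug 668552).` Separately, `FromJust()` terminates the process when the property query itself fails with a pending exception; `global->HasOwnProperty(context, key).FromMaybe(false)` would treat a failed query as "controller not installed", the same tolerance the removed `IsUndefined()` branch had, though whether a throwing query is reachable on this global is not visible in the hunk. The body of compileAndRunPrivateScript continues past the end of the hunk.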
@@ -136,7 +136,7 @@ PrivateScriptController.prototype = {
 },
 }
-if (typeof window.privateScriptController === 'undefined')
+if (!window.hasOwnProperty("privateScriptController"))
 window.privateScriptController = new PrivateScriptController();
 // This line must be the last statement of this JS file.
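Review bot: `window.hasOwnProperty(...)` on the new `if` line is itself found by a property lookup on the window that walks the same prototype chain the C++ side of this change stops consulting, so the guard depends on what that lookup yields; `if (!Object.prototype.hasOwnProperty.call(window, "privateScriptController"))` makes the test independent of how `hasOwnProperty` resolves on the global. The guarded assignment that follows is unchanged. The `PrivateScriptController.prototype` object literal this hunk closes begins outside the hunk.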