diff options
| author | Simon Zünd <szuend@chromium.org> | 2023-01-11 05:55:14 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2023-03-24 10:08:01 +0000 |
| commit | 39ed1862f1a4d09daf4bc9a35c553b5c6612d20f (patch) | |
| tree | a3c76dc8811c3587e254eb66dbedfd02b88dca8b | |
| parent | 2e876df5a053bcde7219f0c2bd6a65db728663a5 (diff) | |
| download | qtwebengine-chromium-39ed1862f1a4d09daf4bc9a35c553b5c6612d20f.tar.gz | |
[Backport] CVE-2023-1235: Type Confusion in DevTools
Cherry-pick of commit originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4150308:
Ensure that invoked method is an actual v8::Function
CallMethodOnFrame invokes a function part of an object which in turn
is installed on globalThis. E.g. globalThis['foo'].bar();
CallMethodOnFrame already bails out if 'foo' or 'bar' can't be found,
but we should also bail out if 'bar' is not an actual function.
Fixed: 1404704
Change-Id: I67c0883a53b358176898bd04fad3c45cf98721ed
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4150308
Reviewed-by: David Bokan <bokan@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1091189}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468226
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rw-r--r-- | chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc b/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc index 47b86ec9111..b40e145b028 100644 --- a/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc +++ b/chromium/third_party/blink/renderer/core/frame/local_frame_mojo_handler.cc @@ -206,9 +206,11 @@ v8::MaybeLocal<v8::Value> CallMethodOnFrame(LocalFrame* local_frame, v8::Local<v8::Value> object; v8::Local<v8::Value> method; if (!GetProperty(context, context->Global(), object_name).ToLocal(&object) || - !GetProperty(context, object, method_name).ToLocal(&method)) { + !GetProperty(context, object, method_name).ToLocal(&method) || + !method->IsFunction()) { return v8::MaybeLocal<v8::Value>(); } + CHECK(method->IsFunction()); return local_frame->DomWindow() ->GetScriptController() |