diff options
| author | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-03-20 17:00:22 +0100 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 18:25:30 +0000 |
| commit | f99f4ed74de6b4928c017c7a40029d06ed65ee12 (patch) | |
| tree | 32f7acf0df23f21a8154cb20513dad57ec22a84f | |
| parent | 2b330f66bb27d347b20314851178f8146ab5eb27 (diff) | |
| download | qtwebengine-chromium-f99f4ed74de6b4928c017c7a40029d06ed65ee12.tar.gz | |
[Backport] Security bug 913212
Original patch by Tobias Tebbi <tebbi@chromium.org>:
[ic] do not expose global object
Bug: chromium:913212
Change-Id: I9173e33a539c89bb9e8ff5edeca16cb8a8d4529b
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/objects.cc | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/chromium/v8/src/objects.cc b/chromium/v8/src/objects.cc index ebbb95b59dd..3512524c307 100644 --- a/chromium/v8/src/objects.cc +++ b/chromium/v8/src/objects.cc @@ -977,9 +977,16 @@ MaybeHandle<Object> Object::GetProperty(LookupIterator* it) { UNREACHABLE(); case LookupIterator::JSPROXY: { bool was_found; + Handle<Object> receiver = it->GetReceiver(); + // In case of global IC, the receiver is the global object. Replace by + // the global proxy. + if (receiver->IsJSGlobalObject()) { + receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(), + it->isolate()); + } MaybeHandle<Object> result = JSProxy::GetProperty(it->isolate(), it->GetHolder<JSProxy>(), - it->GetName(), it->GetReceiver(), &was_found); + it->GetName(), receiver, &was_found); if (!was_found) it->NotFound(); return result; } @@ -4672,10 +4679,17 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it, return JSObject::SetPropertyWithFailedAccessCheck(it, value, should_throw); - case LookupIterator::JSPROXY: + case LookupIterator::JSPROXY: { + Handle<Object> receiver = it->GetReceiver(); + // In case of global IC, the receiver is the global object. Replace by + // the global proxy. + if (receiver->IsJSGlobalObject()) { + receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(), + it->isolate()); + } return JSProxy::SetProperty(it->GetHolder<JSProxy>(), it->GetName(), - value, it->GetReceiver(), language_mode); - + value, receiver, language_mode); + } case LookupIterator::INTERCEPTOR: { if (it->HolderIsReceiverOrHiddenPrototype()) { Maybe<bool> result = |