diff options
| author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-15 11:50:00 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-16 12:24:04 +0000 |
| commit | 691467ccbb87ccd558467e384f280aed122a85e2 (patch) | |
| tree | c5e2b70b27f3ae49747a574660e099e3a388e61f | |
| parent | 8635cf233cdf15409fcce7a66f0bc4670d07cd5f (diff) | |
| download | qtwebengine-chromium-691467ccbb87ccd558467e384f280aed122a85e2.tar.gz | |
[Backport] CVE-2019-13673
[inspector] Generate custom previews in the objects creation context.
Generating custom previews can invoke user specified JavaScript (via the
`window.devtoolsFormatters` custom formatters feature). These custom
formatters were previously invoked in the main page context, even for
objects coming from other `<iframe>`s. Instead of using the main
renderer context, we should instead generate the custom preview in the
creation context of the object.
Bug: chromium:997925
Change-Id: Ia07915cff6680153b6727e68117ed565e60bc1c2
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63476}
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
| -rw-r--r-- | chromium/v8/src/inspector/custom-preview.cc | 2 | ||||
| -rw-r--r-- | chromium/v8/src/inspector/custom-preview.h | 6 | ||||
| -rw-r--r-- | chromium/v8/src/inspector/injected-script.cc | 2 |
3 files changed, 5 insertions, 5 deletions
diff --git a/chromium/v8/src/inspector/custom-preview.cc b/chromium/v8/src/inspector/custom-preview.cc index 63d1d74ab81..974ab3382ad 100644 --- a/chromium/v8/src/inspector/custom-preview.cc +++ b/chromium/v8/src/inspector/custom-preview.cc @@ -242,10 +242,10 @@ void bodyCallback(const v8::FunctionCallbackInfo<v8::Value>& info) { } // anonymous namespace void generateCustomPreview(int sessionId, const String16& groupName, - v8::Local<v8::Context> context, v8::Local<v8::Object> object, v8::MaybeLocal<v8::Value> maybeConfig, int maxDepth, std::unique_ptr<CustomPreview>* preview) { + v8::Local<v8::Context> context = object->CreationContext(); v8::Isolate* isolate = context->GetIsolate(); v8::MicrotasksScope microtasksScope(isolate, v8::MicrotasksScope::kDoNotRunMicrotasks); diff --git a/chromium/v8/src/inspector/custom-preview.h b/chromium/v8/src/inspector/custom-preview.h index 1ae8e25a4c7..1e8c74a154c 100644 --- a/chromium/v8/src/inspector/custom-preview.h +++ b/chromium/v8/src/inspector/custom-preview.h @@ -13,9 +13,9 @@ namespace v8_inspector { const int kMaxCustomPreviewDepth = 20; void generateCustomPreview( - int sessionId, const String16& groupName, v8::Local<v8::Context> context, - v8::Local<v8::Object> object, v8::MaybeLocal<v8::Value> config, - int maxDepth, std::unique_ptr<protocol::Runtime::CustomPreview>* preview); + int sessionId, const String16& groupName, v8::Local<v8::Object> object, + v8::MaybeLocal<v8::Value> config, int maxDepth, + std::unique_ptr<protocol::Runtime::CustomPreview>* preview); } // namespace v8_inspector diff --git a/chromium/v8/src/inspector/injected-script.cc b/chromium/v8/src/inspector/injected-script.cc index f1eb4fecf30..e728f6b97d3 100644 --- a/chromium/v8/src/inspector/injected-script.cc +++ b/chromium/v8/src/inspector/injected-script.cc @@ -430,7 +430,7 @@ Response InjectedScript::wrapObjectMirror( if (!response.isSuccess()) return response; if (customPreviewEnabled && value->IsObject()) { std::unique_ptr<protocol::Runtime::CustomPreview> customPreview; - generateCustomPreview(sessionId, groupName, context, value.As<v8::Object>(), + generateCustomPreview(sessionId, groupName, value.As<v8::Object>(), customPreviewConfig, maxCustomPreviewDepth, &customPreview); if (customPreview) (*result)->setCustomPreview(std::move(customPreview)); |