author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-15 11:39:30 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2019-10-16 12:23:57 +0000 |
commit | 8635cf233cdf15409fcce7a66f0bc4670d07cd5f (patch) | |
tree | beae1f9785bb131d956664986c9aef75922c35d5 | |
parent | 1f64c1f27840316f9f525d9b74a9ac9a22da841d (diff) | |
download | qtwebengine-chromium-8635cf233cdf15409fcce7a66f0bc4670d07cd5f.tar.gz |
[Backport] CVE-2019-13668
Calls to {console} require an access check for the provided arguments
This CL adds an access check for the arguments to all calls to
{console} like {console.log}. This is needed since the DevTools
protocol notification event does not contain the context in which
the {console.log} call occurred, only the context of the argument.
When DevTools then reads properties for the preview of the argument,
it uses the argument's context instead of the calling context, potentially
leaking objects/exceptions into the calling context.
Bug: chromium:987502, chromium:986393
Change-Id: I6f7682f7bee94a28ac61994bad259bd003511c39
Commit-Queue: Simon Zünd <szuend@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63122}
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/v8/src/builtins/builtins-console.cc | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/chromium/v8/src/builtins/builtins-console.cc b/chromium/v8/src/builtins/builtins-console.cc index 6b7db301d68..a7a213b4b27 100644 --- a/chromium/v8/src/builtins/builtins-console.cc +++ b/chromium/v8/src/builtins/builtins-console.cc @@ -46,6 +46,22 @@ void ConsoleCall( CHECK(!isolate->has_scheduled_exception()); if (!isolate->console_delegate()) return; HandleScope scope(isolate); + + // Access check. The current context has to match the context of all + // arguments, otherwise the inspector might leak objects across contexts. + Handle<Context> context = handle(isolate->context(), isolate); + for (int i = 0; i < args.length(); ++i) { + Handle<Object> argument = args.at<Object>(i); + if (!argument->IsJSObject()) continue; + + Handle<JSObject> argument_obj = Handle<JSObject>::cast(argument); + if (argument->IsAccessCheckNeeded(isolate) && + !isolate->MayAccess(context, argument_obj)) { + isolate->ReportFailedAccessCheck(argument_obj); + return; + } + } + debug::ConsoleCallArguments wrapper(args); Handle<Object> context_id_obj = JSObject::GetDataProperty( args.target(), isolate->factory()->console_context_id_symbol()); |
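Review bot: the early `return` after `isolate->ReportFailedAccessCheck(argument_obj)` leaves a scheduled exception pending for the caller to raise, and nothing in this hunk shows who propagates it; given the `CHECK(!isolate->has_scheduled_exception())` precondition at the top of `ConsoleCall`, a one-line comment at that return site stating that the builtin wrapper calling `ConsoleCall` is expected to check `has_scheduled_exception()` afterwards would make the contract explicit. A second point on the loop: it checks only the direct arguments (`args.at<Object>(i)`), not objects reachable from them, so it is worth confirming that the inspector's argument preview does not read nested cross-context properties without an access check of its own, since the commit message motivates the change with exactly that property-reading path.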