authorAdam Rice <ricea@chromium.org>2019-03-05 08:15:38 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2019-03-28 15:19:05 +0000
commit037efcfdba3d96ea6d10a3308ae9b6266de3b6c1 (patch)
tree714e28f48abeaa0625a784fbab286c43f416531f
parent85136fedbde62ecf382362fc82849c8172c67697 (diff)
[Backport] Security Bug 931640 1/2
Streams: Prevent double-resolution of promises. v8.resolvePromise() and v8.rejectPromise() do not make double-resolution of a promise a no-op the way the JavaScript APIs do. Add protection against resolving or rejecting the same promise twice: attach a new internal symbol "_isSettled" to a promise when it is resolved or rejected inside the resolvePromise() and rejectPromise() functions. If the symbol is already present, the promise has already been resolved or rejected, so do nothing. BUG=931953 Reviewed-on: https://chromium-review.googlesource.com/c/1475591 Change-Id: Ied15330289c3b8e2cce78b30fc8475da2033967c Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/blink/renderer/core/streams/CommonOperations.js17
1 files changed, 17 insertions, 0 deletions
diff --git a/chromium/third_party/blink/renderer/core/streams/CommonOperations.js b/chromium/third_party/blink/renderer/core/streams/CommonOperations.js
index f35f6d13ff6..4f04dacf2d5 100644
--- a/chromium/third_party/blink/renderer/core/streams/CommonOperations.js
+++ b/chromium/third_party/blink/renderer/core/streams/CommonOperations.js
@@ -13,6 +13,11 @@
const _queue = v8.createPrivateSymbol('[[queue]]');
const _queueTotalSize = v8.createPrivateSymbol('[[queueTotalSize]]');
+ // A symbol to protect against double-resolution of promises. This
+ // functionality is not explicit in the standard, but is implied in the way
+ // the operations are defined.
+ const _isSettled = v8.createPrivateSymbol('isSettled');
+
// Javascript functions. It is important to use these copies for security and
// robustness. See "V8 Extras Design Doc", section "Security Considerations".
// https://docs.google.com/document/d/1AT5-T0aHGp7Lt29vPWFr2-qG8r3l9CByyvKwEuA8Ec0/edit#heading=h.9yixony1a18r
@@ -63,6 +68,12 @@
if (!v8.isPromise(p)) {
streamInternalError();
}
+
+ if (p[_isSettled]) {
+ return;
+ }
+ p[_isSettled] = true;
+
v8.rejectPromise(p, reason);
}
@@ -70,6 +81,12 @@
if (!v8.isPromise(p)) {
streamInternalError();
}
+
+ if (p[_isSettled]) {
+ return;
+ }
+ p[_isSettled] = true;
+
v8.resolvePromise(p, value);
}
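Review bot: The `p[_isSettled]` guard added here and in the rejectPromise hunk only covers promises whose first settlement went through these two wrappers; the flag is set nowhere else in the hunks, so a promise settled by a different path (a direct `v8.resolvePromise`/`v8.rejectPromise` call elsewhere, or one created already-settled) still carries no flag and a later call here would reach v8 a second time. The comment at the `_isSettled` declaration in the first hunk describes it as general double-resolution protection; it should state the limit of the guarantee, e.g. `// Set only by resolvePromise()/rejectPromise() below; promises settled by any other path are not protected.` The two guard blocks are identical, so a small shared helper would keep them from drifting apart, though at four lines each that is a matter of taste. The enclosing rejectPromise and resolvePromise functions both begin outside their hunks, so I could not confirm whether any other early-exit path precedes the new check.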