[Backport] Security bug 913212

Original patch by Tobias Tebbi <tebbi@chromium.org>: [ic] do not expose global object Bug: chromium:913212 Reviewed-on: https://chromium-review.googlesource.com/c/1371605 Change-Id: I9173e33a539c89bb9e8ff5edeca16cb8a8d4529b Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Michael Brüning <michael.bruning@qt.io> 2019-03-20 17:00:22 +0100
committer: Michael Brüning <michael.bruning@qt.io> 2019-03-27 15:01:55 +0000
commit: 0a717e1dbe973e1ebcbe49f213591a7dd5805012 (patch)
tree: f9a144104c649974249cd7d373b6b5ea91eae158
parent: e4e104616590bc90b187acff50c00f43a27c8490 (diff)
download: qtwebengine-chromium-0a717e1dbe973e1ebcbe49f213591a7dd5805012.tar.gz
1 files changed, 17 insertions, 3 deletions
diff --git a/chromium/v8/src/objects.cc b/chromium/v8/src/objects.cc
index 8cd04869391..fcee8c9c8b7 100644
--- a/chromium/v8/src/objects.cc
+++ b/chromium/v8/src/objects.cc
@@ -1024,9 +1024,16 @@ MaybeHandle<Object> Object::GetProperty(LookupIterator* it,
         UNREACHABLE();
       case LookupIterator::JSPROXY: {
         bool was_found;
+        Handle<Object> receiver = it->GetReceiver();
+        // In case of global IC, the receiver is the global object. Replace by
+        // the global proxy.
+        if (receiver->IsJSGlobalObject()) {
+          receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(),
+                            it->isolate());
+        }
         MaybeHandle<Object> result =
             JSProxy::GetProperty(it->isolate(), it->GetHolder<JSProxy>(),
-                                 it->GetName(), it->GetReceiver(), &was_found);
+                                 it->GetName(), receiver, &was_found);
         if (!was_found) it->NotFound();
         return result;
       }
@@ -4958,9 +4965,16 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
         return JSObject::SetPropertyWithFailedAccessCheck(it, value,
                                                           should_throw);
 
-      case LookupIterator::JSPROXY:
+      case LookupIterator::JSPROXY: {
+        Handle<Object> receiver = it->GetReceiver();
+        // In case of global IC, the receiver is the global object. Replace by
+        // the global proxy.
+        if (receiver->IsJSGlobalObject()) {
+          receiver = handle(JSGlobalObject::cast(*receiver)->global_proxy(),
+                            it->isolate());
+        }
         return JSProxy::SetProperty(it->GetHolder<JSProxy>(), it->GetName(),
-                                    value, it->GetReceiver(), language_mode);
+                                    value, receiver, language_mode);
 
       case LookupIterator::INTERCEPTOR: {
         if (it->HolderIsReceiverOrHiddenPrototype()) {
author	Michael Brüning <michael.bruning@qt.io>	2019-03-20 17:00:22 +0100
committer	Michael Brüning <michael.bruning@qt.io>	2019-03-27 15:01:55 +0000
commit	0a717e1dbe973e1ebcbe49f213591a7dd5805012 (patch)
tree	f9a144104c649974249cd7d373b6b5ea91eae158
parent	e4e104616590bc90b187acff50c00f43a27c8490 (diff)
download	qtwebengine-chromium-0a717e1dbe973e1ebcbe49f213591a7dd5805012.tar.gz