author | Yuki Shiino <yukishiino@chromium.org> | 2019-05-23 09:20:05 +0000 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2019-07-25 06:19:31 +0000 |
commit | d42e2e2bc4415af05451183808e46b55938229c9 (patch) | |
tree | 48640e72d66021137fe5db7f3d35ff68c7f41dbb /chromium/third_party | |
parent | cc4d38df371e5020ddf562465c6b63bb8f5567d2 (diff) | |
download | qtwebengine-chromium-d42e2e2bc4415af05451183808e46b55938229c9.tar.gz |
[Backport] Security bug 964928
v8binding: Check the "script forbidden" status in IDL callbacks.
Checks whether script execution is allowed or not in IDL callbacks.
See the bug for details.
Bug: 964928
Change-Id: Ie611470287bc584069707a2c279379f9a61aea87
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/third_party')
-rw-r--r-- | chromium/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl | 5 | ||||
-rw-r--r-- | chromium/third_party/blink/renderer/platform/bindings/script_forbidden_scope.h | 11 |
2 files changed, 14 insertions, 2 deletions
diff --git a/chromium/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl b/chromium/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
index 9329dd4dab7..87e7f6a9339 100644
--- a/chromium/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
+++ b/chromium/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
@@ -56,6 +56,11 @@
 v8::Context::BackupIncumbentScope backup_incumbent_scope(
 IncumbentScriptState()->GetContext());
 
+ if (UNLIKELY(ScriptForbiddenScope::IsScriptForbidden())) {
+ ScriptForbiddenScope::ThrowScriptForbiddenException(GetIsolate());
+ return v8::Nothing<{{return_cpp_type}}>();
+ }
+
 {% if invoke_or_construct == 'construct' %}
 // step 3. If ! IsConstructor(F) is false, throw a TypeError exception.
 //
diff --git a/chromium/third_party/blink/renderer/platform/bindings/script_forbidden_scope.h b/chromium/third_party/blink/renderer/platform/bindings/script_forbidden_scope.h
index 656083c7377..ae44c6d23d8 100644
--- a/chromium/third_party/blink/renderer/platform/bindings/script_forbidden_scope.h
+++ b/chromium/third_party/blink/renderer/platform/bindings/script_forbidden_scope.h
@@ -7,6 +7,7 @@
 
 #include "base/auto_reset.h"
 #include "base/macros.h"
+#include "third_party/blink/renderer/platform/bindings/v8_throw_exception.h"
 #include "third_party/blink/renderer/platform/platform_export.h"
 #include "third_party/blink/renderer/platform/wtf/allocator.h"
 #include "third_party/blink/renderer/platform/wtf/stack_util.h"
@@ -41,7 +42,11 @@ class PLATFORM_EXPORT ScriptForbiddenScope final {
 return GetMutableCounter() > 0;
 }
 
- // DO NOT USE THESE FUNCTIONS FROM OUTSIDE OF THIS CLASS.
+ static void ThrowScriptForbiddenException(v8::Isolate* isolate) {
+ V8ThrowException::ThrowError(isolate, "Script execution is forbidden.");
+ }
+
+ private:
 static void Enter() {
 if (LIKELY(!WTF::MayNotBeMainThread())) {
 ++g_main_thread_counter_;
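Review bot: The added forbidden-script guard in callback_invoke.cc.tmpl carries no comment, while the neighbouring blocks in this template are each annotated with the spec step they implement (`// step 3. ...`), so a reader cannot tell why the callback refuses to run here or why the result is `v8::Nothing` rather than a TypeError path. I would add above the `if`: `// Script execution is currently forbidden (a ScriptForbiddenScope is active); report it as an exception and do not enter the callback.` The guard is placed after `backup_incumbent_scope` has already been established; if that scope is not trivially cheap, checking before constructing it would keep the early-exit path minimal, which is worth confirming against the rest of the generated function, which begins and ends outside the hunk.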
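Review bot: `ThrowScriptForbiddenException` in script_forbidden_scope.h is defined inline, which is what forces the new `v8_throw_exception.h` include (and V8 declarations) onto every translation unit that includes this widely used platform header; defining the body in the .cc with a forward declaration of `v8::Isolate` would keep the header light. The function also has no comment stating that it only reports the violation and that the caller is still responsible for not proceeding, as the template hunk does with `return v8::Nothing<...>()`; I would add `// Reports a forbidden-script violation as a V8 exception. Callers must still stop before running any script.` Replacing the old DO-NOT-USE comment with `private:` enforces the restriction through access control instead of convention, which is sound. The class body continues outside the hunk.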
@@ -58,9 +63,11 @@ class PLATFORM_EXPORT ScriptForbiddenScope final {
 }
 }
 
- private:
 static unsigned& GetMutableCounter();
 static unsigned g_main_thread_counter_;
+
+ // V8GCController is exceptionally allowed to call Enter/Exit.
+ friend class V8GCController;
 };
 
 } // namespace blink |
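Review bot: The comment on the new `friend class V8GCController` says it is allowed to call Enter/Exit, but friendship grants access to every private member, including `GetMutableCounter()` and `g_main_thread_counter_`, so nothing in the type system stops the GC controller from changing the counter directly and silently ending a forbidden region. If the narrower access is the intent, a private static wrapper pair or a passkey type handed only to V8GCController would express it; otherwise the comment should state the actual scope, e.g. `// V8GCController is exceptionally allowed to call Enter/Exit. Friendship also exposes the counters; do not touch them directly.`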