
Unified Diff: chrome/test/data/extensions/api_test/bindings/override_gin_define.html

Issue 1433293004: [Extensions] Don't allow gin::Define to be overridden (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 1 month ago
Index: chrome/test/data/extensions/api_test/bindings/override_gin_define.html
diff --git a/chrome/test/data/extensions/api_test/bindings/override_gin_define.html b/chrome/test/data/extensions/api_test/bindings/override_gin_define.html
new file mode 100644
index 0000000000000000000000000000000000000000..3aaf8eebf58c593c5d811f10dad775611d606dbc
--- /dev/null
+++ b/chrome/test/data/extensions/api_test/bindings/override_gin_define.html
@@ -0,0 +1,69 @@
+<!doctype html>
+<html>
+<body>
+<span id="status"></span>
+</body>
+<script>
+var error = '';
+var addError = function(newError) {
+ error += newError;
+ document.getElementById('status').textContent = error;
+};
+
+var succeed = function() {
+ if (error != '')
+ return; // Don't overwrite an existing error.
+ document.getElementById('status').textContent = 'success';
+}
+
+// Repro from crbug.com/549986.
+Object.prototype.__defineSetter__('define', function(v) {
+ if (typeof v == 'function') {
+ addError('Leaked gin define');
+ leakedDefine = v;
+ }
+ Object.defineProperty(this, 'define', {value: v});
+});
+
+var leakedBinding;
+Object.defineProperty(Object.prototype, 'create', {set: function(v) {
+ if (typeof(v) == 'function') {
+ Object.defineProperty(this, 'create', {value: function(name) {
+ result = v(name);
+ if (name == 'runtime') {
+ try {
+ leakedDefine('foo', ['test'], function(){} );
+ } catch (e) { }
+ } else if (name == 'test') {
+ addError('Leaked test');
+ leakedBinding = result;
+ }
+ return result;
+ }, configurable: true});
+ }
+}});
+
+// Bindings are lazily initialized. Poke it.
+chrome.runtime;
+// If the runtime bindings aren't created, we didn't test anything.
+if (!chrome.runtime)
+ addError('chrome.runtime was not created.\n');
+
+if (leakedBinding) {
+ leakedFunctions = {};
+ leakedBinding.customHooks_[0](
+ {apiFunctions: {setHandleRequest: function(name, fun) {
+ leakedFunctions[name] = fun;
+ } }, compiledApi: {} });
+
+ leakedFunctions.runWithNativesEnabled(function() {
+ addError('Calling activityLogger.LogEvent');
+ leakedFunctions.getModuleSystem(window).requireNative('activityLogger')
+ .LogEvent('', '', 0xDEADBAD);
+ });
+}
+
+// All's well.
+succeed();
+</script>
+</html>
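Review bot: `leakedDefine` is never declared, so when nothing leaks the call in the `runtime` branch of the `create` wrapper throws a ReferenceError that the empty `catch (e) { }` discards, and that same catch would hide any unrelated exception too. Declaring it beside `leakedBinding` (`var leakedDefine;`) and guarding the call with `if (leakedDefine)` would make the no-leak path explicit instead of relying on a swallowed error. If the try is kept for the leaked case, a comment such as `// define() may throw once leaked; the leak is already recorded by addError.` would say why the exception is dropped. `result` in the same wrapper and `leakedFunctions` in the `if (leakedBinding)` block are implicit globals as well and would read better with `var`.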