src/runtime.cc - Issue 294073002: filter cross context eval

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/runtime.cc

Issue 294073002: filter cross context eval (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/runtime.cc

diff --git a/src/runtime.cc b/src/runtime.cc

index 686c3f550fb55c592d4cd5173b1ceffd9ad820d9..631c576dfeba4a5e09252be9896d27a35e3a4de5 100644

--- a/src/runtime.cc

+++ b/src/runtime.cc

@@ -9759,6 +9759,59 @@ bool CodeGenerationFromStringsAllowed(Isolate* isolate,

}

+// Walk up the stack expecting:

+// - Runtime_CompileString

+// - JSFunction callee (eval, Function constructor, etc)

+// - call() (maybe)

+// - apply() (maybe)

+// - bind() (maybe)

+// - JSFunction caller (maybe)

+//

+// return true if the caller has the same security token as the callee

+// or if an exit frame was hit, in which case allow it through, as it could

+// have come through the api.

+static bool TokensMatchForCompileString(Isolate* isolate) {

+ MaybeHandle<JSFunction> callee;

+ bool exit_handled = true;

+ bool tokens_match = true;

+ bool done = false;

+ for (StackFrameIterator it(isolate); !it.done() && !done; it.Advance()) {

+ StackFrame* raw_frame = it.frame();

+ if (!raw_frame->is_java_script()) {

+ if (raw_frame->is_exit()) exit_handled = false;

+ continue;

+ }

+ JavaScriptFrame* outer_frame = JavaScriptFrame::cast(raw_frame);

+ List<FrameSummary> frames(FLAG_max_inlining_levels + 1);

+ outer_frame->Summarize(&frames);

+ for (int i = frames.length() - 1; i >= 0 && !done; --i) {

+ FrameSummary& frame = frames[i];

+ Handle<JSFunction> fun = frame.function();

+ // Capture the callee function.

+ if (callee.is_null()) {

+ callee = fun;

+ exit_handled = true;

+ continue;

+ }

+ // Exit condition.

+ Handle<Context> context = handle(callee.ToHandleChecked()->context());

Toon Verwaest 2014/06/11 12:28:44 remove " = handle"

+ if (!fun->context()->HasSameSecurityTokenAs(*context)) {

+ tokens_match = false;

+ done = true;

+ continue;

+ }

+ // Skip bound functions in correct origin.

+ if (fun->shared()->bound()) {

+ exit_handled = true;

+ continue;

+ }

+ done = true;

+ }

+ return !exit_handled || tokens_match;

RUNTIME_FUNCTION(Runtime_CompileString) {

HandleScope scope(isolate);

ASSERT(args.length() == 2);

@@ -9768,6 +9821,11 @@ RUNTIME_FUNCTION(Runtime_CompileString) {

// Extract native context.

Handle<Context> context(isolate->context()->native_context());

+ // Filter cross security context calls.

+ if (!TokensMatchForCompileString(isolate)) {

+ return isolate->heap()->undefined_value();

+ }

// Check if native context allows code generation from

// strings. Throw an exception if it doesn't.

if (context->allow_code_gen_from_strings()->IsFalse() &&

« no previous file with comments | « src/generator.js ('k') | src/v8natives.js » ('j') | no next file with comments »