filter cross context eval

src/runtime.cc

Index: src/runtime.cc
diff --git a/src/runtime.cc b/src/runtime.cc
index 1aaa3cd92a70b10d8521ffde464cec500aecd393..90c52833b92df07278b936b0c5a42341316f00c6 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -9784,6 +9784,21 @@ bool CodeGenerationFromStringsAllowed(Isolate* isolate,
 }
 
 
+static Handle<JSFunction> FirstJSFunctionOnStack(Isolate* isolate) {
+  for (StackTraceFrameIterator it(isolate); !it.done(); it.Advance()) {
+    StackFrame* raw_frame = it.frame();
+    if (!raw_frame->is_java_script()) continue;
+    JavaScriptFrame* frame = JavaScriptFrame::cast(raw_frame);
+    List<FrameSummary> frames(FLAG_max_inlining_levels + 1);
+    frame->Summarize(&frames);
+    for (int i = frames.length() - 1; i >= 0; i--) {

[Toon Verwaest, 2014/05/27 15:15:43]

Why is this a for-loop? :)

[dcarney, 2014/05/27 15:45:11]

originally, i was filtering stuff out

+      return frames[i].function();
+    }
+  }
+  return Handle<JSFunction>();

[Toon Verwaest, 2014/05/27 15:15:43]

If you can return an empty handle, it should be a MaybeHandle according to the
new rules.

+}
+
+
 RUNTIME_FUNCTION(Runtime_CompileString) {
   HandleScope scope(isolate);
   ASSERT(args.length() == 2);
@@ -9793,6 +9808,14 @@ RUNTIME_FUNCTION(Runtime_CompileString) {
   // Extract native context.
   Handle<Context> context(isolate->context()->native_context());
 
+  // Filter cross security context calls.
+  {
+    Handle<JSFunction> fun = FirstJSFunctionOnStack(isolate);
+    if (fun.is_null() || !context->HasSameSecurityTokenAs(fun->context())) {
+      return isolate->heap()->undefined_value();
+    }
+  }
+
   // Check if native context allows code generation from
   // strings. Throw an exception if it doesn't.
   if (context->allow_code_gen_from_strings()->IsFalse() &&