[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

abarth at webkit.org abarth at webkit.org
Wed Dec 22 13:25:17 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 054aac1d7790379954e23f3bb2cedbe421b0d35e
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Sep 14 23:12:49 2010 +0000

    2010-09-14  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Nate Chapin.
    
            V8 security checks don't account for shadowing named frames
            https://bugs.webkit.org/show_bug.cgi?id=45700
    
            Test: http/tests/security/xss-DENIED-frame-name.html
    
            * bindings/v8/custom/V8DOMWindowCustom.cpp:
            (WebCore::V8DOMWindow::namedSecurityCheck):
                - If the property name exists on the object, it will shadow the
                  named property lookup on the window object.  That means we need
                  to block access if there's shadowing going on.
            (WebCore::V8DOMWindow::indexedSecurityCheck):
                - I made the corresponding change to this function too, but I don't
                  think this one can actually be triggered because JavaScript
                  variable names need to start with a non-digit.
    2010-09-14  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Nate Chapin.
    
            V8 security checks don't account for shadowing named frames
            https://bugs.webkit.org/show_bug.cgi?id=45700
    
            Test whether cross-origin observers can see global variables shadowing
            named frames.
    
            * http/tests/security/resources/frame-for-parent-name.html: Added.
            * http/tests/security/xss-DENIED-frame-name-expected.txt: Added.
            * http/tests/security/xss-DENIED-frame-name.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@67509 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 159bd76..d60fa35 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,5 +1,19 @@
 2010-09-14  Adam Barth  <abarth at webkit.org>
 
+        Reviewed by Nate Chapin.
+
+        V8 security checks don't account for shadowing named frames
+        https://bugs.webkit.org/show_bug.cgi?id=45700
+
+        Test whether cross-origin observers can see global variables shadowing
+        named frames.
+
+        * http/tests/security/resources/frame-for-parent-name.html: Added.
+        * http/tests/security/xss-DENIED-frame-name-expected.txt: Added.
+        * http/tests/security/xss-DENIED-frame-name.html: Added.
+
+2010-09-14  Adam Barth  <abarth at webkit.org>
+
         Reviewed by Eric Seidel.
 
         incorrect tabindex parsing
diff --git a/LayoutTests/http/tests/security/resources/frame-for-parent-name.html b/LayoutTests/http/tests/security/resources/frame-for-parent-name.html
new file mode 100644
index 0000000..93303e8
--- /dev/null
+++ b/LayoutTests/http/tests/security/resources/frame-for-parent-name.html
@@ -0,0 +1,3 @@
+<script>
+alert(parent.test.prop);
+</script>
diff --git a/LayoutTests/http/tests/security/xss-DENIED-frame-name-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-frame-name-expected.txt
new file mode 100644
index 0000000..1396979
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-frame-name-expected.txt
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL about:blank from frame with URL http://localhost:8000/security/resources/frame-for-parent-name.html. Domains, protocols and ports must match.
+
+ALERT: undefined
+   This test passes if it doesn't alert fail.
diff --git a/LayoutTests/http/tests/security/xss-DENIED-frame-name.html b/LayoutTests/http/tests/security/xss-DENIED-frame-name.html
new file mode 100644
index 0000000..b09faa9
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-frame-name.html
@@ -0,0 +1,10 @@
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+<iframe name="test" src="about:blank"></iframe>
+<script>
+var test = {'prop': 'FAIL'};
+</script>
+<iframe src="http://localhost:8000/security/resources/frame-for-parent-name.html"></iframe>
+This test passes if it doesn't alert fail.
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 58b28d0..1628ebb 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,5 +1,24 @@
 2010-09-14  Adam Barth  <abarth at webkit.org>
 
+        Reviewed by Nate Chapin.
+
+        V8 security checks don't account for shadowing named frames
+        https://bugs.webkit.org/show_bug.cgi?id=45700
+
+        Test: http/tests/security/xss-DENIED-frame-name.html
+
+        * bindings/v8/custom/V8DOMWindowCustom.cpp:
+        (WebCore::V8DOMWindow::namedSecurityCheck):
+            - If the property name exists on the object, it will shadow the
+              named property lookup on the window object.  That means we need
+              to block access if there's shadowing going on.
+        (WebCore::V8DOMWindow::indexedSecurityCheck):
+            - I made the corresponding change to this function too, but I don't
+              think this one can actually be triggered because JavaScript
+              variable names need to start with a non-digit.
+
+2010-09-14  Adam Barth  <abarth at webkit.org>
+
         Reviewed by Eric Seidel.
 
         incorrect tabindex parsing
diff --git a/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp b/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
index 45cb1b4..f7c75f7 100644
--- a/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
@@ -605,9 +605,11 @@ bool V8DOMWindow::namedSecurityCheck(v8::Local<v8::Object> host, v8::Local<v8::V
 
     if (key->IsString()) {
         String name = toWebCoreString(key);
-
-        // Allow access of GET and HAS if index is a subframe.
-        if ((type == v8::ACCESS_GET || type == v8::ACCESS_HAS) && target->tree()->child(name))
+        // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
+        // because that would generate infinite recursion.
+        if (type == v8::ACCESS_HAS && target->tree()->child(name))
+            return true;
+        if (type == v8::ACCESS_GET && target->tree()->child(name) && !host->HasRealNamedProperty(key->ToString()))
             return true;
     }
 
@@ -628,8 +630,11 @@ bool V8DOMWindow::indexedSecurityCheck(v8::Local<v8::Object> host, uint32_t inde
     if (!target)
         return false;
 
-    // Allow access of GET and HAS if index is a subframe.
-    if ((type == v8::ACCESS_GET || type == v8::ACCESS_HAS) && target->tree()->child(index))
+    // Notice that we can't call HasRealNamedProperty for ACCESS_HAS
+    // because that would generate infinite recursion.
+    if (type == v8::ACCESS_HAS && target->tree()->child(index))
+        return true;
+    if (type == v8::ACCESS_GET && target->tree()->child(index) && !host->HasRealIndexedProperty(index))
         return true;
 
     return V8BindingSecurity::canAccessFrame(V8BindingState::Only(), target, false);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list