[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
oliver at apple.com
Sun Feb 20 23:18:10 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit de0184441fe0da4c44182236024973e583ceed1d
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Jan 19 20:18:57 2011 +0000
2011-01-19  Oliver Hunt  <oliver at apple.com>

        Reviewed by Gavin Barraclough.

        [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion
        https://bugs.webkit.org/show_bug.cgi?id=52672

        Add tests to ensure that we disallow __proto__ as a function name.

        * fast/js/parser-syntax-check-expected.txt:
        * fast/js/script-tests/parser-syntax-check.js:

2011-01-19  Oliver Hunt  <oliver at apple.com>

        Reviewed by Gavin Barraclough.

        [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion
        https://bugs.webkit.org/show_bug.cgi?id=52672

        Rather than coming up with a somewhat convoluted mechanism to ensure that
        developers can override the global object's prototype with a function named
        __proto__ and expect it to work, we just disallow it at the syntax level.

        * parser/JSParser.cpp:
        (JSC::JSParser::parseFunctionInfo):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76148 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 2382179..8af5489 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2011-01-19 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion
+ https://bugs.webkit.org/show_bug.cgi?id=52672
+
+ Add tests to ensure that we disallow __proto__ as a function name.
+
+ * fast/js/parser-syntax-check-expected.txt:
+ * fast/js/script-tests/parser-syntax-check.js:
+
2011-01-19 Chang Shu <chang.shu at nokia.com>
Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/js/parser-syntax-check-expected.txt b/LayoutTests/fast/js/parser-syntax-check-expected.txt
index ef6764d..ed71d0b 100644
--- a/LayoutTests/fast/js/parser-syntax-check-expected.txt
+++ b/LayoutTests/fast/js/parser-syntax-check-expected.txt
@@ -541,6 +541,14 @@ PASS Invalid: "for(var a,b 'this shouldn't be allowed' false ; ) ;"
PASS Invalid: "function f() { for(var a,b 'this shouldn't be allowed' false ; ) ; }"
PASS Invalid: "for(var a,b '"
PASS Invalid: "function f() { for(var a,b ' }"
+PASS Invalid: "function __proto__(){}"
+PASS Invalid: "function f() { function __proto__(){} }"
+PASS Invalid: "(function __proto__(){})"
+PASS Invalid: "function f() { (function __proto__(){}) }"
+PASS Invalid: "'use strict'; function __proto__(){}"
+PASS Invalid: "function f() { 'use strict'; function __proto__(){} }"
+PASS Invalid: "'use strict'; (function __proto__(){})"
+PASS Invalid: "function f() { 'use strict'; (function __proto__(){}) }"
PASS successfullyParsed is true
TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/parser-syntax-check.js b/LayoutTests/fast/js/script-tests/parser-syntax-check.js
index 4424e50..61455ac 100644
--- a/LayoutTests/fast/js/script-tests/parser-syntax-check.js
+++ b/LayoutTests/fast/js/script-tests/parser-syntax-check.js
@@ -346,4 +346,9 @@ invalid("L: L1: L2: L3: L4: L: ;");
invalid("for(var a,b 'this shouldn\'t be allowed' false ; ) ;");
invalid("for(var a,b '");
+invalid("function __proto__(){}")
+invalid("(function __proto__(){})")
+invalid("'use strict'; function __proto__(){}")
+invalid("'use strict'; (function __proto__(){})")
+
var successfullyParsed = true;
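Review bot: the four new invalid(...) calls drop the trailing semicolon that the surrounding calls in this file use (`invalid("for(var a,b '");`); add them for consistency. More importantly, the bug title is about a function named __proto__ inside an eval, yet none of the new cases goes through eval, and there is no valid(...) control pinning down the intended scope of the rejection: `valid("var __proto__ = 1")` and `valid("__proto__ = function(){}")` would document that __proto__ stays legal as an ordinary identifier and that only the function-name position is rejected, so a future parser change cannot silently widen or narrow the rule.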
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 4abe7e1..9356400 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2011-01-19 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ [jsfunfuzz] Defining a function called __proto__ inside an eval triggers an assertion
+ https://bugs.webkit.org/show_bug.cgi?id=52672
+
+ Rather than coming up with a somewhat convoluted mechanism to ensure that
+ developers can override the global objects prototype with a function named
+ __proto__ and expect it to work, we just disallow it at the syntax level.
+
+ * parser/JSParser.cpp:
+ (JSC::JSParser::parseFunctionInfo):
+
2011-01-19 Michael Saboff <msaboff at apple.com>
Reviewed by Darin Adler.
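Review bot: "global objects prototype" should read "global object's prototype". The entry should also state that the rejection applies in sloppy mode as well as strict mode (the tests cover both), since that is a visible behaviour change for any existing page that declares a function named __proto__, and the ChangeLog is where a reader will look for that decision.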
diff --git a/Source/JavaScriptCore/parser/JSParser.cpp b/Source/JavaScriptCore/parser/JSParser.cpp
index 37b7f90..1ff5090 100644
--- a/Source/JavaScriptCore/parser/JSParser.cpp
+++ b/Source/JavaScriptCore/parser/JSParser.cpp
@@ -1223,6 +1223,7 @@ template <JSParser::FunctionRequirements requirements, bool nameIsInContainingSc
functionScope->setIsFunction();
if (match(IDENT)) {
name = m_token.m_data.ident;
+ failIfTrue(*name == m_globalData->propertyNames->underscoreProto);
next();
if (!nameIsInContainingScope)
failIfFalseIfStrict(functionScope->declareVariable(name));
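Review bot: the new failIfTrue sits only on the match(IDENT) branch of parseFunctionInfo, so it catches `function __proto__(){}` and `(function __proto__(){})` but not a function that reaches the same name through an assignment, `__proto__ = function(){}` or `var __proto__ = function(){}`, which never pass through this check; if the assertion from bug 52672 is reachable that way, a syntax-level fix at this one site is incomplete and that path should be confirmed. The rejection is also unconditional (failIfTrue rather than the failIfFalseIfStrict used on the next line), which matches the ChangeLog's intent but deserves a one-line comment above the check saying why this identifier is special, since the bare failIfTrue produces a SyntaxError with nothing pointing at __proto__ as the cause.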
--
WebKit Debian packaging
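The syntax-level rule the commit message describes can be probed against another engine with a harness in the style of parser-syntax-check.js. This is an added example, not code from the patch or from WebKit; it assumes a JavaScript runtime such as Node.js and uses `new Function` to compile each source as a function body without executing it, which corresponds to the `function f() { ... }` variant the WebKit harness also checks. On V8 all four `__proto__` cases are accepted, because ECMAScript does not reserve `__proto__` as an identifier, so the rejection added here is specific to the patched JSC parser and the expected-results file only holds for that engine.

```javascript
// Added example, not part of the WebKit patch: a syntax probe in the style of
// LayoutTests/fast/js/script-tests/parser-syntax-check.js. `new Function(body)`
// compiles `body` as a function body without running it, so probing sources such
// as `function __proto__(){}` cannot touch globalThis or Object.prototype.
// Assumption: a Node.js-like runtime; a top-level Program check would need an
// engine API that compiles without evaluating and is left out to stay portable.

// Returns true if the engine accepts `src` inside a function body, false on
// SyntaxError; any other error is a harness bug and is rethrown.
function parsesInFunctionBody(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e && e.name === "SyntaxError") return false;
    throw e;
  }
}

// The four sources the patch marks invalid for JavaScriptCore.
const PROTO_FUNCTION_CASES = [
  "function __proto__(){}",
  "(function __proto__(){})",
  "'use strict'; function __proto__(){}",
  "'use strict'; (function __proto__(){})",
];

// Controls: __proto__ as a plain identifier must stay legal, and a genuinely
// malformed source taken from the same test file must still be rejected.
const CONTROL_VALID = "var __proto__ = 1; __proto__ = function(){};";
const CONTROL_INVALID = "for(var a,b '";

// Classify every case for the engine running this file. On V8 (Node.js) the
// rejected list is empty: ECMAScript does not reserve __proto__ as an
// identifier, so this restriction is specific to the patched JSC parser.
function classify(cases) {
  const accepted = [];
  const rejected = [];
  for (const src of cases) {
    (parsesInFunctionBody(src) ? accepted : rejected).push(src);
  }
  return { accepted, rejected };
}

console.log(classify(PROTO_FUNCTION_CASES));
console.log("valid control:", parsesInFunctionBody(CONTROL_VALID));
console.log("invalid control:", parsesInFunctionBody(CONTROL_INVALID));
```

Running the same probe under a JSC build that carries this patch should move all four cases into `rejected` while leaving both controls unchanged; a test file like parser-syntax-check.js records the behaviour of one engine, so its expected output is not portable across engines.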