Commit 41cab7c7 authored by commit-queue@webkit.org's avatar commit-queue@webkit.org

Prevent workers from calling back into other worlds

https://bugs.webkit.org/show_bug.cgi?id=96790

Patch by Dan Carney <dcarney@google.com> on 2012-09-14
Reviewed by Adam Barth.

Added a few sanity checks to ensure callbacks are always using the correct world.

No new tests. No new change in functionality.

* bindings/v8/V8DOMWrapper.cpp:
(WebCore::V8DOMWrapper::getEventListener):
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
* bindings/v8/WorldContextHandle.cpp:
(WebCore::WorldContextHandle::WorldContextHandle):
(WebCore::WorldContextHandle::adjustedContext):
* bindings/v8/WorldContextHandle.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128651 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent a9d74b51
2012-09-14 Dan Carney <dcarney@google.com>
Prevent workers from calling back into other worlds
https://bugs.webkit.org/show_bug.cgi?id=96790
Reviewed by Adam Barth.
Added a few sanity checks to ensure callbacks are always using the correct world.
No new tests. No new change in functionality.
* bindings/v8/V8DOMWrapper.cpp:
(WebCore::V8DOMWrapper::getEventListener):
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
* bindings/v8/WorldContextHandle.cpp:
(WebCore::WorldContextHandle::WorldContextHandle):
(WebCore::WorldContextHandle::adjustedContext):
* bindings/v8/WorldContextHandle.h:
2012-09-14 Dana Jansens <danakj@chromium.org>
 
Minimize collisions when hashing pairs
......@@ -201,8 +201,7 @@ PassRefPtr<EventListener> V8DOMWrapper::getEventListener(v8::Local<v8::Value> va
return 0;
if (lookup == ListenerFindOnly)
return V8EventListenerList::findWrapper(value, isAttribute);
v8::Handle<v8::Object> globalPrototype = v8::Handle<v8::Object>::Cast(context->Global()->GetPrototype());
if (isWrapperOfType(globalPrototype, &V8DOMWindow::info))
if (isWrapperOfType(toInnerGlobalObject(context), &V8DOMWindow::info))
return V8EventListenerList::findOrCreateWrapper<V8EventListener>(value, isAttribute);
#if ENABLE(WORKERS)
return V8EventListenerList::findOrCreateWrapper<V8WorkerContextEventListener>(value, isAttribute);
......
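Review bot: The new `isWrapperOfType(toInnerGlobalObject(context), &V8DOMWindow::info)` test says nothing about what it decides, and getEventListener begins above the hunk, so a reader sees only that two listener classes are selected between. A one-line comment would carry the intent: `// The inner global's wrapper type tells a page (DOMWindow) context from a worker context; each gets its own listener class.` The `#if ENABLE(WORKERS)` on the last visible line means a non-DOMWindow context in a build without workers takes whatever path follows the hunk; it is worth confirming that path refuses rather than handing back a page listener.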
......@@ -124,7 +124,7 @@ void V8LazyEventListener::prepareListenerObject(ScriptExecutionContext* context)
if (!frame->script()->canExecuteScripts(NotAboutToExecuteScript))
return;
// Use the outer scope to hold context.
v8::Local<v8::Context> v8Context = worldContext().adjustedContext(frame->script());
v8::Local<v8::Context> v8Context = toV8Context(context, worldContext());
// Bail out if we cannot get the context.
if (v8Context.IsEmpty())
return;
......
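Review bot: `toV8Context(context, worldContext())` now derives the V8 context from the ScriptExecutionContext instead of from `frame->script()`, so prepareListenerObject depends on `context` being non-null at this point; the lines above the hunk, where `frame` is presumably obtained from it, should already guarantee that, and if they do not, `if (!context) return;` belongs before this line. The `IsEmpty()` check that follows still covers the case where no context can be produced, so the worker and page cases share one bail-out. The rest of prepareListenerObject lies outside the hunk.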
......@@ -32,6 +32,8 @@
#include "WorldContextHandle.h"
#include "ScriptController.h"
#include "V8Binding.h"
#include "V8DOMWindow.h"
#include "V8DOMWindowShell.h"
namespace WebCore {
......@@ -39,9 +41,22 @@ namespace WebCore {
WorldContextHandle::WorldContextHandle(WorldToUse worldToUse)
: m_worldToUse(worldToUse)
{
if (worldToUse == UseMainWorld)
if (worldToUse == UseMainWorld || worldToUse == UseWorkerWorld)
return;
#if ENABLE(WORKERS)
// FIXME We are duplicating a lot of effort here checking the context for the worker and for the isolated world.
if (v8::Context::InContext()) {
v8::Handle<v8::Context> context = v8::Context::GetCurrent();
if (!context.IsEmpty()) {
if (UNLIKELY(!V8DOMWrapper::isWrapperOfType(toInnerGlobalObject(context), &V8DOMWindow::info))) {
m_worldToUse = UseWorkerWorld;
return;
}
}
}
#endif
V8DOMWindowShell* shell = V8DOMWindowShell::getEntered();
if (LIKELY(!shell)) {
m_worldToUse = UseMainWorld;
......@@ -54,6 +69,7 @@ WorldContextHandle::WorldContextHandle(WorldToUse worldToUse)
v8::Local<v8::Context> WorldContextHandle::adjustedContext(ScriptController* script) const
{
ASSERT(m_worldToUse != UseWorkerWorld);
if (m_worldToUse == UseMainWorld)
return script->mainWorldContext();
......
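Review bot: The `ASSERT(m_worldToUse != UseWorkerWorld)` added to adjustedContext() is compiled out in release builds, so a handle the constructor classified as `UseWorkerWorld` then falls past the `UseMainWorld` test into the non-main-world path that continues outside the hunk, with `script` belonging to a page. Since the caller in V8LazyEventListener::prepareListenerObject already bails out on an empty context, an explicit early return after the assertion keeps release builds safe: `if (m_worldToUse == UseWorkerWorld) return v8::Local<v8::Context>();`. In the constructor hunk above, the worker detection is by exclusion (any inner global that is not a DOMWindow wrapper) and only under `#if ENABLE(WORKERS)`; a comment such as `// Any context whose inner global is not a DOMWindow wrapper is taken to be a worker context.` would make that classification explicit, and the constructor's body also continues past the hunk.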
......@@ -40,7 +40,7 @@ namespace WebCore {
class ScriptController;
enum WorldToUse { UseMainWorld, UseCurrentWorld };
enum WorldToUse { UseMainWorld, UseCurrentWorld, UseWorkerWorld };
class WorldContextHandle {
public:
......
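Review bot: The new `UseWorkerWorld` enumerator has no comment, and the header is where a caller looks to learn that it is not a value to resolve through the normal path; adjustedContext() in the .cpp asserts it never receives it. Suggest `// Worker contexts; adjustedContext() asserts it is never called with this value.` next to the enumerator. The WorldContextHandle class body continues outside the hunk.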