author | Cary Clark <cary@android.com> | 2009-06-08 14:29:40 -0400 |
---|---|---|
committer | Cary Clark <cary@android.com> | 2009-06-11 08:34:20 -0400 |
commit | 3a3100a35baa885399196fc0256500464307e9cc (patch) | |
tree | 24b8fe8f65e63f22ad4211aae3f7bae8762a6f2c /JavaScriptCore/runtime/StructureChain.cpp | |
parent | ecc88dcc9bcc917892396ed149e0c254b4b177a3 (diff) | |
add security fix to webkit

do not merge

bug is described by http://b/issue?id=1892983 (23148)
originally fixed by http://trac.webkit.org/changeset/42216

with this fix in place, these exploits fail:

http://evil.webblaze.org/jww/tests/location-exploit.html
generates:
D/WebCore ( 788): Console: Unsafe JavaScript attempt to access frame with URL http://evil.webblaze.org/jww/tests/location-exploit.html from frame with URL http://good.webblaze.org/jww/tests/location-exploit-iframe.html. Domains, protocols and ports must match.
D/WebCore ( 788): line: 1 source:
D/WebCore ( 788): Console: TypeError: Result of expression 'location.__defineGetter__.argumentNames' [undefined] is not a function. line: 3 source: http://evil.webblaze.org/jww/tests/location-exploit.html

http://evil.webblaze.org/jww/tests/location-test.html
puts up an alert that says "undefined"

http://evil.webblaze.org/jww/tests/history-test.html
puts up an alert that says "undefined"

Diffstat (limited to 'JavaScriptCore/runtime/StructureChain.cpp')
0 files changed, 0 insertions, 0 deletions