From 3a3100a35baa885399196fc0256500464307e9cc Mon Sep 17 00:00:00 2001
From: Cary Clark
Date: Mon, 8 Jun 2009 14:29:40 -0400
Subject: add security fix to webkit do not merge
bug is described by http://b/issue?id=1892983 (23148)
originally fixed by http://trac.webkit.org/changeset/42216
with this fix in place, these exploits fail:
http://evil.webblaze.org/jww/tests/location-exploit.html generates:
D/WebCore ( 788): Console: Unsafe JavaScript attempt to access frame with URL http://evil.webblaze.org/jww/tests/location-exploit.html from frame with URL http://good.webblaze.org/jww/tests/location-exploit-iframe.html. Domains, protocols and ports must match.
D/WebCore ( 788): line: 1 source:
D/WebCore ( 788): Console: TypeError: Result of expression 'location.__defineGetter__.argumentNames' [undefined] is not a function. line: 3 source: http://evil.webblaze.org/jww/tests/location-exploit.html
http://evil.webblaze.org/jww/tests/location-test.html puts up an alert that says "undefined"
http://evil.webblaze.org/jww/tests/history-test.html puts up an alert that says "undefined"
---
 WebCore/bindings/js/JSDocumentCustom.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'WebCore/bindings/js/JSDocumentCustom.cpp')
diff --git a/WebCore/bindings/js/JSDocumentCustom.cpp b/WebCore/bindings/js/JSDocumentCustom.cpp
index fff0ea5..596b78f 100644
--- a/WebCore/bindings/js/JSDocumentCustom.cpp
+++ b/WebCore/bindings/js/JSDocumentCustom.cpp
@@ -55,7 +55,14 @@ JSValuePtr JSDocument::location(ExecState* exec) const
     if (!frame)
         return jsNull();
-    return toJS(exec, frame->domWindow()->location());
+    Location* location = frame->domWindow()->location();
+    if (DOMObject* wrapper = getCachedDOMObjectWrapper(exec->globalData(), location))
+        return wrapper;
+
+    JSDOMWindow* window = static_cast(exec->lexicalGlobalObject());
+    JSLocation* jsLocation = new (exec) JSLocation(getDOMStructure(exec, window), location);
+    cacheDOMObjectWrapper(exec->globalData(), location, jsLocation);
+    return jsLocation;
 }
 
 void JSDocument::setLocation(ExecState* exec, JSValuePtr value)
-- 
cgit v1.1
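Review bot: As rendered, `JSDOMWindow* window = static_cast(exec->lexicalGlobalObject());` has no target type and `getDOMStructure(exec, window)` names no wrapper class, so the added lines cannot compile as shown; this looks like angle brackets stripped by the page renderer, the intended forms presumably being `static_cast<JSDOMWindow*>(exec->lexicalGlobalObject())` and `getDOMStructure<JSLocation>(exec, window)`, which should be confirmed against the referenced WebKit r42216 rather than assumed. Beyond that, the new code carries no comment on its security-relevant choice: the wrapper is cached in `exec->globalData()` keyed by the `Location`, so whichever frame first evaluates `document.location` fixes the structure (and thus the prototype chain) that every later accessor of that `Location` receives, which is presumably why the accessing frame's lexical global object is used instead of the generic `toJS()` path. A one-line comment above the cast such as `// Build the wrapper against the accessing (lexical) window's structure, not toJS()'s default; see WebKit r42216.` would make that intent reviewable for the next backport. The enclosing JSDocument::location begins above the hunk (the `frame` local it tests is declared outside the visible lines).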