Allow global prototype to be a Proxy
There was a security issue from allowing WindowProxy to have its prototype mutated in https://bugs.chromium.org/p/chromium/issues/detail?id=399951 . This has since been resolved by making `window`, `location`, and `Object.prototype.__proto__` immutable. This change was fixed in https://bugs.chromium.org/p/v8/issues/detail?id=5149 . Reverts https://codereview.chromium.org/1529303003 R=littledan@chromium.org R=verwaest@chromium.org Review-Url: https://codereview.chromium.org/2671553006 Cr-Commit-Position: refs/heads/master@{#44078}
This commit is contained in:
Bradley.Meck
Commit bot
parent
e741957a6f
commit
b123ee3411
@ -450,7 +450,6 @@ class ErrorUtils : public AllStatic {
|
||||
T(ProxyTrapReturnedFalsish, "'%' on proxy: trap returned falsish") \
|
||||
T(ProxyTrapReturnedFalsishFor, \
|
||||
"'%' on proxy: trap returned falsish for property '%'") \
|
||||
T(ReadGlobalReferenceThroughProxy, "Trying to access '%' through proxy") \
|
||||
T(RedefineDisallowed, "Cannot redefine property: %") \
|
||||
T(RedefineExternalArray, \
|
||||
"Cannot redefine a property of an object with external array elements") \
|
||||
|
||||
@ -1051,12 +1051,6 @@ MaybeHandle<Object> JSProxy::GetProperty(Isolate* isolate,
|
||||
Handle<Object> receiver,
|
||||
bool* was_found) {
|
||||
*was_found = true;
|
||||
if (receiver->IsJSGlobalObject()) {
|
||||
THROW_NEW_ERROR(
|
||||
isolate,
|
||||
NewTypeError(MessageTemplate::kReadGlobalReferenceThroughProxy, name),
|
||||
Object);
|
||||
}
|
||||
|
||||
DCHECK(!name->IsPrivate());
|
||||
STACK_CHECK(isolate, MaybeHandle<Object>());
|
||||
|
||||
@ -217,7 +217,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(12),
|
||||
B(LdaConstant), U8(11),
|
||||
B(Star), R(13),
|
||||
@ -701,7 +701,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(12),
|
||||
B(LdaConstant), U8(11),
|
||||
B(Star), R(13),
|
||||
@ -1219,7 +1219,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(12),
|
||||
B(LdaConstant), U8(11),
|
||||
B(Star), R(13),
|
||||
@ -1627,7 +1627,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(11),
|
||||
B(LdaConstant), U8(10),
|
||||
B(Star), R(12),
|
||||
|
||||
@ -85,7 +85,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(12),
|
||||
B(LdaConstant), U8(8),
|
||||
B(Star), R(13),
|
||||
@ -226,7 +226,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(13),
|
||||
B(LdaConstant), U8(8),
|
||||
B(Star), R(14),
|
||||
@ -380,7 +380,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(12),
|
||||
B(LdaConstant), U8(8),
|
||||
B(Star), R(13),
|
||||
@ -524,7 +524,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(11),
|
||||
B(LdaConstant), U8(10),
|
||||
B(Star), R(12),
|
||||
|
||||
@ -493,7 +493,7 @@ bytecodes: [
|
||||
B(TestTypeOf), U8(5),
|
||||
B(JumpIfFalse), U8(4),
|
||||
B(Jump), U8(18),
|
||||
B(Wide), B(LdaSmi), I16(130),
|
||||
B(Wide), B(LdaSmi), I16(129),
|
||||
B(Star), R(11),
|
||||
B(LdaConstant), U8(10),
|
||||
B(Star), R(12),
|
||||
|
||||
41
test/mjsunit/es6/global-proto-proxy.js
Normal file
41
test/mjsunit/es6/global-proto-proxy.js
Normal file
@ -0,0 +1,41 @@
|
||||
// Copyright 2017 the V8 project authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
var global = this;
|
||||
;(function () {
|
||||
var calledDelete = false;
|
||||
var calledGet = false;
|
||||
var calledHas = false;
|
||||
var calledSet = false;
|
||||
var target = {};
|
||||
var assertEquals = global.assertEquals;
|
||||
var proxy = new Proxy(target, {
|
||||
has(target, property) {
|
||||
calledHas = true;
|
||||
return Reflect.has(target, property);
|
||||
},
|
||||
get(target, property, receiver) {
|
||||
calledGet = true;
|
||||
return Reflect.get(target, property, receiver);
|
||||
},
|
||||
set(targer, property, value, receiver) {
|
||||
calledSet = true;
|
||||
return Reflect.set(target, property, value, receiver);
|
||||
},
|
||||
delete(target, property, receiver) {
|
||||
calledDelete = true;
|
||||
return Reflect.delete(target, property, receiver);
|
||||
}
|
||||
});
|
||||
Object.setPrototypeOf(global, proxy);
|
||||
getGlobal;
|
||||
assertTrue(calledGet);
|
||||
makeGlobal = 2;
|
||||
assertTrue(calledSet);
|
||||
"findGlobal" in global;
|
||||
assertTrue(calledHas);
|
||||
var deletedOwn = delete makeGlobal;
|
||||
assertTrue(deletedOwn);
|
||||
assertEquals(void 0, makeGlobal);
|
||||
})();
|
||||
Loading…
Reference in New Issue
Block a user