diff options
| author | Michaƫl Zasso <targos@protonmail.com> | 2019-08-27 09:51:09 +0200 |
|---|---|---|
| committer | Daniel Bevenius <daniel.bevenius@gmail.com> | 2019-08-30 07:43:44 +0200 |
| commit | 858db73a746c7b483f5caa416cd7aef82ba9af8a (patch) | |
| tree | 27e7a96cbdeccb7b2d45ae180e77f4ed6d219f0b /deps/v8/src | |
| parent | c746ba4982d3ec17cd7ce38468e6cea662462a84 (diff) | |
| download | android-node-v8-858db73a746c7b483f5caa416cd7aef82ba9af8a.tar.gz android-node-v8-858db73a746c7b483f5caa416cd7aef82ba9af8a.tar.bz2 android-node-v8-858db73a746c7b483f5caa416cd7aef82ba9af8a.zip | |
deps: patch V8 to 7.7.299.8
PR-URL: https://github.com/nodejs/node/pull/29336
Refs: https://github.com/v8/v8/compare/7.7.299.4...7.7.299.8
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Diffstat (limited to 'deps/v8/src')
| -rw-r--r-- | deps/v8/src/builtins/builtins-console.cc | 16 | ||||
| -rw-r--r-- | deps/v8/src/flags/flag-definitions.h | 2 |
2 files changed, 17 insertions, 1 deletions
diff --git a/deps/v8/src/builtins/builtins-console.cc b/deps/v8/src/builtins/builtins-console.cc index 9ab3566cec..28c9261ed4 100644 --- a/deps/v8/src/builtins/builtins-console.cc +++ b/deps/v8/src/builtins/builtins-console.cc @@ -47,6 +47,22 @@ void ConsoleCall( CHECK(!isolate->has_scheduled_exception()); if (!isolate->console_delegate()) return; HandleScope scope(isolate); + + // Access check. The current context has to match the context of all + // arguments, otherwise the inspector might leak objects across contexts. + Handle<Context> context = handle(isolate->context(), isolate); + for (int i = 0; i < args.length(); ++i) { + Handle<Object> argument = args.at<Object>(i); + if (!argument->IsJSObject()) continue; + + Handle<JSObject> argument_obj = Handle<JSObject>::cast(argument); + if (argument->IsAccessCheckNeeded(isolate) && + !isolate->MayAccess(context, argument_obj)) { + isolate->ReportFailedAccessCheck(argument_obj); + return; + } + } + debug::ConsoleCallArguments wrapper(args); Handle<Object> context_id_obj = JSObject::GetDataProperty( args.target(), isolate->factory()->console_context_id_symbol()); diff --git a/deps/v8/src/flags/flag-definitions.h b/deps/v8/src/flags/flag-definitions.h index 40edde3443..c32bb03407 100644 --- a/deps/v8/src/flags/flag-definitions.h +++ b/deps/v8/src/flags/flag-definitions.h @@ -361,7 +361,7 @@ DEFINE_BOOL(enable_one_shot_optimization, true, "only be executed once") // Flag for sealed, frozen elements kind instead of dictionary elements kind -DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, true, +DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, false, "Enable sealed, frozen elements kind") // Flags for data representation optimizations |