summaryrefslogtreecommitdiff
path: root/deps/v8/src/builtins/builtins-console.cc
diff options
context:
space:
mode:
Diffstat (limited to 'deps/v8/src/builtins/builtins-console.cc')
-rw-r--r--deps/v8/src/builtins/builtins-console.cc16
1 files changed, 16 insertions, 0 deletions
diff --git a/deps/v8/src/builtins/builtins-console.cc b/deps/v8/src/builtins/builtins-console.cc
index 9ab3566cec..28c9261ed4 100644
--- a/deps/v8/src/builtins/builtins-console.cc
+++ b/deps/v8/src/builtins/builtins-console.cc
@@ -47,6 +47,22 @@ void ConsoleCall(
CHECK(!isolate->has_scheduled_exception());
if (!isolate->console_delegate()) return;
HandleScope scope(isolate);
+
+ // Access check. The current context has to match the context of all
+ // arguments, otherwise the inspector might leak objects across contexts.
+ Handle<Context> context = handle(isolate->context(), isolate);
+ for (int i = 0; i < args.length(); ++i) {
+ Handle<Object> argument = args.at<Object>(i);
+ if (!argument->IsJSObject()) continue;
+
+ Handle<JSObject> argument_obj = Handle<JSObject>::cast(argument);
+ if (argument->IsAccessCheckNeeded(isolate) &&
+ !isolate->MayAccess(context, argument_obj)) {
+ isolate->ReportFailedAccessCheck(argument_obj);
+ return;
+ }
+ }
+
debug::ConsoleCallArguments wrapper(args);
Handle<Object> context_id_obj = JSObject::GetDataProperty(
args.target(), isolate->factory()->console_context_id_symbol());
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-19 07:47:32 +0000