Diffstat (limited to 'deps/v8/src')
-rw-r--r-- | deps/v8/src/builtins/builtins-console.cc | 16 | ||||
-rw-r--r-- | deps/v8/src/flags/flag-definitions.h | 2 |
2 files changed, 17 insertions, 1 deletions
diff --git a/deps/v8/src/builtins/builtins-console.cc b/deps/v8/src/builtins/builtins-console.cc
index 9ab3566cec..28c9261ed4 100644
--- a/deps/v8/src/builtins/builtins-console.cc
+++ b/deps/v8/src/builtins/builtins-console.cc
@@ -47,6 +47,22 @@ void ConsoleCall(
   CHECK(!isolate->has_scheduled_exception());
   if (!isolate->console_delegate()) return;
   HandleScope scope(isolate);
+
+  // Access check. The current context has to match the context of all
+  // arguments, otherwise the inspector might leak objects across contexts.
+  Handle<Context> context = handle(isolate->context(), isolate);
+  for (int i = 0; i < args.length(); ++i) {
+    Handle<Object> argument = args.at<Object>(i);
+    if (!argument->IsJSObject()) continue;
+
+    Handle<JSObject> argument_obj = Handle<JSObject>::cast(argument);
+    if (argument->IsAccessCheckNeeded(isolate) &&
+        !isolate->MayAccess(context, argument_obj)) {
+      isolate->ReportFailedAccessCheck(argument_obj);
+      return;
+    }
+  }
+
   debug::ConsoleCallArguments wrapper(args);
   Handle<Object> context_id_obj = JSObject::GetDataProperty(
       args.target(), isolate->factory()->console_context_id_symbol());
diff --git a/deps/v8/src/flags/flag-definitions.h b/deps/v8/src/flags/flag-definitions.h
index 40edde3443..c32bb03407 100644
--- a/deps/v8/src/flags/flag-definitions.h
+++ b/deps/v8/src/flags/flag-definitions.h
@@ -361,7 +361,7 @@ DEFINE_BOOL(enable_one_shot_optimization, true,
             "only be executed once")
 
 // Flag for sealed, frozen elements kind instead of dictionary elements kind
-DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, true,
+DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, false,
                      "Enable sealed, frozen elements kind")
 
 // Flags for data representation optimizations
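Review bot: The comment introducing the new loop in ConsoleCall overstates what the code enforces: nothing compares contexts, the loop only asks the embedder's access-check callback via `isolate->MayAccess(context, argument_obj)`, and only for the JSObject arguments that have `IsAccessCheckNeeded` set, while primitives and ordinary objects pass through untouched. A comment that matches the code would be `// Access check: any JSObject argument that carries an access-check bit must pass the embedder's MayAccess callback for the current context; otherwise report the failed check and drop the call so the console delegate never receives a cross-context object.` Note that only the direct arguments are inspected here; objects reachable through an argument's properties are presumably not covered by this loop, so any guard for those would have to live in the delegate. If `args.at(0)` is the receiver, as in other builtins, the loop also checks the console object itself, which looks harmless but could be documented. ConsoleCall's signature and the remainder of its body are outside the hunk.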