Diffstat (limited to 'deps/v8')
-rw-r--r-- | deps/v8/include/v8-version.h | 2 | ||||
-rw-r--r-- | deps/v8/src/builtins/builtins-console.cc | 16 | ||||
-rw-r--r-- | deps/v8/src/flags/flag-definitions.h | 2 | ||||
-rw-r--r-- | deps/v8/test/unittests/api/access-check-unittest.cc | 48 |
4 files changed, 66 insertions, 2 deletions
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 91d7633b05..8c333c3e1c 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 7
 #define V8_MINOR_VERSION 7
 #define V8_BUILD_NUMBER 299
-#define V8_PATCH_LEVEL 4
+#define V8_PATCH_LEVEL 8
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/builtins/builtins-console.cc b/deps/v8/src/builtins/builtins-console.cc
index 9ab3566cec..28c9261ed4 100644
--- a/deps/v8/src/builtins/builtins-console.cc
+++ b/deps/v8/src/builtins/builtins-console.cc
@@ -47,6 +47,22 @@ void ConsoleCall(
   CHECK(!isolate->has_scheduled_exception());
   if (!isolate->console_delegate()) return;
   HandleScope scope(isolate);
+
+  // Access check. The current context has to match the context of all
+  // arguments, otherwise the inspector might leak objects across contexts.
+  Handle<Context> context = handle(isolate->context(), isolate);
+  for (int i = 0; i < args.length(); ++i) {
+    Handle<Object> argument = args.at<Object>(i);
+    if (!argument->IsJSObject()) continue;
+
+    Handle<JSObject> argument_obj = Handle<JSObject>::cast(argument);
+    if (argument->IsAccessCheckNeeded(isolate) &&
+        !isolate->MayAccess(context, argument_obj)) {
+      isolate->ReportFailedAccessCheck(argument_obj);
+      return;
+    }
+  }
+
   debug::ConsoleCallArguments wrapper(args);
   Handle<Object> context_id_obj = JSObject::GetDataProperty(
       args.target(), isolate->factory()->console_context_id_symbol());
diff --git a/deps/v8/src/flags/flag-definitions.h b/deps/v8/src/flags/flag-definitions.h
index 40edde3443..c32bb03407 100644
--- a/deps/v8/src/flags/flag-definitions.h
+++ b/deps/v8/src/flags/flag-definitions.h
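Review bot: The new loop in ConsoleCall checks only the arguments themselves, so a cross-context object that is merely reachable from an argument (an element of an array literal or a property of a plain object created in the calling context) is never passed through `MayAccess` and still reaches the console delegate; whether that is a leak in practice depends on how far the inspector previews nested values, which is not visible here. If direct arguments are the intended scope, the comment should say so, e.g. `// Only the arguments themselves are checked; objects reachable from them are not.` so a later reader does not assume transitive coverage. The early `return` after `ReportFailedAccessCheck` does not inspect whether that call scheduled an exception, so it relies on the enclosing builtin surfacing it; ConsoleCall starts and ends outside this hunk, so that path cannot be confirmed from the diff.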
@@ -361,7 +361,7 @@ DEFINE_BOOL(enable_one_shot_optimization, true,
             "only be executed once")
 
 // Flag for sealed, frozen elements kind instead of dictionary elements kind
-DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, true,
+DEFINE_BOOL_READONLY(enable_sealed_frozen_elements_kind, false,
                      "Enable sealed, frozen elements kind")
 
 // Flags for data representation optimizations
diff --git a/deps/v8/test/unittests/api/access-check-unittest.cc b/deps/v8/test/unittests/api/access-check-unittest.cc
index 8bfb507a7c..65e20d2510 100644
--- a/deps/v8/test/unittests/api/access-check-unittest.cc
+++ b/deps/v8/test/unittests/api/access-check-unittest.cc
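Review bot: The default of `enable_sealed_frozen_elements_kind` is flipped from true to false with no note on why, and because it is `DEFINE_BOOL_READONLY` the previous behaviour cannot be restored from the command line, so the rationale has to live in the source. A one-line comment above the definition, e.g. `// Disabled in this branch; see <tracking-issue placeholder>.`, would tell the next reader whether this is a deliberate backport of a fix or a temporary revert that should be re-enabled later.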
@@ -71,4 +71,52 @@ TEST_F(AccessCheckTest, GetOwnPropertyDescriptor) {
              " .set.call(other, 42);");
 }
 
+namespace {
+bool failed_access_check_callback_called;
+
+v8::Local<v8::String> v8_str(const char* x) {
+  return v8::String::NewFromUtf8(v8::Isolate::GetCurrent(), x,
+                                 v8::NewStringType::kNormal)
+      .ToLocalChecked();
+}
+
+class AccessCheckTestConsoleDelegate : public debug::ConsoleDelegate {
+ public:
+  void Log(const debug::ConsoleCallArguments& args,
+           const debug::ConsoleContext& context) {
+    FAIL();
+  }
+};
+
+} // namespace
+
+// Ensure that {console.log} does an access check for its arguments.
+TEST_F(AccessCheckTest, ConsoleLog) {
+  isolate()->SetFailedAccessCheckCallbackFunction(
+      [](v8::Local<v8::Object> host, v8::AccessType type,
+         v8::Local<v8::Value> data) {
+        failed_access_check_callback_called = true;
+      });
+  AccessCheckTestConsoleDelegate console{};
+  debug::SetConsoleDelegate(isolate(), &console);
+
+  Local<ObjectTemplate> object_template = ObjectTemplate::New(isolate());
+  object_template->SetAccessCheckCallback(AccessCheck);
+
+  Local<Context> context1 = Context::New(isolate(), nullptr);
+  Local<Context> context2 = Context::New(isolate(), nullptr);
+
+  Local<Object> object1 =
+      object_template->NewInstance(context1).ToLocalChecked();
+  EXPECT_TRUE(context2->Global()
+                  ->Set(context2, v8_str("object_from_context1"), object1)
+                  .IsJust());
+
+  Context::Scope context_scope(context2);
+  failed_access_check_callback_called = false;
+  CompileRun(isolate(), "console.log(object_from_context1);").ToLocalChecked();
+
+  ASSERT_TRUE(failed_access_check_callback_called);
+}
+
 } // namespace v8
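Review bot: `debug::SetConsoleDelegate(isolate(), &console)` stores a pointer to the stack-local `console` and the test never clears it, so if the fixture's `isolate()` (defined outside this hunk) outlives the test body, the isolate is left with a dangling delegate pointer that any later console call in the same process would dereference; the failed-access-check callback installed just above is likewise never reset. Add `debug::SetConsoleDelegate(isolate(), nullptr);` before the test returns, or hold the registration in a small RAII guard so it is undone even when `ASSERT_TRUE` fails early. `AccessCheckTestConsoleDelegate::Log` overrides a virtual method without `override` (`void Log(...) override {`), which would catch a future signature drift in `ConsoleDelegate` at compile time rather than silently turning `FAIL()` into dead code.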