Title: [95011] trunk
Revision
95011
Author
wei...@apple.com
Date
2011-09-12 21:01:59 -0700 (Mon, 12 Sep 2011)

Log Message

Don't allow setting __proto__ to be a getter or setter
https://bugs.webkit.org/show_bug.cgi?id=67982

Reviewed by Gavin Barraclough.

Source/_javascript_Core: 

* runtime/JSObject.cpp:
(JSC::JSObject::defineGetter):
(JSC::JSObject::defineSetter):
Disallow setting a getter or setter on __proto__.

LayoutTests: 

* fast/js/prototypes-expected.txt:
* fast/js/script-tests/prototypes.js:
Add test that we disallow setting a getter or setter on __proto__.

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (95010 => 95011)


--- trunk/LayoutTests/ChangeLog	2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/LayoutTests/ChangeLog	2011-09-13 04:01:59 UTC (rev 95011)
@@ -1,3 +1,14 @@
+2011-09-12  Sam Weinig  <s...@webkit.org>
+
+        Don't allow setting __proto__ to be a getter or setter
+        https://bugs.webkit.org/show_bug.cgi?id=67982
+
+        Reviewed by Gavin Barraclough.
+
+        * fast/js/prototypes-expected.txt:
+        * fast/js/script-tests/prototypes.js:
+        Add test that we disallow setting a getter or setter on __proto__.
+
 2011-09-12  Jacky Jiang  <zhaji...@rim.com>
 
         Setting document.title doesn't affect contents of title tag of XHTML documents

Modified: trunk/LayoutTests/fast/js/prototypes-expected.txt (95010 => 95011)


--- trunk/LayoutTests/fast/js/prototypes-expected.txt	2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/LayoutTests/fast/js/prototypes-expected.txt	2011-09-13 04:01:59 UTC (rev 95011)
@@ -53,6 +53,8 @@
 PASS Object.__proto__.isPrototypeOf(Date) is true
 PASS Object.__proto__.isPrototypeOf(Number) is true
 PASS Object.__proto__.isPrototypeOf(String) is true
+PASS var wasSet = false; var o = { }; o.__defineGetter__("__proto__", function() { wasSet = true }); o.__proto__; wasSet; is false
+PASS var wasSet = false; var o = { }; o.__defineSetter__("__proto__", function() { wasSet = true }); o.__proto__ = {}; wasSet; is false
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/fast/js/script-tests/prototypes.js (95010 => 95011)


--- trunk/LayoutTests/fast/js/script-tests/prototypes.js	2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/LayoutTests/fast/js/script-tests/prototypes.js	2011-09-13 04:01:59 UTC (rev 95011)
@@ -55,4 +55,7 @@
 shouldBeTrue("Object.__proto__.isPrototypeOf(Number)");
 shouldBeTrue("Object.__proto__.isPrototypeOf(String)");
 
+shouldBeFalse("var wasSet = false; var o = { }; o.__defineGetter__(\"__proto__\", function() { wasSet = true }); o.__proto__; wasSet;");
+shouldBeFalse("var wasSet = false; var o = { }; o.__defineSetter__(\"__proto__\", function() { wasSet = true }); o.__proto__ = {}; wasSet;");
+
 var successfullyParsed = true;
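Review bot: Both added assertions only check that the user function was never called; neither checks that `o.__proto__` still resolves to the original prototype after the ignored call, and both exercise only `__defineGetter__`/`__defineSetter__`. Adding `shouldBeTrue("var o = { }; o.__defineGetter__(\"__proto__\", function() { }); o.__proto__ === Object.prototype");` (and the setter counterpart) would pin the intended result directly rather than by side effect. A case that supplies the accessor another way, such as an object-literal `get __proto__()` or `Object.defineProperty`, would show whether those routes fall under the same restriction. The expected outcome for them cannot be determined from this change and should be decided before the test is written.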

Modified: trunk/Source/_javascript_Core/ChangeLog (95010 => 95011)


--- trunk/Source/_javascript_Core/ChangeLog	2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-09-13 04:01:59 UTC (rev 95011)
@@ -1,3 +1,15 @@
+2011-09-12  Sam Weinig  <s...@webkit.org>
+
+        Don't allow setting __proto__ to be a getter or setter
+        https://bugs.webkit.org/show_bug.cgi?id=67982
+
+        Reviewed by Gavin Barraclough.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::defineGetter):
+        (JSC::JSObject::defineSetter):
+        Disallow setting a getter or setter on __proto__.
+
 2011-09-12  James Robinson  <jam...@chromium.org>
 
         Unreviewed build fix for chromium.

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (95010 => 95011)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2011-09-13 04:01:59 UTC (rev 95011)
@@ -322,6 +322,11 @@
 
 void JSObject::defineGetter(ExecState* exec, const Identifier& propertyName, JSObject* getterFunction, unsigned attributes)
 {
+    if (propertyName == exec->propertyNames().underscoreProto) {
+        // Defining a getter for __proto__ is silently ignored.
+        return;
+    }
+
     JSValue object = getDirect(exec->globalData(), propertyName);
     if (object && object.isGetterSetter()) {
         ASSERT(m_structure->hasGetterSetterProperties());
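Review bot: The `__proto__` guard is written twice, at the top of defineGetter here and again at the top of defineSetter in the next hunk. Neither hunk shows whether every path that installs an accessor (for example an accessor descriptor handled by defineOwnProperty) goes through these two functions. If any caller stores a GetterSetter directly, the restriction is incomplete, so it is worth confirming the call graph and, if needed, moving the check to the point where the GetterSetter is actually written. The comment records only that the call is ignored; something like `// An accessor must never replace the built-in __proto__ behaviour, so the request is dropped without throwing.` would tell the next maintainer why the early return must stay. Both function bodies continue outside the hunks.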
@@ -348,6 +353,11 @@
 
 void JSObject::defineSetter(ExecState* exec, const Identifier& propertyName, JSObject* setterFunction, unsigned attributes)
 {
+    if (propertyName == exec->propertyNames().underscoreProto) {
+        // Defining a setter for __proto__ is silently ignored.
+        return;
+    }
+
     JSValue object = getDirect(exec->globalData(), propertyName);
     if (object && object.isGetterSetter()) {
         ASSERT(m_structure->hasGetterSetterProperties());