Title: [95011] trunk
- Revision: 95011
- Author: wei...@apple.com
- Date: 2011-09-12 21:01:59 -0700 (Mon, 12 Sep 2011)
Log Message
Don't allow setting __proto__ to be a getter or setter
https://bugs.webkit.org/show_bug.cgi?id=67982
Reviewed by Gavin Barraclough.
Source/JavaScriptCore:
* runtime/JSObject.cpp:
(JSC::JSObject::defineGetter):
(JSC::JSObject::defineSetter):
Disallow setting a getter or setter on __proto__.
LayoutTests:
* fast/js/prototypes-expected.txt:
* fast/js/script-tests/prototypes.js:
Add test that we disallow setting a getter or setter on __proto__.
Diff
Modified: trunk/LayoutTests/ChangeLog (95010 => 95011)
--- trunk/LayoutTests/ChangeLog 2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/LayoutTests/ChangeLog 2011-09-13 04:01:59 UTC (rev 95011)
@@ -1,3 +1,14 @@
+2011-09-12 Sam Weinig <s...@webkit.org>
+
+ Don't allow setting __proto__ to be a getter or setter
+ https://bugs.webkit.org/show_bug.cgi?id=67982
+
+ Reviewed by Gavin Barraclough.
+
+ * fast/js/prototypes-expected.txt:
+ * fast/js/script-tests/prototypes.js:
+ Add test that we disallow setting a getter or setter on __proto__.
+
2011-09-12 Jacky Jiang <zhaji...@rim.com>
Setting document.title doesn't affect contents of title tag of XHTML documents
Modified: trunk/LayoutTests/fast/js/prototypes-expected.txt (95010 => 95011)
--- trunk/LayoutTests/fast/js/prototypes-expected.txt 2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/LayoutTests/fast/js/prototypes-expected.txt 2011-09-13 04:01:59 UTC (rev 95011)
@@ -53,6 +53,8 @@
PASS Object.__proto__.isPrototypeOf(Date) is true
PASS Object.__proto__.isPrototypeOf(Number) is true
PASS Object.__proto__.isPrototypeOf(String) is true
+PASS var wasSet = false; var o = { }; o.__defineGetter__("__proto__", function() { wasSet = true }); o.__proto__; wasSet; is false
+PASS var wasSet = false; var o = { }; o.__defineSetter__("__proto__", function() { wasSet = true }); o.__proto__ = {}; wasSet; is false
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/fast/js/script-tests/prototypes.js (95010 => 95011)
--- trunk/LayoutTests/fast/js/script-tests/prototypes.js 2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/LayoutTests/fast/js/script-tests/prototypes.js 2011-09-13 04:01:59 UTC (rev 95011)
@@ -55,4 +55,7 @@
shouldBeTrue("Object.__proto__.isPrototypeOf(Number)");
shouldBeTrue("Object.__proto__.isPrototypeOf(String)");
+shouldBeFalse("var wasSet = false; var o = { }; o.__defineGetter__(\"__proto__\", function() { wasSet = true }); o.__proto__; wasSet;");
+shouldBeFalse("var wasSet = false; var o = { }; o.__defineSetter__(\"__proto__\", function() { wasSet = true }); o.__proto__ = {}; wasSet;");
+
var successfullyParsed = true;
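Review bot: both added shouldBeFalse cases assert only that wasSet stays false, so they would still pass if the ignored __defineGetter__ or __defineSetter__ call left o.__proto__ in a broken state. Suggest also asserting that o.__proto__ is still Object.prototype after the getter case, and that o.__proto__ = {} really changed the prototype in the setter case. The cases also exercise only the __defineGetter__ and __defineSetter__ entry points; a case using Object.defineProperty(o, "__proto__", { get: ... }) and one using object-literal get/set syntax would show whether those routes are covered by the same restriction.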
Modified: trunk/Source/_javascript_Core/ChangeLog (95010 => 95011)
--- trunk/Source/_javascript_Core/ChangeLog 2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-09-13 04:01:59 UTC (rev 95011)
@@ -1,3 +1,15 @@
+2011-09-12 Sam Weinig <s...@webkit.org>
+
+ Don't allow setting __proto__ to be a getter or setter
+ https://bugs.webkit.org/show_bug.cgi?id=67982
+
+ Reviewed by Gavin Barraclough.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::defineGetter):
+ (JSC::JSObject::defineSetter):
+ Disallow setting a getter or setter on __proto__.
+
2011-09-12 James Robinson <jam...@chromium.org>
Unreviewed build fix for chromium.
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (95010 => 95011)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2011-09-13 03:55:41 UTC (rev 95010)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2011-09-13 04:01:59 UTC (rev 95011)
@@ -322,6 +322,11 @@
void JSObject::defineGetter(ExecState* exec, const Identifier& propertyName, JSObject* getterFunction, unsigned attributes)
{
+ if (propertyName == exec->propertyNames().underscoreProto) {
+ // Defining a getter for __proto__ is silently ignored.
+ return;
+ }
+
JSValue object = getDirect(exec->globalData(), propertyName);
if (object && object.isGetterSetter()) {
ASSERT(m_structure->hasGetterSetterProperties());
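Review bot: the comment in the guard added at the top of defineGetter restates what the code does but not why, and because the function returns void a caller cannot tell an ignored definition from a successful one. Suggest extending the comment with the reason __proto__ must not become an accessor (or a pointer to bug 67982), and saying explicitly that ignoring rather than throwing is the intended behaviour.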
@@ -348,6 +353,11 @@
void JSObject::defineSetter(ExecState* exec, const Identifier& propertyName, JSObject* setterFunction, unsigned attributes)
{
+ if (propertyName == exec->propertyNames().underscoreProto) {
+ // Defining a setter for __proto__ is silently ignored.
+ return;
+ }
+
JSValue object = getDirect(exec->globalData(), propertyName);
if (object && object.isGetterSetter()) {
ASSERT(m_structure->hasGetterSetterProperties());
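Review bot: the guard at the top of defineSetter is a copy of the one in defineGetter, differing only in one word of the comment. Suggest moving the propertyName == exec->propertyNames().underscoreProto check into a small shared helper so the two cannot drift apart and any later accessor-definition path can reuse it.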