Make sure that we can't access hidden properties by installing accessors on Object.prototype.

BUG:chromium:97784 TEST=cctest/test-api Review URL: http://codereview.chromium.org/8041020 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Make sure that we can't access hidden properties by installing accessors on Object.prototype.
BUG:chromium:97784 TEST=cctest/test-api Review URL: http://codereview.chromium.org/8041020 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@9434 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
7810ff70 · ricow@chromium.org · 083fd2a4 · 7810ff70 · 7810ff70
Commit 7810ff70 authored Sep 26, 2011 by ricow@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 35 additions and 0 deletions

objects.cc src/objects.cc +7 -0

test-api.cc test/cctest/test-api.cc +28 -0

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -3310,6 +3310,13 @@ MaybeObject* JSObject::GetHiddenProperties(CreationFlag flag) {
            isolate->context()->global_context()->object_function());
        if (!maybe_obj->ToObject(&hidden_obj)) return maybe_obj;
      }
+      // Don't allow leakage of the hidden object through accessors
+      // on Object.prototype.
+      {
+        MaybeObject* maybe_obj =
+            JSObject::cast(hidden_obj)->SetPrototype(heap->null_value(), false);
+        if (maybe_obj->IsFailure()) return maybe_obj;
+      }
      return obj->SetHiddenPropertiesObject(hidden_obj);
    } else {
      return heap->undefined_value();

--- a/test/cctest/test-api.cc
+++ b/test/cctest/test-api.cc
@@ -2007,6 +2007,34 @@ THREADED_TEST(HiddenProperties) {
 }


+THREADED_TEST(Regress97784) {
+  // Regression test for crbug.com/97784
+  // Messing with the Object.prototype should not have effect on
+  // hidden properties.
+  v8::HandleScope scope;
+  LocalContext env;
+
+  v8::Local<v8::Object> obj = v8::Object::New();
+  v8::Local<v8::String> key = v8_str("hidden");
+
+  CompileRun(
+      "set_called = false;"
+      "Object.defineProperty("
+      "    Object.prototype,"
+      "    'hidden',"
+      "    {get: function() { return 45; },"
+      "     set: function() { set_called = true; }})");
+
+  CHECK(obj->GetHiddenValue(key).IsEmpty());
+  // Make sure that the getter and setter from Object.prototype is not invoked.
+  // If it did we would have full access to the hidden properties in
+  // the accessor.
+  CHECK(obj->SetHiddenValue(key, v8::Integer::New(42)));
+  ExpectFalse("set_called");
+  CHECK_EQ(42, obj->GetHiddenValue(key)->Int32Value());
+}
+
+
 static bool interceptor_for_hidden_properties_called;
 static v8::Handle<Value> InterceptorForHiddenProperties(
    Local<String> name, const AccessorInfo& info) {