Timestamp:
Dec 10, 2015, 6:08:31 PM (10 years ago)
Author:
[email protected]
Message:

[CSP] eval() is not blocked for stringified literals
https://bugs.webkit.org/show_bug.cgi?id=152158
<rdar://problem/15775625>

Reviewed by Saam Barati.

Source/JavaScriptCore:

Fixes an issue where stringified literals can be eval()ed despite being disallowed by
the Content Security Policy of the page.

  • interpreter/Interpreter.cpp:

(JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
and return undefined.

  • runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncEval): Ditto.

LayoutTests:

Update test LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html to be
more comprehensive.

Add tests to ensure that we block eval() from within an external JavaScript script when the
policy of the page disallows eval() and that we block eval() inside a subframe that disallows
eval() when the page in the main frame allows eval().

  • http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html: Added.
  • http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
  • http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html: Added.
  • http/tests/security/contentSecurityPolicy/eval-blocked.html:
  • http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js: Added.
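The ordering bug behind this changeset, modelled in plain JavaScript as an added example; this is not WebKit code and does not reproduce JSC internals. The model assumes a global object that carries an `evalEnabled` flag (as in the patched `Interpreter.cpp`), a literal fast path that returns JSON-like programs without compiling them, and a compile step that holds the policy check. `evalBeforeFix` places the policy check only in the compile step, so any program the fast path accepts escapes it; `evalAfterFix` gates every string program before either path runs, which is what the patch does. The error message text and the sample programs are constructed for the example.

```javascript
'use strict';

// Constructed stand-in for the page's global object and its CSP eval state.
function makeGlobal(evalEnabled) {
  return {
    evalEnabled,
    // Constructed message; the real text comes from the page's policy.
    evalDisabledErrorMessage:
      "eval() is disallowed by the page's Content Security Policy",
  };
}

// Stand-in for a literal fast path: programs that are plain JSON literals
// (strings, numbers, arrays, objects) are answered without compiling code.
function tryLiteralParse(source) {
  try {
    return { ok: true, value: JSON.parse(source) };
  } catch (e) {
    return { ok: false };
  }
}

// Stand-in for building and running an eval executable. Before the fix
// this was the only place the policy was consulted.
function compileAndRun(globalObject, source) {
  if (!globalObject.evalEnabled) {
    throw new EvalError(globalObject.evalDisabledErrorMessage);
  }
  return (0, eval)(source); // indirect eval of the probe program
}

// Vulnerable ordering: the literal fast path answers before the policy check.
function evalBeforeFix(globalObject, program) {
  if (typeof program !== 'string') return program; // non-strings are returned as-is
  const literal = tryLiteralParse(program);
  if (literal.ok) return literal.value; // BUG: no policy check on this path
  return compileAndRun(globalObject, program);
}

// Fixed ordering: the policy is checked before any path can produce a value.
function evalAfterFix(globalObject, program) {
  if (typeof program !== 'string') return program;
  if (!globalObject.evalEnabled) {
    throw new EvalError(globalObject.evalDisabledErrorMessage);
  }
  const literal = tryLiteralParse(program);
  if (literal.ok) return literal.value;
  return compileAndRun(globalObject, program);
}

// Constructed probe programs: three stringified literals and two that
// need real compilation.
const PROGRAMS = ['"hello"', '[1, 2, 3]', '{"a": 1}', '1 + 1', 'Math.max(1, 2)'];

// Run one eval variant over the probes and record whether each was blocked
// by an EvalError (any other exception counts as a failure, not a block).
function probe(evalFn, globalObject, programs) {
  return programs.map((program) => {
    try {
      return { program, result: evalFn(globalObject, program), blocked: false };
    } catch (e) {
      return { program, blocked: e instanceof EvalError, error: e.message };
    }
  });
}

// Programs that still evaluate under a policy that disallows eval().
function notBlocked(evalFn) {
  return probe(evalFn, makeGlobal(false), PROGRAMS)
    .filter((r) => !r.blocked)
    .map((r) => r.program);
}

console.log('bypasses before fix:', notBlocked(evalBeforeFix));
console.log('bypasses after fix: ', notBlocked(evalAfterFix));
```

In a real page the equivalent check is the one the updated layout tests perform: serve the document with a `script-src` directive that omits `'unsafe-eval'` and confirm that `eval('"hello"')`, `eval('[1, 2, 3]')` and `eval('{"a": 1}')` all throw `EvalError` rather than returning the literal, from inline script, from an external script, and inside a subframe whose own policy disallows eval.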
  • trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

    r193766 r193939  
    145145    if (!program.isString())
    146146        return program;
    147    
     147
    148148    TopCallFrameSetter topCallFrame(callFrame->vm(), callFrame);
     149    JSGlobalObject* globalObject = callFrame->lexicalGlobalObject();
     150    if (!globalObject->evalEnabled()) {
     151        callFrame->vm().throwException(callFrame, createEvalError(callFrame, globalObject->evalDisabledErrorMessage()));
     152        return jsUndefined();
     153    }
    149154    String programSource = asString(program)->value(callFrame);
    150155    if (callFrame->hadException())
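Review bot: the new gate on lines 149-153 is placed before `programSource` is read on line 154, so no path later in this function can hand back a value for a string program without the policy having been consulted; that ordering is the whole fix and deserves a one-line comment above line 150 saying so, otherwise a future fast path or cache lookup could drift back above it. The non-string early return on line 145 stays ahead of the check, which is correct since no code is evaluated on that path, but the comment should state that too. Throwing via `callFrame->vm().throwException` and returning `jsUndefined()` matches the existing `hadException()` convention on line 155. The whitespace-only edit on line 147 is unrelated to the fix and could be dropped to keep the diff minimal.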