Named property confusion with __proto__
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 19 Sep 2011 22:56:22 +0000 (22:56 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 19 Sep 2011 22:56:22 +0000 (22:56 +0000)
commit9e21c2a8410d12e9c5b9cde20b353fc060b62184
tree5c9501a5fa4b564a0bd46ec48880a9908361dc6a
parent2fca7fac029cfd9f10cd3d780d58e2f962a78594
Named property confusion with __proto__
https://bugs.webkit.org/show_bug.cgi?id=68221

Reviewed by Eric Seidel.

Source/WebCore:

The __proto__ property is super magical because it's not a real named
property and it has higher precedence than even interceptors.  This
confuses this check, which is meant to detech which names will get
handled by our interceptor.

Test: http/tests/security/window-named-proto.html

* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::V8DOMWindow::namedSecurityCheck):

LayoutTests:

* http/tests/security/resources/innocent-victim-with-iframe.html: Added.
* http/tests/security/window-named-proto-expected.txt: Added.
* http/tests/security/window-named-proto.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95488 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/resources/innocent-victim-with-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/window-named-proto-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/window-named-proto.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp