[v8] Security feature: JavaScript Bindings hardening
https://bugs.webkit.org/show_bug.cgi?id=106608
Source/WebCore:
The patch adds a check at wrapper creation time to enuse that the
object being wrapped is not already free, to the extent that we know
the information about the type of the object as provided in the IDL.
Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
Reviewed by Adam Barth.
Patch is correct if existing tests pass without new crashes.
* bindings/scripts/CodeGeneratorV8.pm:
(GenerateImplementation):
(GenerateToV8Converters):
(GetNativeTypeForConversions):
(GetGnuVTableRefForInterface):
(GetGnuVTableNameForInterface):
(GetGnuMangledNameForInterface):
(GetGnuVTableOffsetForType):
(GetWinVTableRefForInterface):
(GetWinVTableNameForInterface):
(GetWinMangledNameForInterface):
(GetNamespaceForInterface):
(GetImplementationLacksVTableForInterface):
(GetV8SkipVTableValidationForInterface):
Update code generation to add object validity tests under the control
of the ENABLE_BINDING_INTEGRITY option.
* Modules/filesystem/DirectoryReader.idl:
* Modules/filesystem/DirectoryReaderSync.idl:
* Modules/filesystem/EntryArray.idl:
* Modules/filesystem/EntryArraySync.idl:
* Modules/filesystem/Metadata.idl:
* Modules/gamepad/Gamepad.idl:
* Modules/gamepad/GamepadList.idl:
* Modules/geolocation/Geoposition.idl:
* Modules/geolocation/PositionError.idl:
* Modules/indexeddb/IDBFactory.idl:
* Modules/indexeddb/IDBIndex.idl:
* Modules/indexeddb/IDBKeyRange.idl:
* Modules/indexeddb/IDBObjectStore.idl:
* Modules/mediastream/RTCStatsElement.idl:
* Modules/mediastream/RTCStatsReport.idl:
* Modules/quota/StorageInfo.idl:
* Modules/speech/SpeechGrammar.idl:
* Modules/speech/SpeechGrammarList.idl:
* Modules/speech/SpeechRecognitionAlternative.idl:
* Modules/speech/SpeechRecognitionResult.idl:
* Modules/speech/SpeechRecognitionResultList.idl:
* Modules/webaudio/AudioBuffer.idl:
* Modules/webaudio/AudioDestinationNode.idl:
* Modules/webaudio/AudioListener.idl:
* Modules/webaudio/AudioSourceNode.idl:
* Modules/webaudio/WaveTable.idl:
* Modules/webdatabase/SQLError.idl:
* Modules/webdatabase/SQLException.idl:
* Modules/webdatabase/SQLResultSet.idl:
* Modules/webdatabase/SQLResultSetRowList.idl:
* Modules/webdatabase/SQLTransaction.idl:
* Modules/webdatabase/SQLTransactionSync.idl:
* bindings/scripts/IDLAttributes.txt:
* css/CSSPrimitiveValue.idl:
* css/CSSRule.idl:
* css/CSSRuleList.idl:
* css/CSSStyleDeclaration.idl:
* css/CSSValue.idl:
* css/CSSValueList.idl:
* css/Counter.idl:
* css/MediaList.idl:
* css/MediaQueryList.idl:
* css/RGBColor.idl:
* css/Rect.idl:
* css/StyleSheetList.idl:
* css/WebKitCSSFilterValue.idl:
* css/WebKitCSSMixFunctionValue.idl:
* css/WebKitCSSTransformValue.idl:
* dom/ClientRect.idl:
* dom/ClientRectList.idl:
* dom/Clipboard.idl:
* dom/DOMCoreException.idl:
* dom/DOMError.idl:
* dom/DOMImplementation.idl:
* dom/DOMNamedFlowCollection.idl:
* dom/DOMStringList.idl:
* dom/DOMStringMap.idl:
* dom/DataTransferItem.idl:
* dom/DataTransferItemList.idl:
* dom/DocumentFragment.idl:
* dom/Element.idl:
* dom/Entity.idl:
* dom/Event.idl:
* dom/EventException.idl:
* dom/MessageChannel.idl:
* dom/MouseEvent.idl:
* dom/MutationObserver.idl:
* dom/MutationRecord.idl:
* dom/NamedNodeMap.idl:
* dom/NodeFilter.idl:
* dom/NodeIterator.idl:
* dom/NodeList.idl:
* dom/Range.idl:
* dom/RangeException.idl:
* dom/Touch.idl:
* dom/TouchList.idl:
* dom/TreeWalker.idl:
* fileapi/FileError.idl:
* fileapi/FileException.idl:
* fileapi/FileList.idl:
* html/DOMFormData.idl:
* html/DOMTokenList.idl:
* html/DOMURL.idl:
* html/HTMLAllCollection.idl:
* html/HTMLCollection.idl:
* html/HTMLDialogElement.idl:
* html/HTMLDivElement.idl:
* html/HTMLDocument.idl:
* html/HTMLElement.idl:
* html/HTMLImageElement.idl:
* html/HTMLInputElement.idl:
* html/HTMLSelectElement.idl:
* html/HTMLSpanElement.idl:
* html/HTMLUnknownElement.idl:
* html/ImageData.idl:
* html/MediaError.idl:
* html/MediaKeyError.idl:
* html/TimeRanges.idl:
* html/ValidityState.idl:
* html/canvas/ArrayBuffer.idl:
* html/canvas/ArrayBufferView.idl:
* html/canvas/CanvasGradient.idl:
* html/canvas/CanvasPattern.idl:
* html/canvas/Float32Array.idl:
* html/canvas/Float64Array.idl:
* html/canvas/Int16Array.idl:
* html/canvas/Int32Array.idl:
* html/canvas/Int8Array.idl:
* html/canvas/Uint16Array.idl:
* html/canvas/Uint32Array.idl:
* html/canvas/Uint8Array.idl:
* html/canvas/Uint8ClampedArray.idl:
* html/canvas/WebGLActiveInfo.idl:
* html/canvas/WebGLShaderPrecisionFormat.idl:
* html/track/TextTrack.idl:
* html/track/TextTrackCue.idl:
* html/track/TextTrackCueList.idl:
* inspector/InjectedScriptHost.idl:
* inspector/InspectorFrontendHost.idl:
* inspector/JavaScriptCallFrame.idl:
* page/Coordinates.idl:
* page/Crypto.idl:
* page/MemoryInfo.idl:
* page/PagePopupController.idl:
* page/PerformanceEntryList.idl:
* page/SpeechInputResult.idl:
* page/SpeechInputResultList.idl:
* page/WebKitPoint.idl:
* svg/SVGAnimatedAngle.idl:
* svg/SVGAnimatedBoolean.idl:
* svg/SVGAnimatedEnumeration.idl:
* svg/SVGAnimatedInteger.idl:
* svg/SVGAnimatedLength.idl:
* svg/SVGAnimatedLengthList.idl:
* svg/SVGAnimatedNumber.idl:
* svg/SVGAnimatedNumberList.idl:
* svg/SVGAnimatedPreserveAspectRatio.idl:
* svg/SVGAnimatedRect.idl:
* svg/SVGAnimatedString.idl:
* svg/SVGAnimatedTransformList.idl:
* svg/SVGColor.idl:
* svg/SVGException.idl:
* svg/SVGPaint.idl:
* svg/SVGPathSeg.idl:
* svg/SVGRenderingIntent.idl:
* svg/SVGUnitTypes.idl:
* svg/SVGZoomAndPan.idl:
* testing/MallocStatistics.idl:
* testing/TypeConversions.idl:
* workers/WorkerLocation.idl:
* xml/DOMParser.idl:
* xml/XMLHttpRequestException.idl:
* xml/XMLSerializer.idl:
* xml/XPathEvaluator.idl:
* xml/XPathException.idl:
* xml/XPathExpression.idl:
* xml/XPathNSResolver.idl:
* xml/XPathResult.idl:
* xml/XSLTProcessor.idl:
Add exceptions to binding integrity checks to IDL.
Source/WebKit/chromium:
Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
Reviewed by Adam Barth.
* features.gypi:
Added ENABLE_BINDING_INTEGRITY option.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
163 files changed
