Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(1437)

Issue 214110043: Repair Safari Throw-Thaw Vulnerability (Closed)

Can't Edit
Can't Publish+Mail
Start Review
Created:
9 years ago by MarkM
Modified:
9 years ago
Reviewers:
Jasvir, kpreid2
CC:
caja-discuss-undisclosed_googlegroups.com, felix8a, ihab.awad, metaweta, MikeSamuel, MarkM, kpreid2, google-caja-discuss_googlegroups.com
Base URL:
http://google-caja.googlecode.com/svn/trunk/
Visibility:
Public.

Description

Webkit bug https://bugs.webkit.org/show_bug.cgi?id=141878 is that throwing a frozen object unfreezes it in a way that creates an opportunity for a capability leak. This CL adds a repair to make us safe from this bug on Safari. Note: The first snapshot does none of this, but just merges the outstanding changes from https://codereview.appspot.com/202030043/ and https://codereview.appspot.com/202040043/ . The actual content of this CL will be the differential from those.

Patch Set 1 #

Patch Set 2 : Repair Safari Throw-Thaw Vulnerability #

Patch Set 3 : Repair Safari Throw-Thaw Vulnerability #

Total comments: 10

Patch Set 4 : Repair Safari Throw-Thaw Vulnerability #

Patch Set 5 : Repair Safari Throw-Thaw Vulnerability #

Unified diffs Side-by-side diffs Delta from patch set Stats (+1131 lines, -172 lines) Patch
M src/com/google/caja/ses/WeakMap.js View 1 2 3 4 1 chunk +11 lines, -0 lines 0 comments Download
M src/com/google/caja/ses/repair-framework.js View 1 2 3 4 3 chunks +8 lines, -5 lines 0 comments Download
M src/com/google/caja/ses/repairES5.js View 1 2 3 4 16 chunks +808 lines, -49 lines 0 comments Download
M src/com/google/caja/ses/startSES.js View 1 2 3 4 12 chunks +173 lines, -86 lines 0 comments Download
M src/com/google/caja/ses/whitelist.js View 1 2 3 4 5 chunks +63 lines, -18 lines 0 comments Download
M tests/com/google/caja/plugin/test-scan-core.js View 1 2 3 4 1 chunk +5 lines, -1 line 0 comments Download
M tests/com/google/caja/plugin/test-scan-guest.js View 1 2 3 4 5 chunks +55 lines, -6 lines 0 comments Download
M tests/com/google/caja/ses/test-repair-framework.js View 1 2 3 4 5 chunks +8 lines, -7 lines 0 comments Download

Messages

Total messages: 14
MarkM
9 years ago (2015-03-11 03:18:36 UTC) #1
MarkM
Webkit bug https://bugs.webkit.org/show_bug.cgi?id=141878 is that throwing a frozen object unfreezes it in a way that ...
9 years ago (2015-03-11 06:10:33 UTC) #2
MarkM
I think I got it. Please take a look.
9 years ago (2015-03-11 06:13:45 UTC) #3
MarkM
Webkit bug https://bugs.webkit.org/show_bug.cgi?id=141878 is that throwing a frozen object unfreezes it in a way that ...
9 years ago (2015-03-11 06:27:22 UTC) #4
Jasvir
I've reviewed the Safari repair but I don't understand security properties we're trying to maintain ...
9 years ago (2015-03-11 13:40:07 UTC) #5
MarkM
On 2015/03/11 13:40:07, Jasvir wrote: > I've reviewed the Safari repair but I don't understand ...
9 years ago (2015-03-11 14:14:53 UTC) #6
MarkM
Only review the changes since patchset 1. All the changes between base and patchset 1 ...
9 years ago (2015-03-11 14:15:47 UTC) #7
kpreid2
https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js#newcode4370 src/com/google/caja/ses/repairES5.js:4370: enumerable: false, // so it is invisible to ES3 ...
9 years ago (2015-03-11 16:29:22 UTC) #8
MarkM
Webkit bug https://bugs.webkit.org/show_bug.cgi?id=141878 is that throwing a frozen object unfreezes it in a way that ...
9 years ago (2015-03-11 16:59:40 UTC) #9
MarkM
https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js#newcode4370 src/com/google/caja/ses/repairES5.js:4370: enumerable: false, // so it is invisible to ES3 ...
9 years ago (2015-03-11 17:07:31 UTC) #10
MarkM
https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js#newcode4370 src/com/google/caja/ses/repairES5.js:4370: enumerable: false, // so it is invisible to ES3 ...
9 years ago (2015-03-11 17:15:29 UTC) #11
Jasvir
On 2015/03/11 17:15:29, MarkM wrote: > https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js > File src/com/google/caja/ses/repairES5.js (right): > > https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js#newcode4370 > ...
9 years ago (2015-03-11 17:23:31 UTC) #12
kpreid2
LGTM https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js File src/com/google/caja/ses/repairES5.js (right): https://codereview.appspot.com/214110043/diff/40001/src/com/google/caja/ses/repairES5.js#newcode4370 src/com/google/caja/ses/repairES5.js:4370: enumerable: false, // so it is invisible to ...
9 years ago (2015-03-11 17:25:56 UTC) #13
MarkM
9 years ago (2015-03-13 19:41:51 UTC) #14
Webkit bug https://bugs.webkit.org/show_bug.cgi?id=141878 is that
throwing a frozen object unfreezes it in a way that creates an
opportunity for a capability leak. This CL extends the existing test
and adds a repair to make things safe from this bug on Safari.

Note: The first snapshot does none of this, but just merges the
outstanding changes from https://codereview.appspot.com/202030043/ and
https://codereview.appspot.com/202040043/ . The actual content of this
CL will be the differential from those.
Sign in to reply to this message.

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b