JS security and enumerating a Window
Koos Vriezen
koos.vriezen at xs4all.nl
Fri Oct 25 15:35:56 BST 2002
On Fri, 25 Oct 2002, Koos Vriezen wrote:
> On Thu, 24 Oct 2002, Koos Vriezen wrote:
>
> > <HTML><HEAD><SCRIPT>
> > function doIt() {
> > myframe1.document.open();
> > myframe1.document.write("<html><body>");
> > for(var i in frames[1]) {
> > try{
> > myframe1.document.write(i + "=" + frames[1][i] + "<br>");
> > } catch(e) {
> > myframe1.document.write(i + " error<br>");
> > }
> > }
> > myframe1.document.write("</body></html>");
> > myframe1.document.close();
> > }
> > </SCRIPT> </HEAD>
> > <FRAMESET ROWS="300,*" onLoad="doIt()">
> > <FRAME NAME="myframe1" SRC="about:blank">
> > <FRAME NAME="myframe2" SRC="http://localhost/~koos/test.html">
> > </FRAMESET></HTML>
> >
> > where test.html is:
> > <html><head><script>
> > var foo="bar";
> > </script></head>
> > <body></body></html>
> >
> > Document opened with konq's filemanager, domain file:/.... As is myframe1.
> > And myframe2 has domain http://localhost/.
> > Does give a lot of 'WARNING: Javascript: access denied for current
> > frame...', but I can see JS variable name 'foo'. Don't see the value of it
> > though.
When I do JS 'typeof eval("frames[1]")' from the FRAMESET page, it returns
"object". Doing '"" + frames[1]' generates
khtml (jscript): WARNING: Script threw exception: TypeError: No default
value
at the console (where did I see that before :) ).
Anyways,
diff -u -3 -p -r1.282 kjs_window.cpp
--- ecma/kjs_window.cpp 2002/10/24 17:05:01 1.282
+++ ecma/kjs_window.cpp 2002/10/25 14:31:23
@@ -1531,6 +1531,9 @@ Value FrameArray::get(ExecState *exec, c
// Therefore we have to be a bit careful with memory managment.
if (frame && frame->inherits("KHTMLPart")) {
KHTMLPart *khtml = static_cast<KHTMLPart*>(frame);
+ Window* window = Window::retrieveWindow( khtml );
+ if (!window->isSafeScript(exec))
+ return Undefined();
return Window::retrieve(khtml);
}
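Review bot: window is dereferenced in window->isSafeScript(exec) without a null check, and nothing in this hunk shows that Window::retrieveWindow( khtml ) always returns a non-null pointer for a KHTMLPart; I would write if (!window || !window->isSafeScript(exec)) return Undefined(); so the lookup fails closed. The same part is also resolved twice (retrieveWindow, then Window::retrieve(khtml)), which could be folded into one lookup once the check passes. A one-line comment stating that the denied case returns Undefined() on purpose would help, since the message itself is still asking whether this path should raise an exception instead.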
does reject enumerating this frame.
>
> In my attempt to add something like this in Window::isSafeScript before
> returning false (there is no SecurityError in kjs/object.h)
> Object err = Error::create(exec, GeneralError);
> exec->setException(err);
Shouldn't JS throw a security exception like above (adding a SecurityError
in kjs/object.h as well)?
Koos
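
The behaviour reported in this message (for-in on the other frame lists the name 'foo' while reading its value is refused) can be modelled outside the browser. The sketch below is an added illustration, not KHTML/KJS code and not code from this thread: it uses a JavaScript Proxy as a stand-in for a cross-origin window, and guardedWindow, SecurityError, enumerate and the sample origins are hypothetical names.

```javascript
// Added illustration (not KHTML code): models a cross-origin window wrapper.
// guardedWindow, SecurityError and the origins below are hypothetical names.
class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// Wrap `target` (a stand-in for another frame's global object) so that a
// caller from `callerOrigin` can only touch it when the origins match.
// guardEnumeration=false reproduces the leak: values denied, names visible.
function guardedWindow(target, targetOrigin, callerOrigin, guardEnumeration) {
  const safe = () => targetOrigin === callerOrigin;
  const deny = (op) => { throw new SecurityError(op + " denied for " + callerOrigin); };
  const handler = {
    get(t, key) { return safe() ? Reflect.get(t, key) : deny("get"); },
    set(t, key, value) { return safe() ? Reflect.set(t, key, value) : deny("set"); },
  };
  if (guardEnumeration) {
    handler.ownKeys = (t) => (safe() ? Reflect.ownKeys(t) : deny("ownKeys"));
    handler.has = (t, key) => (safe() ? Reflect.has(t, key) : deny("has"));
    handler.getOwnPropertyDescriptor = (t, key) =>
      safe() ? Reflect.getOwnPropertyDescriptor(t, key) : deny("describe");
  }
  return new Proxy(target, handler);
}

// Same loop shape as doIt() in the quoted test page: list names, try values.
function enumerate(win) {
  const seen = [];
  try {
    for (const name in win) {
      try { seen.push(name + "=" + win[name]); }
      catch (e) { seen.push(name + " error"); }
    }
  } catch (e) {
    seen.push("enumeration blocked: " + e.name);
  }
  return seen;
}

// Constructed sample: the global of test.html after `var foo = "bar"`.
const frameGlobal = { foo: "bar" };
const leaky = guardedWindow(frameGlobal, "http://localhost", "file://", false);
const fixed = guardedWindow(frameGlobal, "http://localhost", "file://", true);
const same = guardedWindow(frameGlobal, "http://localhost", "http://localhost", true);

console.log(enumerate(leaky), enumerate(fixed), enumerate(same));
```

With enumeration unguarded, the cross-origin caller still learns the variable name; guarding the enumeration and descriptor paths as well removes that signal, and the same-origin caller is unaffected.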