JS security and enumerating a Window

Koos Vriezen koos.vriezen at xs4all.nl
Fri Oct 25 15:35:56 BST 2002


On Fri, 25 Oct 2002, Koos Vriezen wrote:

> On Thu, 24 Oct 2002, Koos Vriezen wrote:
>
> > <HTML><HEAD><SCRIPT>
> > function doIt() {
> >   myframe1.document.open();
> >   myframe1.document.write("<html><body>");
> >   for(var i in frames[1]) {
> >     try{
> >       myframe1.document.write(i + "=" + frames[1][i] + "<br>");
> >     } catch(e) {
> >       myframe1.document.write(i + " error<br>");
> >     }
> >   }
> >   myframe1.document.write("</body></html>");
> >   myframe1.document.close();
> > }
> > </SCRIPT> </HEAD>
> > <FRAMESET ROWS="300,*" onLoad="doIt()">
> >   <FRAME NAME="myframe1" SRC="about:blank">
> >   <FRAME NAME="myframe2" SRC="http://localhost/~koos/test.html">
> > </FRAMESET></HTML>
> >
> > where test.html is:
> >   <html><head><script>
> >     var foo="bar";
> >   </script></head>
> >   <body></body></html>
> >
> > Document opened with konq's filemanager, domain file:/.... As is myframe1.
> > And myframe2 has domain http://localhost/.
> > Does give a lot of 'WARNING: Javascript: access denied for current
> > frame...', but I can see JS variable name 'foo'. Don't see the value of it
> > though.

When I do JS 'typeof eval("frames[1]")' from the FRAMESET page, it returns
"object". Doing '"" + frames[1]' generates
khtml (jscript): WARNING: Script threw exception: TypeError: No default
value
at the console (where did I see that before :) ).
Anyways,

diff -u -3 -p -r1.282 kjs_window.cpp
--- ecma/kjs_window.cpp 2002/10/24 17:05:01     1.282
+++ ecma/kjs_window.cpp 2002/10/25 14:31:23
@@ -1531,6 +1531,9 @@ Value FrameArray::get(ExecState *exec, c
   // Therefore we have to be a bit careful with memory managment.
   if (frame && frame->inherits("KHTMLPart")) {
     KHTMLPart *khtml = static_cast<KHTMLPart*>(frame);
+    Window* window = Window::retrieveWindow( khtml );
+    if (!window->isSafeScript(exec))
+      return Undefined();
     return Window::retrieve(khtml);
   }

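Review bot: the added lines dereference the result of `Window::retrieveWindow( khtml )` in `window->isSafeScript(exec)` without a null check. If retrieveWindow can return a null pointer for a part, this lookup crashes instead of denying access; `if (!window || !window->isSafeScript(exec)) return Undefined();` would fail closed in that case too. A short comment saying that the cross-domain check is done here so the frame object is never handed to the caller would also help, since the denial is silent (Undefined, no exception).
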
does reject enumerating this frame.

>
> In my attempt to add something like this in Window::isSafeScript before
> returning false (there is no SecurityError in kjs/object.h)
>   Object err = Error::create(exec, GeneralError);
>   exec->setException(err);

Shouldn't JS throw a security exception like above (adding a SecurityError
in kjs/object.h as well)?

Koos
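
The behaviour reported in this message and the effect of the patch, modelled in plain JavaScript as an added example (not part of the original post and not KHTML/KJS code). The origins and the names `frameBeforePatch`, `frameAfterPatch` and `enumerate` are hypothetical, and the denied read is modelled as a thrown TypeError, which is an assumption.

```javascript
// Constructed model of the behaviour in this thread; not KHTML/KJS code.
// A frame is an origin plus its script globals (values taken from test.html).
const parent = "file://";
const child = { origin: "http://localhost", globals: { foo: "bar" } };

function sameOrigin(caller, frame) {
  return caller === frame.origin;
}

// Before the patch: the frame object is handed to any caller and only
// property reads are checked, so for...in still walks the property names.
function frameBeforePatch(caller, frame) {
  return new Proxy(frame.globals, {
    get(target, key) {
      // Assumption: a denied read is modelled as an exception.
      if (!sameOrigin(caller, frame)) throw new TypeError("access denied");
      return target[key];
    },
  });
}

// After the patch: the check runs at lookup time, so a cross-origin caller
// gets undefined and has nothing to enumerate.
function frameAfterPatch(caller, frame) {
  if (!sameOrigin(caller, frame)) return undefined;
  return frame.globals;
}

// Same loop as doIt() in the post: list each name, and its value if readable.
function enumerate(win) {
  const seen = [];
  for (const name in win) {
    try {
      seen.push(name + "=" + win[name]);
    } catch (e) {
      seen.push(name + " error");
    }
  }
  return seen;
}

console.log(enumerate(frameBeforePatch(parent, child))); // name leaks, value denied
console.log(enumerate(frameAfterPatch(parent, child)));  // nothing to walk
```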





More information about the kfm-devel mailing list