JS security and enumerating a Window
David Faure
david at mandrakesoft.com
Fri Oct 25 15:51:12 BST 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 25 October 2002 16:35, Koos Vriezen wrote:
> When I do JS 'typeof eval("frames[1]")' from the FRAMESET page, it return
> "object". Doing '"" + frames[1]' generates
> khtml (jscript): WARNING: Script threw exception: TypeError: No default
> value
> at the console (where did I see that before :) ).
> Anyways,
>
> diff -u -3 -p -r1.282 kjs_window.cpp
> --- ecma/kjs_window.cpp 2002/10/24 17:05:01 1.282
> +++ ecma/kjs_window.cpp 2002/10/25 14:31:23
> @@ -1531,6 +1531,9 @@ Value FrameArray::get(ExecState *exec, c
> // Therefore we have to be a bit careful with memory managment.
> if (frame && frame->inherits("KHTMLPart")) {
> KHTMLPart *khtml = static_cast<KHTMLPart*>(frame);
> + Window* window = Window::retrieveWindow( khtml );
> + if (!window->isSafeScript(exec))
> + return Undefined();
> return Window::retrieve(khtml);
> }
> does reject enumerating this frame.
Looks good, although I'd use window for speed reasons.
So that would be simply "return window" (implicitly: return Value(window)).
> > In my attempt to add something like this in Window::isSafeScript before
> > returning false (there is no SecurityError in kjs/object.h)
> > Object err = Error::create(exec, GeneralError);
> > exec->setException(err);
>
> Shouldn't JS throw a security exception like above (adding a SecurityError
> in kjs/object.h as well).
Sounds good to me. Big change to kjs_window.cpp, but should be rather safe.
- --
David FAURE, david at mandrakesoft.com, faure at kde.org
http://people.mandrakesoft.com/~david/
Contributing to: http://www.konqueror.org/, http://www.koffice.org/
Get the latest KOffice - http://download.kde.org/stable/koffice-1.2/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9uVpg72KcVAmwbhARAkkcAJoCtaVRLFGop8X1ZEs9Qp0+bCUEtQCgpnWt
3LyeIVf9ZpR6ydqtehMFOZ8=
=PueV
-----END PGP SIGNATURE-----
More information about the kfm-devel
mailing list