mirror of
https://bitbucket.org/chromiumembedded/cef
synced 2025-06-05 21:39:12 +02:00
Allow CefV8Context::Eval to bypass CSP (issue #2024)
This commit is contained in:
@ -162,8 +162,8 @@ void CefFrameImpl::ExecuteJavaScript(const CefString& jsCode,
|
||||
|
||||
if (jsCode.empty())
|
||||
return;
|
||||
if (startLine < 0)
|
||||
startLine = 0;
|
||||
if (startLine < 1)
|
||||
startLine = 1;
|
||||
|
||||
if (frame_) {
|
||||
GURL gurl = GURL(scriptUrl.ToString());
|
||||
|
@ -1014,8 +1014,13 @@ bool CefV8ContextImpl::IsSame(CefRefPtr<CefV8Context> that) {
|
||||
}
|
||||
|
||||
bool CefV8ContextImpl::Eval(const CefString& code,
|
||||
const CefString& script_url,
|
||||
int start_line,
|
||||
CefRefPtr<CefV8Value>& retval,
|
||||
CefRefPtr<CefV8Exception>& exception) {
|
||||
retval = NULL;
|
||||
exception = NULL;
|
||||
|
||||
CEF_V8_REQUIRE_VALID_HANDLE_RETURN(false);
|
||||
|
||||
if (webkit_glue::IsScriptForbidden())
|
||||
@ -1030,33 +1035,28 @@ bool CefV8ContextImpl::Eval(const CefString& code,
|
||||
v8::HandleScope handle_scope(isolate);
|
||||
v8::Local<v8::Context> context = GetV8Context();
|
||||
v8::Context::Scope context_scope(context);
|
||||
v8::Local<v8::Object> obj = context->Global();
|
||||
|
||||
// Retrieve the eval function.
|
||||
v8::Local<v8::Value> val = obj->Get(v8::String::NewFromUtf8(isolate, "eval"));
|
||||
if (val.IsEmpty() || !val->IsFunction())
|
||||
return false;
|
||||
|
||||
v8::Local<v8::Function> func = v8::Local<v8::Function>::Cast(val);
|
||||
v8::Local<v8::Value> code_val = GetV8String(isolate, code);
|
||||
const blink::WebString& source = code.ToString16();
|
||||
const blink::WebString& source_url = script_url.ToString16();
|
||||
|
||||
v8::TryCatch try_catch(isolate);
|
||||
try_catch.SetVerbose(true);
|
||||
|
||||
retval = NULL;
|
||||
exception = NULL;
|
||||
|
||||
v8::MaybeLocal<v8::Value> func_rv =
|
||||
webkit_glue::CallV8Function(context, func, obj, 1, &code_val,
|
||||
handle_->isolate());
|
||||
webkit_glue::ExecuteV8ScriptAndReturnValue(source, source_url, start_line,
|
||||
context, isolate, try_catch,
|
||||
blink::AccessControlStatus::NotSharableCrossOrigin);
|
||||
|
||||
if (try_catch.HasCaught()) {
|
||||
exception = new CefV8ExceptionImpl(context, try_catch.Message());
|
||||
return false;
|
||||
} else if (!func_rv.IsEmpty()) {
|
||||
retval = new CefV8ValueImpl(isolate, context, func_rv.ToLocalChecked());
|
||||
return true;
|
||||
}
|
||||
return true;
|
||||
|
||||
NOTREACHED();
|
||||
return false;
|
||||
}
|
||||
|
||||
v8::Local<v8::Context> CefV8ContextImpl::GetV8Context() {
|
||||
|
@ -182,6 +182,8 @@ class CefV8ContextImpl : public CefV8Context {
|
||||
bool Exit() override;
|
||||
bool IsSame(CefRefPtr<CefV8Context> that) override;
|
||||
bool Eval(const CefString& code,
|
||||
const CefString& script_url,
|
||||
int start_line,
|
||||
CefRefPtr<CefV8Value>& retval,
|
||||
CefRefPtr<CefV8Exception>& exception) override;
|
||||
|
||||
|
@ -25,12 +25,14 @@ MSVC_PUSH_WARNING_LEVEL(0);
|
||||
#include "third_party/WebKit/public/web/WebViewClient.h"
|
||||
|
||||
#include "third_party/WebKit/Source/bindings/core/v8/ScriptController.h"
|
||||
#include "third_party/WebKit/Source/bindings/core/v8/ScriptSourceCode.h"
|
||||
#include "third_party/WebKit/Source/bindings/core/v8/V8Binding.h"
|
||||
#include "third_party/WebKit/Source/core/dom/Document.h"
|
||||
#include "third_party/WebKit/Source/core/dom/Element.h"
|
||||
#include "third_party/WebKit/Source/core/dom/Node.h"
|
||||
#include "third_party/WebKit/Source/core/editing/serializers/Serialization.h"
|
||||
#include "third_party/WebKit/Source/core/frame/LocalFrame.h"
|
||||
#include "third_party/WebKit/Source/core/frame/Settings.h"
|
||||
#include "third_party/WebKit/Source/web/WebLocalFrameImpl.h"
|
||||
#include "third_party/WebKit/Source/web/WebViewImpl.h"
|
||||
MSVC_POP_WARNING();
|
||||
@ -184,6 +186,51 @@ v8::MaybeLocal<v8::Value> CallV8Function(v8::Local<v8::Context> context,
|
||||
return func_rv;
|
||||
}
|
||||
|
||||
v8::MaybeLocal<v8::Value> ExecuteV8ScriptAndReturnValue(
|
||||
const blink::WebString& source,
|
||||
const blink::WebString& source_url,
|
||||
int start_line,
|
||||
v8::Local<v8::Context> context,
|
||||
v8::Isolate* isolate,
|
||||
v8::TryCatch& tryCatch,
|
||||
blink::AccessControlStatus accessControlStatus) {
|
||||
// Based on ScriptController::executeScriptAndReturnValue
|
||||
DCHECK(isolate);
|
||||
|
||||
if (start_line < 1)
|
||||
start_line = 1;
|
||||
|
||||
const blink::KURL kurl = source_url.isEmpty() ?
|
||||
blink::KURL() : blink::KURL(blink::ParsedURLString, source_url);
|
||||
|
||||
const blink::ScriptSourceCode ssc = blink::ScriptSourceCode(source, kurl,
|
||||
WTF::TextPosition(WTF::OrdinalNumber::fromOneBasedInt(start_line),
|
||||
WTF::OrdinalNumber::fromZeroBasedInt(0)));
|
||||
|
||||
v8::MaybeLocal<v8::Value> result;
|
||||
|
||||
blink::LocalFrame* frame =
|
||||
toLocalFrame(blink::toFrameIfNotDetached(context));
|
||||
DCHECK(frame);
|
||||
|
||||
if (frame) {
|
||||
blink::V8CacheOptions v8CacheOptions(blink::V8CacheOptionsDefault);
|
||||
if (frame && frame->settings())
|
||||
v8CacheOptions = frame->settings()->v8CacheOptions();
|
||||
|
||||
v8::Local<v8::Script> script;
|
||||
if (!blink::v8Call(blink::V8ScriptRunner::compileScript(ssc, isolate,
|
||||
accessControlStatus, v8CacheOptions), script, tryCatch)) {
|
||||
return result;
|
||||
}
|
||||
|
||||
result = blink::V8ScriptRunner::runCompiledScript(isolate, script,
|
||||
blink::toExecutionContext(context));
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
bool IsScriptForbidden() {
|
||||
return blink::ScriptForbiddenScope::isScriptForbidden();
|
||||
}
|
||||
|
@ -11,6 +11,7 @@
|
||||
#include <string>
|
||||
|
||||
#include "include/internal/cef_types.h"
|
||||
#include "third_party/WebKit/Source/core/fetch/AccessControlStatus.h"
|
||||
#include "v8/include/v8.h"
|
||||
|
||||
namespace blink {
|
||||
@ -52,6 +53,15 @@ v8::MaybeLocal<v8::Value> CallV8Function(v8::Local<v8::Context> context,
|
||||
v8::Local<v8::Value> args[],
|
||||
v8::Isolate* isolate);
|
||||
|
||||
v8::MaybeLocal<v8::Value> ExecuteV8ScriptAndReturnValue(
|
||||
const blink::WebString& source,
|
||||
const blink::WebString& source_url,
|
||||
int start_line,
|
||||
v8::Local<v8::Context> context,
|
||||
v8::Isolate* isolate,
|
||||
v8::TryCatch& tryCatch,
|
||||
blink::AccessControlStatus accessControlStatus);
|
||||
|
||||
bool IsScriptForbidden();
|
||||
|
||||
} // webkit_glue
|
||||
|
Reference in New Issue
Block a user