Allow CefV8Context::Eval to bypass CSP (issue #2024)

This commit is contained in:
Marshall Greenblatt
2016-10-27 12:34:19 -04:00
parent f7a4102978
commit 0e97c527ae
14 changed files with 274 additions and 52 deletions

View File

@ -162,8 +162,8 @@ void CefFrameImpl::ExecuteJavaScript(const CefString& jsCode,
if (jsCode.empty())
return;
if (startLine < 0)
startLine = 0;
if (startLine < 1)
startLine = 1;
if (frame_) {
GURL gurl = GURL(scriptUrl.ToString());

View File

@ -1014,8 +1014,13 @@ bool CefV8ContextImpl::IsSame(CefRefPtr<CefV8Context> that) {
}
bool CefV8ContextImpl::Eval(const CefString& code,
const CefString& script_url,
int start_line,
CefRefPtr<CefV8Value>& retval,
CefRefPtr<CefV8Exception>& exception) {
retval = NULL;
exception = NULL;
CEF_V8_REQUIRE_VALID_HANDLE_RETURN(false);
if (webkit_glue::IsScriptForbidden())
@ -1030,33 +1035,28 @@ bool CefV8ContextImpl::Eval(const CefString& code,
v8::HandleScope handle_scope(isolate);
v8::Local<v8::Context> context = GetV8Context();
v8::Context::Scope context_scope(context);
v8::Local<v8::Object> obj = context->Global();
// Retrieve the eval function.
v8::Local<v8::Value> val = obj->Get(v8::String::NewFromUtf8(isolate, "eval"));
if (val.IsEmpty() || !val->IsFunction())
return false;
v8::Local<v8::Function> func = v8::Local<v8::Function>::Cast(val);
v8::Local<v8::Value> code_val = GetV8String(isolate, code);
const blink::WebString& source = code.ToString16();
const blink::WebString& source_url = script_url.ToString16();
v8::TryCatch try_catch(isolate);
try_catch.SetVerbose(true);
retval = NULL;
exception = NULL;
v8::MaybeLocal<v8::Value> func_rv =
webkit_glue::CallV8Function(context, func, obj, 1, &code_val,
handle_->isolate());
webkit_glue::ExecuteV8ScriptAndReturnValue(source, source_url, start_line,
context, isolate, try_catch,
blink::AccessControlStatus::NotSharableCrossOrigin);
if (try_catch.HasCaught()) {
exception = new CefV8ExceptionImpl(context, try_catch.Message());
return false;
} else if (!func_rv.IsEmpty()) {
retval = new CefV8ValueImpl(isolate, context, func_rv.ToLocalChecked());
return true;
}
return true;
NOTREACHED();
return false;
}
v8::Local<v8::Context> CefV8ContextImpl::GetV8Context() {

View File

@ -182,6 +182,8 @@ class CefV8ContextImpl : public CefV8Context {
bool Exit() override;
bool IsSame(CefRefPtr<CefV8Context> that) override;
bool Eval(const CefString& code,
const CefString& script_url,
int start_line,
CefRefPtr<CefV8Value>& retval,
CefRefPtr<CefV8Exception>& exception) override;

View File

@ -25,12 +25,14 @@ MSVC_PUSH_WARNING_LEVEL(0);
#include "third_party/WebKit/public/web/WebViewClient.h"
#include "third_party/WebKit/Source/bindings/core/v8/ScriptController.h"
#include "third_party/WebKit/Source/bindings/core/v8/ScriptSourceCode.h"
#include "third_party/WebKit/Source/bindings/core/v8/V8Binding.h"
#include "third_party/WebKit/Source/core/dom/Document.h"
#include "third_party/WebKit/Source/core/dom/Element.h"
#include "third_party/WebKit/Source/core/dom/Node.h"
#include "third_party/WebKit/Source/core/editing/serializers/Serialization.h"
#include "third_party/WebKit/Source/core/frame/LocalFrame.h"
#include "third_party/WebKit/Source/core/frame/Settings.h"
#include "third_party/WebKit/Source/web/WebLocalFrameImpl.h"
#include "third_party/WebKit/Source/web/WebViewImpl.h"
MSVC_POP_WARNING();
@ -184,6 +186,51 @@ v8::MaybeLocal<v8::Value> CallV8Function(v8::Local<v8::Context> context,
return func_rv;
}
v8::MaybeLocal<v8::Value> ExecuteV8ScriptAndReturnValue(
const blink::WebString& source,
const blink::WebString& source_url,
int start_line,
v8::Local<v8::Context> context,
v8::Isolate* isolate,
v8::TryCatch& tryCatch,
blink::AccessControlStatus accessControlStatus) {
// Based on ScriptController::executeScriptAndReturnValue
DCHECK(isolate);
if (start_line < 1)
start_line = 1;
const blink::KURL kurl = source_url.isEmpty() ?
blink::KURL() : blink::KURL(blink::ParsedURLString, source_url);
const blink::ScriptSourceCode ssc = blink::ScriptSourceCode(source, kurl,
WTF::TextPosition(WTF::OrdinalNumber::fromOneBasedInt(start_line),
WTF::OrdinalNumber::fromZeroBasedInt(0)));
v8::MaybeLocal<v8::Value> result;
blink::LocalFrame* frame =
toLocalFrame(blink::toFrameIfNotDetached(context));
DCHECK(frame);
if (frame) {
blink::V8CacheOptions v8CacheOptions(blink::V8CacheOptionsDefault);
if (frame && frame->settings())
v8CacheOptions = frame->settings()->v8CacheOptions();
v8::Local<v8::Script> script;
if (!blink::v8Call(blink::V8ScriptRunner::compileScript(ssc, isolate,
accessControlStatus, v8CacheOptions), script, tryCatch)) {
return result;
}
result = blink::V8ScriptRunner::runCompiledScript(isolate, script,
blink::toExecutionContext(context));
}
return result;
}
bool IsScriptForbidden() {
return blink::ScriptForbiddenScope::isScriptForbidden();
}

View File

@ -11,6 +11,7 @@
#include <string>
#include "include/internal/cef_types.h"
#include "third_party/WebKit/Source/core/fetch/AccessControlStatus.h"
#include "v8/include/v8.h"
namespace blink {
@ -52,6 +53,15 @@ v8::MaybeLocal<v8::Value> CallV8Function(v8::Local<v8::Context> context,
v8::Local<v8::Value> args[],
v8::Isolate* isolate);
v8::MaybeLocal<v8::Value> ExecuteV8ScriptAndReturnValue(
const blink::WebString& source,
const blink::WebString& source_url,
int start_line,
v8::Local<v8::Context> context,
v8::Isolate* isolate,
v8::TryCatch& tryCatch,
blink::AccessControlStatus accessControlStatus);
bool IsScriptForbidden();
} // webkit_glue