Bug 213075 - RegExp.prototype getters should throw on cross-realm access
Summary: RegExp.prototype getters should throw on cross-realm access
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Trivial
Assignee: Alexey Shvayka
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2020-06-11 08:00 PDT by Alexey Shvayka
Modified: 2020-06-11 10:29 PDT (History)
CC: 10 users

See Also:


Attachments
Patch (9.29 KB, patch)
2020-06-11 08:01 PDT, Alexey Shvayka
no flags

Description Alexey Shvayka 2020-06-11 08:00:25 PDT
RegExp.prototype getters should throw on cross-realm access
Comment 1 Alexey Shvayka 2020-06-11 08:01:49 PDT
Created attachment 401644
Patch
Comment 2 Saam Barati 2020-06-11 09:19:02 PDT
Comment on attachment 401644
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=401644&action=review

> Source/JavaScriptCore/runtime/RegExpPrototype.cpp:242
> +        if (thisValue == globalObject->regExpPrototype())

Which realm is used by the spec? The realm from the object? Or the realm of the static code running? This is using the latter. Is that intentional?
Comment 3 Alexey Shvayka 2020-06-11 09:32:45 PDT
(In reply to Saam Barati from comment #2)
> Comment on attachment 401644
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=401644&action=review
> 
> > Source/JavaScriptCore/runtime/RegExpPrototype.cpp:242
> > +        if (thisValue == globalObject->regExpPrototype())
> 
> Which realm is used by the spec? The realm from the object? Or the realm of
> the static code running? This is using the latter. Is that intentional?

The spec uses realm of static code (of a getter).
Otherwise, the check would never fail: if `object` is a %RegExp.prototype%, `object.realm.RegExp.prototype` is `object` itself.
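The realm question in comments 2 and 3 comes down to which %RegExp.prototype% the getter compares against. Below is an added example, not code from the patch or from WebKit, that models the ECMA-262 algorithm shared by the RegExp.prototype flag getters with two toy realms (the `makeRealm`, `access`, `objectRealmCheckPasses` and `hostEngineCrossRealmThrows` helpers and the `ORIGINAL_FLAGS` symbol are stand-ins invented for the illustration). It shows why the getter must use its own realm's intrinsic: a second realm's RegExp.prototype has no [[OriginalFlags]] slot and is not this realm's %RegExp.prototype%, so it falls into the TypeError branch, whereas resolving the intrinsic from the receiver's realm would make that branch unreachable for any prototype object. The last helper repeats the check against the host engine when Node's `vm` module is available (an iframe's `contentWindow.RegExp.prototype` is the browser equivalent).

```javascript
// Added example (not WebKit code): a model of the ECMA-262 algorithm shared by the
// RegExp.prototype flag getters (global, ignoreCase, multiline, dotAll, unicode, sticky):
//   1. Let R be the this value.
//   2. If R is not an Object, throw a TypeError.
//   3. If R does not have an [[OriginalFlags]] internal slot, then
//      a. If SameValue(R, %RegExp.prototype%) is true, return undefined.
//      b. Otherwise, throw a TypeError.
//   4. Return true if the flag is in R.[[OriginalFlags]], else false.
// %RegExp.prototype% is the intrinsic of the realm the getter was created in (the
// "static code" realm of the discussion), which is what makes step 3a fail for
// another realm's RegExp.prototype.

const ORIGINAL_FLAGS = Symbol('[[OriginalFlags]]'); // stand-in for the internal slot

// Build a toy realm with its own %RegExp.prototype%, a RegExp factory and a flag
// getter closed over that realm's intrinsic. (Assumed helper, not an engine API.)
function makeRealm(name) {
  const realm = { name };
  realm.regExpPrototype = Object.create(null);   // has no [[OriginalFlags]] slot
  realm.regExpPrototype.realm = realm;           // only used by objectRealmCheckPasses below
  realm.makeRegExp = (flags) => {
    const r = Object.create(realm.regExpPrototype);
    r[ORIGINAL_FLAGS] = flags;                   // a real RegExp instance of this realm
    return r;
  };
  realm.flagGetter = (flagChar) => function get(R) {   // R plays the role of the this value
    if (R === null || (typeof R !== 'object' && typeof R !== 'function')) {
      throw new TypeError(`${realm.name}: receiver is not an object`);            // step 2
    }
    if (!Object.prototype.hasOwnProperty.call(R, ORIGINAL_FLAGS)) {
      if (R === realm.regExpPrototype) return undefined;                         // step 3a
      throw new TypeError(`${realm.name}: incompatible receiver`);                // step 3b
    }
    return R[ORIGINAL_FLAGS].includes(flagChar);                                  // step 4
  };
  return realm;
}

// Run a getter and report the outcome as a plain value so it can be compared.
function access(getter, receiver) {
  try {
    const v = getter(receiver);
    return v === undefined ? 'undefined' : v;
  } catch (e) {
    return e instanceof TypeError ? 'TypeError' : 'other';
  }
}

// The alternative raised in review: resolve %RegExp.prototype% from the receiver's
// own realm. For any realm's RegExp.prototype the comparison is then always true,
// so the TypeError branch could never fire for a prototype object.
function objectRealmCheckPasses(R) {
  return R.realm !== undefined && R === R.realm.regExpPrototype;
}

// Optional check against the host engine. Returns true if the engine throws a
// TypeError for a cross-realm RegExp.prototype, false if it returns a value, and
// null when no second realm can be created here (no CommonJS require / no vm).
function hostEngineCrossRealmThrows() {
  let vm;
  try { vm = require('vm'); } catch { return null; }
  const foreignProto = vm.runInNewContext('RegExp.prototype');
  const getter = Object.getOwnPropertyDescriptor(RegExp.prototype, 'global').get;
  try {
    getter.call(foreignProto);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

const realmA = makeRealm('A');
const realmB = makeRealm('B');
const getGlobalA = realmA.flagGetter('g');

const results = {
  ownPrototype: access(getGlobalA, realmA.regExpPrototype),      // 'undefined' (step 3a)
  foreignPrototype: access(getGlobalA, realmB.regExpPrototype),  // 'TypeError' (step 3b)
  foreignRegExp: access(getGlobalA, realmB.makeRegExp('gi')),    // true: slot present, realm irrelevant
  plainObject: access(getGlobalA, {}),                           // 'TypeError'
  primitive: access(getGlobalA, 'abc'),                          // 'TypeError'
};
console.log(results, { hostEngineCrossRealmThrows: hostEngineCrossRealmThrows() });
```

Note that cross-realm RegExp *instances* are unaffected: they carry the slot, so step 3 is skipped entirely. Only the bare prototype object of a foreign realm changes from `undefined` to a TypeError, which is the behaviour the bug title describes.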
Comment 4 EWS 2020-06-11 10:24:00 PDT
Committed r262908: <https://trac.webkit.org/changeset/262908>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 401644.
Comment 5 Radar WebKit Bug Importer 2020-06-11 10:24:17 PDT
<rdar://problem/64259571>