RESOLVED FIXED 213075
RegExp.prototype getters should throw on cross-realm access
https://bugs.webkit.org/show_bug.cgi?id=213075
Alexey Shvayka
Reported 2020-06-11 08:00:25 PDT
RegExp.prototype getters should throw on cross-realm access
Attachments
Patch (9.29 KB, patch)
2020-06-11 08:01 PDT, Alexey Shvayka
no flags
Alexey Shvayka
Comment 1 2020-06-11 08:01:49 PDT
Saam Barati
Comment 2 2020-06-11 09:19:02 PDT
Comment on attachment 401644 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=401644&action=review

> Source/JavaScriptCore/runtime/RegExpPrototype.cpp:242
> + if (thisValue == globalObject->regExpPrototype())

Which realm is used by the spec? The realm from the object? Or the realm of the static code running? This is using the latter. Is that intentional?
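Review bot: at RegExpPrototype.cpp:242 the receiver is compared against globalObject->regExpPrototype() with nothing in the line saying which realm globalObject stands for, which is the first thing a reader asks. Suggest a one-line comment above the check stating that the comparison is deliberately against the %RegExp.prototype% of the getter's own realm, so the choice is not mistaken for an oversight.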
Alexey Shvayka
Comment 3 2020-06-11 09:32:45 PDT
(In reply to Saam Barati from comment #2)
> Comment on attachment 401644 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=401644&action=review
>
> > Source/JavaScriptCore/runtime/RegExpPrototype.cpp:242
> > + if (thisValue == globalObject->regExpPrototype())
>
> Which realm is used by the spec? The realm from the object? Or the realm of
> the static code running? This is using the latter. Is that intentional?

The spec uses the realm of static code (of a getter). Otherwise, the check would never fail: if `object` is a %RegExp.prototype%, `object.realm.RegExp.prototype` is `object` itself.
EWS
Comment 4 2020-06-11 10:24:00 PDT
Committed r262908: <https://trac.webkit.org/changeset/262908>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 401644 [details].
Radar WebKit Bug Importer
Comment 5 2020-06-11 10:24:17 PDT