Bug 60240 - CSP should block Function constructor
Summary: CSP should block Function constructor
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Adam Barth
Depends on:
Blocks: 53572
  Show dependency treegraph
Reported: 2011-05-04 19:42 PDT by Adam Barth
Modified: 2011-05-09 16:06 PDT (History)
4 users (show)

See Also:

Patch (12.06 KB, patch)
2011-05-04 20:35 PDT, Adam Barth
no flags Details | Formatted Diff | Diff
Patch for landing (11.84 KB, patch)
2011-05-09 15:21 PDT, Adam Barth
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Adam Barth 2011-05-04 19:42:42 PDT
CSP should block Function constructor
Comment 1 Adam Barth 2011-05-04 20:35:41 PDT
Created attachment 92368 [details]
Comment 2 Eric Seidel (no email) 2011-05-06 12:11:06 PDT
Comment on attachment 92368 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=92368&action=review


> Source/JavaScriptCore/runtime/FunctionConstructor.cpp:75
>  JSObject* constructFunction(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, const Identifier& functionName, const UString& sourceURL, int lineNumber)

One could also just have added an enum argument to this call.
Comment 3 Adam Barth 2011-05-06 12:53:41 PDT
Thoughts from ggaren and/or sam would be useful.  I'll leave this patch up here for a bit in case they'd like to comment.
Comment 4 Geoffrey Garen 2011-05-09 13:48:10 PDT
Comment 5 Adam Barth 2011-05-09 13:51:28 PDT
(In reply to comment #4)

Thanks for taking a look.
Comment 6 Adam Barth 2011-05-09 15:21:21 PDT
Created attachment 92863 [details]
Patch for landing
Comment 7 WebKit Commit Bot 2011-05-09 16:06:10 PDT
Comment on attachment 92863 [details]
Patch for landing

Clearing flags on attachment: 92863

Committed r86100: <http://trac.webkit.org/changeset/86100>
Comment 8 WebKit Commit Bot 2011-05-09 16:06:14 PDT
All reviewed patches have been landed.  Closing bug.