The Vulnerability History Project

IndexedDB: Avoid side effects by evaluating key paths w/ HasOwnProperty

Although key path evaluation is always done against clones (so getters
are flattened into simple data properties), property lookups were
not restricted to inherited properties, allowing getters on prototypes
to be executed. This allows evaluation to be observable, and cause
side effects.

Restrict the lookup to own properties, and introduce special-case code
for those non-own values identified in the spec[1] as special cases.

[1] https://w3c.github.io/IndexedDB/#key-path-construct

BUG=637963
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/2255413004
Cr-Commit-Position: refs/heads/master@{#414170}
    
commit fb18204c77e3f6e43ce05dd3ce24f00e0201bac1
+35 -35
+14 -18
+10 -52
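The own-property restriction described in the commit message, as an added JavaScript sketch; it is not the Chromium patch. The function names are hypothetical, the record is constructed, and the spec's Blob and File special cases are omitted, leaving only the String and Array `length` cases.

```javascript
const FAILURE = Symbol("failure");

// Plain lookup: walks the prototype chain, so an inherited getter runs.
function evaluateKeyPathNaive(value, keyPath) {
  for (const id of keyPath.split(".")) {
    if (value === null || value === undefined) return FAILURE;
    value = value[id];
    if (value === undefined) return FAILURE;
  }
  return value;
}

// Own-properties-only lookup, with "length" on strings and arrays special-cased.
function evaluateKeyPathOwn(value, keyPath) {
  for (const id of keyPath.split(".")) {
    if (id === "length" && (typeof value === "string" || Array.isArray(value))) {
      value = value.length;
      continue;
    }
    if (value === null || typeof value !== "object") return FAILURE;
    if (!Object.prototype.hasOwnProperty.call(value, id)) return FAILURE;
    value = value[id];
    if (value === undefined) return FAILURE;
  }
  return value;
}

// Installs a counting getter on Object.prototype, runs both evaluators, cleans up.
function demo() {
  let getterCalls = 0;
  Object.defineProperty(Object.prototype, "id", {
    configurable: true,
    get() { getterCalls++; return 42; },
  });
  try {
    const record = { name: "constructed", tags: ["a", "b"] }; // no own "id"
    const naive = evaluateKeyPathNaive(record, "id");
    const callsAfterNaive = getterCalls;
    const own = evaluateKeyPathOwn(record, "id");
    return {
      naive, callsAfterNaive, own, callsAfterOwn: getterCalls,
      tagsLength: evaluateKeyPathOwn(record, "tags.length"),
      nameLength: evaluateKeyPathOwn(record, "name.length"),
    };
  } finally {
    delete Object.prototype.id;
  }
}
```

The getter count stays at 1 after the own-property evaluator runs, which is the observable difference: the inherited getter is never invoked and the key path simply fails to resolve.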