phpv8 / v8js

V8 Javascript Engine for PHP — This PHP extension embeds the Google V8 Javascript Engine
http://pecl.php.net/package/v8js
MIT License

V8Object and V8Function need to be protected. #75

Closed cscott closed 10 years ago

cscott commented 10 years ago

From PHP code you can do

new V8Object;

or

new V8Function;

which then segfaults. We need to protect these constructors from user code.

cscott commented 10 years ago

...and I would appreciate some suggestions on the best way to do that in PHP. On the V8 side we check to see if the constructor argument is a V8::External to distinguish between internal and user invocation of the constructor. I don't see any easy way to distinguish user invocation of the constructor on the PHP side, although we could sort of copy the V8 approach and register a new resource type, which we passed to the constructor only when invoking it internally. Invoking the constructor without the proper resource would either be an error or (again aping the V8 approach) automatically create an appropriate empty V8 object to wrap. (It makes sense for new V8Object to be the PHP equivalent of the JavaScript Object.create(null), but new V8Function should throw an exception; I can't see any reasonable thing that should do.)

Thoughts?

cscott commented 10 years ago

On review of the code ... The V8Object constructor would need to take a reference to a V8Js object in order to obtain the proper isolate. So the PHP code would be $obj = new V8Object($v8js). Is this API actually worth implementing, or should new V8Object from user code just throw an exception?

stesie commented 10 years ago

I don't think new V8Object could be useful. After all, if I'd like to pass back a simple object from PHP to V8 I could always

$foo = new stdClass();
$foo->bar = 23;
$whatever->callback($foo);

On the contrary, I think it's useful if you can rely on objects from the JS context being derived from V8Object, and further, that only those can have that particular class.

For example, at one place I expose a factory to JS, which allows JS to request certain object instances from PHP, and I expect the JS code to configure those, build a collection of them and pass them back to another PHP method (which calls methods on the object collection in turn). The JS code could easily provide an object that looks the same, but I need to detect those cases so as not to leak certain objects to (untrusted) JS code. If I created V8Object instances in PHP as well, detecting those would be painful if they get passed back.
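The two ideas in this thread, a wrapper class whose constructor user code cannot reach (cscott's proposal) and a consumer that then trusts only instances of that class (stesie's factory scenario), sketched as an added example in userland PHP. This is not v8js code: the real guard lives in the extension's C++ layer, and Engine, EngineObject and Collector are hypothetical names chosen for the illustration. It assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not v8js code. Hypothetical names: Engine, EngineObject,
// Collector. Models the thread's two points in plain PHP:
//  (1) the wrapper class can only be instantiated by the engine, so
//      `new EngineObject(...)` from user code throws instead of yielding a
//      half-initialised object (the PHP analogue of the segfault in the issue);
//  (2) a consumer can therefore rely on `instanceof EngineObject` to tell
//      engine-created wrappers from look-alike objects built by untrusted code.

final class EngineObject
{
    /** @var array<string,mixed> */
    private array $props;

    // Private: user code cannot call the constructor. Only Engine, which
    // builds instances through a closure bound into this class's scope, can.
    private function __construct(array $props)
    {
        $this->props = $props;
    }

    public function get(string $name): mixed
    {
        return $this->props[$name] ?? null;
    }
}

final class Engine
{
    /** Wrap data that "came from the engine" in an EngineObject. */
    public function wrap(array $props): EngineObject
    {
        // Binding the closure's scope to EngineObject lets this code reach the
        // private constructor; this is the internal-only construction path.
        $factory = Closure::bind(
            static fn(array $p): EngineObject => new EngineObject($p),
            null,
            EngineObject::class
        );
        return $factory($props);
    }
}

final class Collector
{
    /**
     * Accept a collection handed back from the (untrusted) script side and
     * keep only genuine engine-created wrappers. Returns [accepted, rejected].
     *
     * @param iterable<mixed> $objects
     * @return array{0:int,1:int}
     */
    public function accept(iterable $objects): array
    {
        $accepted = 0;
        $rejected = 0;
        foreach ($objects as $obj) {
            // The class check is meaningful precisely because nothing outside
            // Engine can construct an EngineObject.
            if ($obj instanceof EngineObject) {
                $accepted++;
            } else {
                $rejected++;
            }
        }
        return [$accepted, $rejected];
    }
}

/** Runs the scenario and returns what happened, for inspection. */
function demo(): array
{
    $engine = new Engine();
    $real = $engine->wrap(['id' => 1]);

    // Constructed look-alike: same shape, but built by "script" code.
    $fake = new stdClass();
    $fake->id = 1;

    $out = ['collector' => (new Collector())->accept([$real, $fake])];

    try {
        new EngineObject(['id' => 2]);  // direct construction from user code
        $out['direct'] = 'constructed';
    } catch (Error $e) {
        // PHP raises Error: Call to private EngineObject::__construct()
        $out['direct'] = 'rejected';
    }
    return $out;
}

print_r(demo());
```

Running the script shows the collector accepting the engine-created wrapper and rejecting the stdClass look-alike, and the direct `new EngineObject(...)` call failing with an Error rather than producing an object. In the extension itself the equivalent of the bound closure is the internal construction path that carries the resource or external handle cscott describes, which is what lets the check stay meaningful.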

cscott commented 10 years ago

Accomplished with pull #76. Keep your eyes open for other issues of this sort (although I don't know of any at this time).