2014-04-03 15:58:00 +04:00
|
|
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
|
|
|
|
/* vim: set ts=8 sts=4 et sw=4 tw=99: */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
2012-05-21 15:12:37 +04:00
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
2010-06-26 02:58:09 +04:00
|
|
|
|
2010-07-03 00:54:53 +04:00
|
|
|
#include "AccessCheck.h"
|
2010-06-26 02:58:09 +04:00
|
|
|
|
|
|
|
#include "nsJSPrincipals.h"
|
2013-11-05 12:47:59 +04:00
|
|
|
#include "nsGlobalWindow.h"
|
2010-06-26 02:58:09 +04:00
|
|
|
|
2010-07-03 00:54:53 +04:00
|
|
|
#include "XPCWrapper.h"
|
2010-09-18 01:54:40 +04:00
|
|
|
#include "XrayWrapper.h"
|
2010-06-26 02:58:09 +04:00
|
|
|
|
2011-04-13 20:27:37 +04:00
|
|
|
#include "jsfriendapi.h"
|
2012-09-13 00:29:30 +04:00
|
|
|
#include "mozilla/dom/BindingUtils.h"
|
2014-07-12 03:34:44 +04:00
|
|
|
#include "mozilla/dom/LocationBinding.h"
|
2013-12-09 19:34:03 +04:00
|
|
|
#include "mozilla/dom/WindowBinding.h"
|
2015-01-27 00:32:18 +03:00
|
|
|
#include "mozilla/jsipc/CrossProcessObjectWrappers.h"
|
2013-11-05 12:47:59 +04:00
|
|
|
#include "nsIDOMWindowCollection.h"
|
|
|
|
#include "nsJSUtils.h"
|
2016-08-04 21:14:35 +03:00
|
|
|
#include "xpcprivate.h"
|
2010-10-28 19:15:53 +04:00
|
|
|
|
2011-10-11 09:50:08 +04:00
|
|
|
using namespace mozilla;
|
2013-09-02 08:51:02 +04:00
|
|
|
using namespace JS;
|
2011-09-09 07:29:15 +04:00
|
|
|
using namespace js;
|
|
|
|
|
2010-06-26 02:58:09 +04:00
|
|
|
namespace xpc {
|
|
|
|
|
2015-03-29 01:22:11 +03:00
|
|
|
nsIPrincipal*
|
|
|
|
GetCompartmentPrincipal(JSCompartment* compartment)
|
2010-06-26 02:58:09 +04:00
|
|
|
{
|
2012-03-09 13:48:50 +04:00
|
|
|
return nsJSPrincipals::get(JS_GetCompartmentPrincipals(compartment));
|
2010-06-26 02:58:09 +04:00
|
|
|
}
|
|
|
|
|
2015-03-29 01:22:11 +03:00
|
|
|
nsIPrincipal*
|
|
|
|
GetObjectPrincipal(JSObject* obj)
|
2013-05-07 03:53:10 +04:00
|
|
|
{
|
|
|
|
return GetCompartmentPrincipal(js::GetObjectCompartment(obj));
|
|
|
|
}
|
|
|
|
|
2012-07-12 12:10:15 +04:00
|
|
|
// Does the principal of compartment a subsume the principal of compartment b?
|
2010-06-26 02:58:09 +04:00
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::subsumes(JSCompartment* a, JSCompartment* b)
|
2010-07-03 00:54:53 +04:00
|
|
|
{
|
2015-03-29 01:22:11 +03:00
|
|
|
nsIPrincipal* aprin = GetCompartmentPrincipal(a);
|
|
|
|
nsIPrincipal* bprin = GetCompartmentPrincipal(b);
|
2014-02-14 06:57:34 +04:00
|
|
|
return aprin->Subsumes(bprin);
|
2010-07-03 00:54:53 +04:00
|
|
|
}
|
|
|
|
|
2012-12-08 02:49:11 +04:00
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::subsumes(JSObject* a, JSObject* b)
|
2012-12-08 02:49:11 +04:00
|
|
|
{
|
|
|
|
return subsumes(js::GetObjectCompartment(a), js::GetObjectCompartment(b));
|
|
|
|
}
|
|
|
|
|
2014-02-14 06:57:34 +04:00
|
|
|
// Same as above, but considering document.domain.
|
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::subsumesConsideringDomain(JSCompartment* a, JSCompartment* b)
|
2014-02-14 06:57:34 +04:00
|
|
|
{
|
2015-03-29 01:22:11 +03:00
|
|
|
nsIPrincipal* aprin = GetCompartmentPrincipal(a);
|
|
|
|
nsIPrincipal* bprin = GetCompartmentPrincipal(b);
|
2014-02-14 06:57:34 +04:00
|
|
|
return aprin->SubsumesConsideringDomain(bprin);
|
2012-09-11 21:23:20 +04:00
|
|
|
}
|
|
|
|
|
2012-09-11 12:05:10 +04:00
|
|
|
// Does the compartment of the wrapper subsumes the compartment of the wrappee?
|
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::wrapperSubsumes(JSObject* wrapper)
|
2012-09-11 12:05:10 +04:00
|
|
|
{
|
|
|
|
MOZ_ASSERT(js::IsWrapper(wrapper));
|
2015-03-29 01:22:11 +03:00
|
|
|
JSObject* wrapped = js::UncheckedUnwrap(wrapper);
|
2012-09-11 12:05:10 +04:00
|
|
|
return AccessCheck::subsumes(js::GetObjectCompartment(wrapper),
|
|
|
|
js::GetObjectCompartment(wrapped));
|
|
|
|
}
|
|
|
|
|
2010-07-03 00:54:53 +04:00
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::isChrome(JSCompartment* compartment)
|
2010-06-26 02:58:09 +04:00
|
|
|
{
|
2011-09-29 10:19:26 +04:00
|
|
|
bool privileged;
|
2015-03-29 01:22:11 +03:00
|
|
|
nsIPrincipal* principal = GetCompartmentPrincipal(compartment);
|
2014-05-07 10:17:43 +04:00
|
|
|
return NS_SUCCEEDED(nsXPConnect::SecurityManager()->IsSystemPrincipal(principal, &privileged)) && privileged;
|
2010-07-03 00:54:53 +04:00
|
|
|
}
|
|
|
|
|
2012-09-11 12:05:10 +04:00
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::isChrome(JSObject* obj)
|
2012-09-11 12:05:10 +04:00
|
|
|
{
|
|
|
|
return isChrome(js::GetObjectCompartment(obj));
|
|
|
|
}
|
|
|
|
|
2015-03-29 01:22:11 +03:00
|
|
|
nsIPrincipal*
|
|
|
|
AccessCheck::getPrincipal(JSCompartment* compartment)
|
2010-09-25 05:00:58 +04:00
|
|
|
{
|
|
|
|
return GetCompartmentPrincipal(compartment);
|
|
|
|
}
|
|
|
|
|
2014-07-15 20:04:19 +04:00
|
|
|
// Hardcoded policy for cross origin property access. See the HTML5 Spec.
|
2010-07-03 00:54:53 +04:00
|
|
|
static bool
|
2015-03-29 01:22:11 +03:00
|
|
|
IsPermitted(CrossOriginObjectType type, JSFlatString* prop, bool set)
|
2010-07-03 00:54:53 +04:00
|
|
|
{
|
2014-07-10 19:36:35 +04:00
|
|
|
size_t propLength = JS_GetStringLength(JS_FORGET_STRING_FLATNESS(prop));
|
2010-10-28 19:15:53 +04:00
|
|
|
if (!propLength)
|
|
|
|
return false;
|
2014-07-10 19:36:35 +04:00
|
|
|
|
2014-07-22 08:43:21 +04:00
|
|
|
char16_t propChar0 = JS_GetFlatStringCharAt(prop, 0);
|
2014-10-17 18:17:02 +04:00
|
|
|
if (type == CrossOriginLocation)
|
2014-07-15 20:04:19 +04:00
|
|
|
return dom::LocationBinding::IsPermitted(prop, propChar0, set);
|
2014-10-17 18:17:02 +04:00
|
|
|
if (type == CrossOriginWindow)
|
2014-07-15 20:04:19 +04:00
|
|
|
return dom::WindowBinding::IsPermitted(prop, propChar0, set);
|
|
|
|
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2013-09-20 21:32:32 +04:00
|
|
|
static bool
|
2015-04-10 00:09:54 +03:00
|
|
|
IsFrameId(JSContext* cx, JSObject* obj, jsid idArg)
|
2013-09-20 21:32:32 +04:00
|
|
|
{
|
2015-04-10 00:09:54 +03:00
|
|
|
MOZ_ASSERT(!js::IsWrapper(obj));
|
2013-09-20 21:32:32 +04:00
|
|
|
RootedId id(cx, idArg);
|
|
|
|
|
2013-11-05 12:47:59 +04:00
|
|
|
nsGlobalWindow* win = WindowOrNull(obj);
|
|
|
|
if (!win) {
|
2013-09-20 21:32:32 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2015-10-27 00:37:32 +03:00
|
|
|
nsCOMPtr<nsIDOMWindowCollection> col = win->GetFrames();
|
2013-09-20 21:32:32 +04:00
|
|
|
if (!col) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2016-01-30 20:05:36 +03:00
|
|
|
nsCOMPtr<mozIDOMWindowProxy> domwin;
|
2013-09-20 21:32:32 +04:00
|
|
|
if (JSID_IS_INT(id)) {
|
|
|
|
col->Item(JSID_TO_INT(id), getter_AddRefs(domwin));
|
|
|
|
} else if (JSID_IS_STRING(id)) {
|
2014-07-05 19:30:54 +04:00
|
|
|
nsAutoJSString idAsString;
|
|
|
|
if (!idAsString.init(cx, JSID_TO_STRING(id))) {
|
|
|
|
return false;
|
|
|
|
}
|
2014-06-11 07:15:56 +04:00
|
|
|
col->NamedItem(idAsString, getter_AddRefs(domwin));
|
2013-09-20 21:32:32 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
return domwin != nullptr;
|
|
|
|
}
|
|
|
|
|
2014-10-17 18:17:02 +04:00
|
|
|
CrossOriginObjectType
|
2015-03-29 01:22:11 +03:00
|
|
|
IdentifyCrossOriginObject(JSObject* obj)
|
2013-09-20 21:32:32 +04:00
|
|
|
{
|
2015-11-06 21:03:52 +03:00
|
|
|
obj = js::UncheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
|
2015-03-29 01:22:11 +03:00
|
|
|
const js::Class* clasp = js::GetObjectClass(obj);
|
2014-10-17 18:17:02 +04:00
|
|
|
MOZ_ASSERT(!XrayUtils::IsXPCWNHolderClass(Jsvalify(clasp)), "shouldn't have a holder here");
|
|
|
|
|
|
|
|
if (clasp->name[0] == 'L' && !strcmp(clasp->name, "Location"))
|
|
|
|
return CrossOriginLocation;
|
|
|
|
if (clasp->name[0] == 'W' && !strcmp(clasp->name, "Window"))
|
|
|
|
return CrossOriginWindow;
|
|
|
|
|
|
|
|
return CrossOriginOpaque;
|
2013-09-20 21:32:32 +04:00
|
|
|
}
|
|
|
|
|
2010-07-03 00:54:53 +04:00
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::isCrossOriginAccessPermitted(JSContext* cx, HandleObject wrapper, HandleId id,
|
2011-09-09 07:29:15 +04:00
|
|
|
Wrapper::Action act)
|
2010-07-03 00:54:53 +04:00
|
|
|
{
|
2011-09-09 07:29:15 +04:00
|
|
|
if (act == Wrapper::CALL)
|
2013-05-23 08:27:16 +04:00
|
|
|
return false;
|
2010-09-18 01:54:40 +04:00
|
|
|
|
2014-07-30 23:23:02 +04:00
|
|
|
if (act == Wrapper::ENUMERATE)
|
|
|
|
return true;
|
|
|
|
|
2014-07-30 23:23:03 +04:00
|
|
|
// For the case of getting a property descriptor, we allow if either GET or SET
|
|
|
|
// is allowed, and rely on FilteringWrapper to filter out any disallowed accessors.
|
|
|
|
if (act == Wrapper::GET_PROPERTY_DESCRIPTOR) {
|
2014-07-30 23:23:04 +04:00
|
|
|
return isCrossOriginAccessPermitted(cx, wrapper, id, Wrapper::GET) ||
|
|
|
|
isCrossOriginAccessPermitted(cx, wrapper, id, Wrapper::SET);
|
2014-07-30 23:23:03 +04:00
|
|
|
}
|
|
|
|
|
2015-11-06 21:03:52 +03:00
|
|
|
RootedObject obj(cx, js::UncheckedUnwrap(wrapper, /* stopAtWindowProxy = */ false));
|
2014-10-17 18:17:02 +04:00
|
|
|
CrossOriginObjectType type = IdentifyCrossOriginObject(obj);
|
2012-01-15 12:13:07 +04:00
|
|
|
if (JSID_IS_STRING(id)) {
|
2014-10-17 18:17:02 +04:00
|
|
|
if (IsPermitted(type, JSID_TO_FLAT_STRING(id), act == Wrapper::SET))
|
2010-07-03 00:54:53 +04:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2013-09-20 21:32:32 +04:00
|
|
|
if (act != Wrapper::GET)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
// Check for frame IDs. If we're resolving named frames, make sure to only
|
|
|
|
// resolve ones that don't shadow native properties. See bug 860494.
|
2014-10-17 18:17:02 +04:00
|
|
|
if (type == CrossOriginWindow) {
|
2014-09-15 16:13:02 +04:00
|
|
|
if (JSID_IS_STRING(id)) {
|
2013-09-20 21:32:32 +04:00
|
|
|
bool wouldShadow = false;
|
|
|
|
if (!XrayUtils::HasNativeProperty(cx, wrapper, id, &wouldShadow) ||
|
|
|
|
wouldShadow)
|
|
|
|
{
|
2014-07-30 23:23:03 +04:00
|
|
|
// If the named subframe matches the name of a DOM constructor,
|
|
|
|
// the global resolve triggered by the HasNativeProperty call
|
|
|
|
// above will try to perform a CheckedUnwrap on |wrapper|, and
|
|
|
|
// throw a security error if it fails. That exception isn't
|
|
|
|
// really useful for our callers, so we silence it and just
|
|
|
|
// deny access to the property (since it matched a builtin).
|
|
|
|
//
|
|
|
|
// Note that this would be a problem if the resolve code ever
|
|
|
|
// tried to CheckedUnwrap the wrapper _before_ concluding that
|
|
|
|
// the name corresponds to a builtin global property, since it
|
|
|
|
// would mean that we'd never permit cross-origin named subframe
|
|
|
|
// access (something we regrettably need to support).
|
|
|
|
JS_ClearPendingException(cx);
|
2013-09-20 21:32:32 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return IsFrameId(cx, obj, id);
|
|
|
|
}
|
2013-04-23 20:50:17 +04:00
|
|
|
return false;
|
2010-07-03 00:54:53 +04:00
|
|
|
}
|
|
|
|
|
2014-10-20 17:52:52 +04:00
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper, HandleValue v)
|
2014-10-20 17:52:52 +04:00
|
|
|
{
|
|
|
|
// Primitives are fine.
|
|
|
|
if (!v.isObject())
|
|
|
|
return true;
|
|
|
|
RootedObject obj(cx, &v.toObject());
|
|
|
|
|
|
|
|
// Non-wrappers are fine.
|
|
|
|
if (!js::IsWrapper(obj))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
// CPOWs use COWs (in the unprivileged junk scope) for all child->parent
|
|
|
|
// references. Without this test, the child process wouldn't be able to
|
|
|
|
// pass any objects at all to CPOWs.
|
|
|
|
if (mozilla::jsipc::IsWrappedCPOW(obj) &&
|
|
|
|
js::GetObjectCompartment(wrapper) == js::GetObjectCompartment(xpc::UnprivilegedJunkScope()) &&
|
2015-07-04 04:29:00 +03:00
|
|
|
XRE_IsParentProcess())
|
2014-10-20 17:52:52 +04:00
|
|
|
{
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// COWs are fine to pass to chrome if and only if they have __exposedProps__,
|
|
|
|
// since presumably content should never have a reason to pass an opaque
|
|
|
|
// object back to chrome.
|
|
|
|
if (AccessCheck::isChrome(js::UncheckedUnwrap(wrapper)) && WrapperFactory::IsCOW(obj)) {
|
|
|
|
RootedObject target(cx, js::UncheckedUnwrap(obj));
|
|
|
|
JSAutoCompartment ac(cx, target);
|
2016-09-14 16:48:17 +03:00
|
|
|
RootedId id(cx, GetJSIDByIndex(cx, XPCJSContext::IDX_EXPOSEDPROPS));
|
2014-10-20 17:52:52 +04:00
|
|
|
bool found = false;
|
|
|
|
if (!JS_HasPropertyById(cx, target, id, &found))
|
|
|
|
return false;
|
|
|
|
if (found)
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Same-origin wrappers are fine.
|
|
|
|
if (AccessCheck::wrapperSubsumes(obj))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
// Badness.
|
|
|
|
JS_ReportError(cx, "Permission denied to pass object to privileged code");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
AccessCheck::checkPassToPrivilegedCode(JSContext* cx, HandleObject wrapper, const CallArgs& args)
|
2014-10-20 17:52:52 +04:00
|
|
|
{
|
|
|
|
if (!checkPassToPrivilegedCode(cx, wrapper, args.thisv()))
|
|
|
|
return false;
|
|
|
|
for (size_t i = 0; i < args.length(); ++i) {
|
|
|
|
if (!checkPassToPrivilegedCode(cx, wrapper, args[i]))
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2011-01-30 05:47:17 +03:00
|
|
|
enum Access { READ = (1<<0), WRITE = (1<<1), NO_ACCESS = 0 };
|
|
|
|
|
2012-12-08 02:49:11 +04:00
|
|
|
static void
|
2015-03-29 01:22:11 +03:00
|
|
|
EnterAndThrow(JSContext* cx, JSObject* wrapper, const char* msg)
|
2012-12-08 02:49:11 +04:00
|
|
|
{
|
|
|
|
JSAutoCompartment ac(cx, wrapper);
|
|
|
|
JS_ReportError(cx, msg);
|
|
|
|
}
|
|
|
|
|
2010-06-26 02:58:09 +04:00
|
|
|
bool
|
2015-03-29 01:22:11 +03:00
|
|
|
ExposedPropertiesOnly::check(JSContext* cx, HandleObject wrapper, HandleId id, Wrapper::Action act)
|
2010-06-26 02:58:09 +04:00
|
|
|
{
|
2013-04-17 19:38:44 +04:00
|
|
|
RootedObject wrappedObject(cx, Wrapper::wrappedObject(wrapper));
|
2011-01-30 05:47:17 +03:00
|
|
|
|
2012-11-03 04:47:49 +04:00
|
|
|
if (act == Wrapper::CALL)
|
2014-10-18 13:02:10 +04:00
|
|
|
return false;
|
2014-07-30 23:23:03 +04:00
|
|
|
|
|
|
|
// For the case of getting a property descriptor, we allow if either GET or SET
|
|
|
|
// is allowed, and rely on FilteringWrapper to filter out any disallowed accessors.
|
|
|
|
if (act == Wrapper::GET_PROPERTY_DESCRIPTOR) {
|
2014-07-30 23:23:04 +04:00
|
|
|
return check(cx, wrapper, id, Wrapper::GET) ||
|
|
|
|
check(cx, wrapper, id, Wrapper::SET);
|
2014-07-30 23:23:03 +04:00
|
|
|
}
|
|
|
|
|
2016-09-14 16:48:17 +03:00
|
|
|
RootedId exposedPropsId(cx, GetJSIDByIndex(cx, XPCJSContext::IDX_EXPOSEDPROPS));
|
2010-07-03 00:54:53 +04:00
|
|
|
|
2012-06-18 17:47:09 +04:00
|
|
|
// We need to enter the wrappee's compartment to look at __exposedProps__,
|
2012-09-11 12:05:10 +04:00
|
|
|
// but we want to be in the wrapper's compartment if we call Deny().
|
2012-06-18 17:47:09 +04:00
|
|
|
//
|
|
|
|
// Unfortunately, |cx| can be in either compartment when we call ::check. :-(
|
2012-08-22 05:42:53 +04:00
|
|
|
JSAutoCompartment ac(cx, wrappedObject);
|
2012-06-18 17:47:09 +04:00
|
|
|
|
2013-08-09 02:53:04 +04:00
|
|
|
bool found = false;
|
2012-06-18 17:47:09 +04:00
|
|
|
if (!JS_HasPropertyById(cx, wrappedObject, exposedPropsId, &found))
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
2011-01-30 05:47:17 +03:00
|
|
|
|
|
|
|
// If no __exposedProps__ existed, deny access.
|
|
|
|
if (!found) {
|
2014-10-03 12:05:52 +04:00
|
|
|
// Previously we automatically granted access to indexed properties and
|
|
|
|
// .length for Array COWs. We're not doing that anymore, so make sure to
|
|
|
|
// let people know what's going on.
|
2015-08-29 07:55:40 +03:00
|
|
|
bool isArray;
|
|
|
|
if (!JS_IsArrayObject(cx, wrappedObject, &isArray))
|
|
|
|
return false;
|
|
|
|
if (!isArray)
|
|
|
|
isArray = JS_IsTypedArrayObject(wrappedObject);
|
2014-10-03 12:05:52 +04:00
|
|
|
bool isIndexedAccessOnArray = isArray && JSID_IS_INT(id) && JSID_TO_INT(id) >= 0;
|
|
|
|
bool isLengthAccessOnArray = isArray && JSID_IS_STRING(id) &&
|
|
|
|
JS_FlatStringEqualsAscii(JSID_TO_FLAT_STRING(id), "length");
|
|
|
|
if (isIndexedAccessOnArray || isLengthAccessOnArray) {
|
|
|
|
JSAutoCompartment ac2(cx, wrapper);
|
|
|
|
ReportWrapperDenial(cx, id, WrapperDenialForCOW,
|
|
|
|
"Access to elements and length of privileged Array not permitted");
|
|
|
|
}
|
|
|
|
|
2012-11-03 04:47:49 +04:00
|
|
|
return false;
|
2011-01-30 05:47:17 +03:00
|
|
|
}
|
|
|
|
|
2013-12-17 06:27:43 +04:00
|
|
|
if (id == JSID_VOID)
|
2010-06-26 02:58:09 +04:00
|
|
|
return true;
|
2010-07-03 00:54:53 +04:00
|
|
|
|
2016-01-28 13:28:04 +03:00
|
|
|
Rooted<PropertyDescriptor> desc(cx);
|
2014-12-17 02:28:39 +03:00
|
|
|
if (!JS_GetPropertyDescriptorById(cx, wrappedObject, exposedPropsId, &desc))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (!desc.object())
|
2010-07-02 02:45:08 +04:00
|
|
|
return false;
|
2010-07-03 00:54:53 +04:00
|
|
|
|
2014-12-17 02:28:39 +03:00
|
|
|
if (desc.hasGetterOrSetter()) {
|
|
|
|
EnterAndThrow(cx, wrapper, "__exposedProps__ must be a value property");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
RootedValue exposedProps(cx, desc.value());
|
2012-11-03 04:47:49 +04:00
|
|
|
if (exposedProps.isNullOrUndefined())
|
|
|
|
return false;
|
2010-07-02 02:45:08 +04:00
|
|
|
|
2012-05-11 19:46:26 +04:00
|
|
|
if (!exposedProps.isObject()) {
|
2012-12-08 02:49:11 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "__exposedProps__ must be undefined, null, or an Object");
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2013-04-26 21:50:18 +04:00
|
|
|
RootedObject hallpass(cx, &exposedProps.toObject());
|
2010-07-03 00:54:53 +04:00
|
|
|
|
2013-04-11 22:50:18 +04:00
|
|
|
if (!AccessCheck::subsumes(js::UncheckedUnwrap(hallpass), wrappedObject)) {
|
2012-12-08 02:49:11 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "Invalid __exposedProps__");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2010-07-03 00:54:53 +04:00
|
|
|
Access access = NO_ACCESS;
|
|
|
|
|
2014-04-26 01:11:01 +04:00
|
|
|
if (!JS_GetPropertyDescriptorById(cx, hallpass, id, &desc)) {
|
2010-07-03 00:54:53 +04:00
|
|
|
return false; // Error
|
2010-07-02 02:45:08 +04:00
|
|
|
}
|
2015-02-15 15:18:30 +03:00
|
|
|
if (!desc.object() || !desc.enumerable())
|
2012-11-03 04:47:49 +04:00
|
|
|
return false;
|
2010-07-03 00:54:53 +04:00
|
|
|
|
2013-04-26 21:50:18 +04:00
|
|
|
if (!desc.value().isString()) {
|
2012-12-08 02:49:11 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "property must be a string");
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2015-03-29 01:22:11 +03:00
|
|
|
JSFlatString* flat = JS_FlattenString(cx, desc.value().toString());
|
2014-07-10 19:36:35 +04:00
|
|
|
if (!flat)
|
2010-12-03 11:24:17 +03:00
|
|
|
return false;
|
|
|
|
|
2014-07-10 19:36:35 +04:00
|
|
|
size_t length = JS_GetStringLength(JS_FORGET_STRING_FLATNESS(flat));
|
|
|
|
|
2010-07-03 00:54:53 +04:00
|
|
|
for (size_t i = 0; i < length; ++i) {
|
2014-07-22 08:43:21 +04:00
|
|
|
char16_t ch = JS_GetFlatStringCharAt(flat, i);
|
2014-07-10 19:36:35 +04:00
|
|
|
switch (ch) {
|
2010-07-03 00:54:53 +04:00
|
|
|
case 'r':
|
|
|
|
if (access & READ) {
|
2012-12-08 02:49:11 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "duplicate 'readable' property flag");
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
access = Access(access | READ);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 'w':
|
|
|
|
if (access & WRITE) {
|
2012-12-08 02:49:11 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "duplicate 'writable' property flag");
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
access = Access(access | WRITE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
2012-12-08 02:49:11 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "properties can only be readable or read and writable");
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (access == NO_ACCESS) {
|
2012-12-08 02:49:11 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "specified properties must have a permission bit set");
|
2010-07-03 00:54:53 +04:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2011-09-09 07:29:15 +04:00
|
|
|
if ((act == Wrapper::SET && !(access & WRITE)) ||
|
|
|
|
(act != Wrapper::SET && !(access & READ))) {
|
2012-11-03 04:47:49 +04:00
|
|
|
return false;
|
2010-07-03 00:54:53 +04:00
|
|
|
}
|
|
|
|
|
2014-10-15 17:05:10 +04:00
|
|
|
// Inspect the property on the underlying object to check for red flags.
|
|
|
|
if (!JS_GetPropertyDescriptorById(cx, wrappedObject, id, &desc))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
// Reject accessor properties.
|
2015-10-08 05:42:10 +03:00
|
|
|
if (desc.hasGetterOrSetter()) {
|
2014-10-15 17:05:10 +04:00
|
|
|
EnterAndThrow(cx, wrapper, "Exposing privileged accessor properties is prohibited");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2014-10-15 17:05:10 +04:00
|
|
|
// Reject privileged or cross-origin callables.
|
2015-10-08 05:42:10 +03:00
|
|
|
if (desc.value().isObject()) {
|
2014-10-15 17:05:10 +04:00
|
|
|
RootedObject maybeCallable(cx, js::UncheckedUnwrap(&desc.value().toObject()));
|
|
|
|
if (JS::IsCallable(maybeCallable) && !AccessCheck::subsumes(wrapper, maybeCallable)) {
|
|
|
|
EnterAndThrow(cx, wrapper, "Exposing privileged or cross-origin callable is prohibited");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-11-03 04:47:49 +04:00
|
|
|
return true;
|
2010-06-26 02:58:09 +04:00
|
|
|
}
|
|
|
|
|
2014-10-03 12:05:51 +04:00
|
|
|
bool
|
|
|
|
ExposedPropertiesOnly::deny(js::Wrapper::Action act, HandleId id)
|
|
|
|
{
|
|
|
|
// Fail silently for GET, ENUMERATE, and GET_PROPERTY_DESCRIPTOR.
|
|
|
|
if (act == js::Wrapper::GET || act == js::Wrapper::ENUMERATE ||
|
|
|
|
act == js::Wrapper::GET_PROPERTY_DESCRIPTOR)
|
|
|
|
{
|
|
|
|
AutoJSContext cx;
|
|
|
|
return ReportWrapperDenial(cx, id, WrapperDenialForCOW,
|
|
|
|
"Access to privileged JS object not permitted");
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2015-07-13 18:25:42 +03:00
|
|
|
} // namespace xpc
|