Bug 658909 - Make isSafeToUnwrap pseudo-dynamic for SOWs. r=mrbkap

This can go away as soon as XBL scopes are no longer behind a pref.
This commit is contained in:
Bobby Holley 2013-03-21 08:20:41 -07:00
Родитель 1ee0eb91c2
Коммит 13040f7556
6 изменённых файлов: 45 добавлений и 4 удалений

Просмотреть файл

@ -46,7 +46,7 @@ class JS_FRIEND_API(Wrapper) : public DirectProxyHandler
* object (via UnwrapObjectChecked) will throw. Otherwise, they will succeed.
*/
void setSafeToUnwrap(bool safe) { mSafeToUnwrap = safe; }
bool isSafeToUnwrap() { return mSafeToUnwrap; }
virtual bool isSafeToUnwrap() { return mSafeToUnwrap; }
static JSObject *New(JSContext *cx, JSObject *obj, JSObject *proto,
JSObject *parent, Wrapper *handler);

Просмотреть файл

@ -269,6 +269,19 @@ AccessCheck::isScriptAccessOnly(JSContext *cx, JSObject *wrapper)
return false;
}
bool
OnlyIfSubjectIsSystem::isSafeToUnwrap()
{
if (XPCJSRuntime::Get()->XBLScopesEnabled())
return false;
// It's nasty to use the context stack here, but the alternative is passing cx all
// the way down through UnwrapObjectChecked, which we just undid in a 100k patch. :-(
JSContext *cx = nsContentUtils::GetCurrentJSContext();
if (!cx)
return true;
return AccessCheck::isSystemOnlyAccessPermitted(cx);
}
enum Access { READ = (1<<0), WRITE = (1<<1), NO_ACCESS = 0 };
static bool

Просмотреть файл

@ -50,6 +50,9 @@ struct Opaque : public Policy {
{
return false;
}
static bool isSafeToUnwrap() {
return false;
}
};
// This policy only permits access to the object if the subject can touch
@ -67,6 +70,8 @@ struct OnlyIfSubjectIsSystem : public Policy {
{
return AccessCheck::isSystemOnlyAccessPermitted(cx);
}
static bool isSafeToUnwrap();
};
// This policy only permits access to properties that are safe to be used
@ -82,6 +87,10 @@ struct CrossOriginAccessiblePropertiesOnly : public Policy {
{
return false;
}
static bool isSafeToUnwrap() {
return false;
}
};
// This policy only permits access to properties if they appear in the
@ -94,6 +103,10 @@ struct ExposedPropertiesOnly : public Policy {
return act == js::Wrapper::GET;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
static bool isSafeToUnwrap() {
return false;
}
};
// Components specific policy
@ -106,6 +119,10 @@ struct ComponentsObjectPolicy : public Policy {
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
return false;
}
static bool isSafeToUnwrap() {
return false;
}
};
}

Просмотреть файл

@ -29,6 +29,13 @@ FilteringWrapper<Base, Policy>::~FilteringWrapper()
{
}
template <typename Base, typename Policy>
bool
FilteringWrapper<Base, Policy>::isSafeToUnwrap()
{
return Policy::isSafeToUnwrap();
}
template <typename Policy>
static bool
Filter(JSContext *cx, JSObject *wrapper, AutoIdVector &props)

Просмотреть файл

@ -19,6 +19,9 @@ class FilteringWrapper : public Base {
FilteringWrapper(unsigned flags);
virtual ~FilteringWrapper();
// This is potentially dynamic until XBL scopes are no longer behind a pref.
virtual bool isSafeToUnwrap();
virtual bool getPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id, js::PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
virtual bool getOwnPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id, js::PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
virtual bool getOwnPropertyNames(JSContext *cx, JSObject *wrapper, js::AutoIdVector &props) MOZ_OVERRIDE;

Просмотреть файл

@ -284,8 +284,8 @@ DEBUG_CheckUnwrapSafety(JSObject *obj, js::Wrapper *handler,
// The Components object that is restricted regardless of origin.
MOZ_ASSERT(!handler->isSafeToUnwrap());
} else if (AccessCheck::needsSystemOnlyWrapper(obj)) {
// SOWs are opaque to everyone but Chrome and XBL scopes.
MOZ_ASSERT(handler->isSafeToUnwrap() == nsContentUtils::CanAccessNativeAnon());
// SOWs have a dynamic unwrap check, so we can't really say anything useful
// about them here :-(
} else {
// Otherwise, it should depend on whether the target subsumes the origin.
MOZ_ASSERT(handler->isSafeToUnwrap() == AccessCheck::subsumes(target, origin));
@ -499,7 +499,8 @@ WrapperFactory::WrapForSameCompartment(JSContext *cx, JSObject *obj)
// The WN knows what to do.
JSObject *wrapper = wn->GetSameCompartmentSecurityWrapper(cx);
MOZ_ASSERT_IF(wrapper != obj, !Wrapper::wrapperHandler(wrapper)->isSafeToUnwrap());
MOZ_ASSERT_IF(wrapper != obj && IsComponentsObject(js::UnwrapObject(obj)),
!Wrapper::wrapperHandler(wrapper)->isSafeToUnwrap());
return wrapper;
}