From 26a118b43a5a989e237b777a6e58a25a9c2e394b Mon Sep 17 00:00:00 2001
From: Bobby Holley
Date: Wed, 23 Jan 2013 06:04:38 +0100
Subject: [PATCH] Bug 823348 - Make NNXOWs use an explicitly opaque Policy. r=mrbkap
There's no reason to be doing a dynamic check here, given that the JSClasses will never match. Lets be explicit and safe.
---
 js/xpconnect/wrappers/AccessCheck.h | 15 +++++++++++++++
 js/xpconnect/wrappers/FilteringWrapper.cpp | 2 +-
 js/xpconnect/wrappers/WrapperFactory.cpp | 3 +--
 3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/js/xpconnect/wrappers/AccessCheck.h b/js/xpconnect/wrappers/AccessCheck.h
index 2861b1283996..8a7dcc5a5b45 100644
--- a/js/xpconnect/wrappers/AccessCheck.h
+++ b/js/xpconnect/wrappers/AccessCheck.h
@@ -40,6 +40,21 @@ class AccessCheck {
 struct Policy {
 };
+// This policy only allows calling the underlying callable. All other operations throw.
+struct Opaque : public Policy {
+ static bool check(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act) {
+ return act == js::Wrapper::CALL;
+ }
+ static bool deny(JSContext *cx, jsid id, js::Wrapper::Action act) {
+ AccessCheck::deny(cx, id);
+ return false;
+ }
+ static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
+ {
+ return false;
+ }
+};
+
 // This policy only permits access to the object if the subject can touch
 // system objects.
 struct OnlyIfSubjectIsSystem : public Policy {
diff --git a/js/xpconnect/wrappers/FilteringWrapper.cpp b/js/xpconnect/wrappers/FilteringWrapper.cpp
index fe299184f5df..da60024ffa2b 100644
--- a/js/xpconnect/wrappers/FilteringWrapper.cpp
+++ b/js/xpconnect/wrappers/FilteringWrapper.cpp
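Review bot: The comment on `Opaque` in AccessCheck.h says every operation other than a call throws, but it does not explain why `check()` admits `js::Wrapper::CALL` while `allowNativeCall()` unconditionally returns false, and anyone auditing this boundary has to work that out alone. I would extend it along the lines of `// Deny-by-default: check() admits CALL only, and allowNativeCall() refuses native calls through the wrapper.`, assuming that is the intent. `deny()` also ignores its `act` parameter, so every refused action is reported identically through `AccessCheck::deny(cx, id)`; if that is deliberate, a short remark saying so would help. Minor style point: `allowNativeCall` puts its opening brace on its own line while `check` and `deny` keep it on the signature line.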
@@ -146,7 +146,7 @@ FilteringWrapper::enter(JSContext *cx, JSObject *wrapper, jsid id,
 #define SCSOW FilteringWrapper
 #define XOW FilteringWrapper
 #define DXOW FilteringWrapper
-#define NNXOW FilteringWrapper
+#define NNXOW FilteringWrapper
 #define CW FilteringWrapper
 #define XCW FilteringWrapper
 template<> SOW SOW::singleton(WrapperFactory::SCRIPT_ACCESS_ONLY_FLAG |
diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp
index 9732e7d3c789..f3b8fcdf4727 100644
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -445,8 +445,7 @@ WrapperFactory::Rewrap(JSContext *cx, JSObject *existing, JSObject *obj,
 // a predefined set of properties.
 XrayType type = GetXrayType(obj);
 if (type == NotXray) {
- wrapper = &FilteringWrapper::singleton;
+ wrapper = &FilteringWrapper::singleton;
 } else if (type == XrayForDOMObject) {
 wrapper = &FilteringWrapper::singleton;
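Review bot: In the WrapperFactory.cpp hunk, the `if (type == NotXray)` branch sits under a comment ending in `a predefined set of properties.`, which, going by the commit subject, probably no longer describes what this branch hands out once NNXOWs use the opaque policy. A one-line comment inside the branch, for example `// No Xray for this object: refuse everything except CALL (Opaque policy).`, would stop a reader from assuming property access is filtered rather than refused. That comment and the enclosing `WrapperFactory::Rewrap` both start outside the hunk, and the wrapper's template arguments are not visible in this rendering, so the wording should be checked against the file itself.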