зеркало из https://github.com/mozilla/gecko-dev.git
Bug 502959 - Restore code to make caps allow wrapping same-origin wrappedjs objects. r=jst sr=bzbarsky
This commit is contained in:
Blake Kaplan
Родитель
c2440a4cf3
Коммит
27e754d4d0
|
|
@ -537,22 +537,32 @@ private:
|
|||
* has set the "security.xpconnect.plugin.unrestricted" pref to allow
|
||||
* anybody to script plugin objects from anywhere.
|
||||
*
|
||||
* @param cx The context we're running on.
|
||||
* NB: If null, "sameOrigin" does not have any effect.
|
||||
* @param aObj The nsISupports representation of the object in question
|
||||
* object, possibly null.
|
||||
* @param aJSObject The JSObject representation of the object in question.
|
||||
* Only used if |aObjectSecurityLevel| is "sameOrigin".
|
||||
* @param aJSObject The JSObject representation of the object in question
|
||||
* if |cx| is non-null and |aObjectSecurityLevel| is
|
||||
* "sameOrigin". If null will be calculated from aObj (if
|
||||
* non-null) if and only if aObj is an XPCWrappedJS. The
|
||||
* rationale behind this is that if we're creating a JS
|
||||
* wrapper for an XPCWrappedJS, this object definitely
|
||||
* expects to be exposed to JS.
|
||||
* @param aSubjectPrincipal The nominal subject principal used when
|
||||
* aObjectSecurityLevel is "sameOrigin".
|
||||
* aObjectSecurityLevel is "sameOrigin". If null,
|
||||
* this is calculated if it's needed.
|
||||
* @param aObjectSecurityLevel Can be one of three values:
|
||||
* - allAccess: Allow access no matter what.
|
||||
* - noAccess: Deny access no matter what.
|
||||
* - sameOrigin: If both a subject principal and JS
|
||||
* object have been passed in, returns
|
||||
* true if the subject subsumes the object,
|
||||
* otherwise, behaves like noAccess.
|
||||
* - sameOrigin: If |cx| is null, behave like noAccess.
|
||||
* Otherwise, possibly compute a subject
|
||||
* and object principal and return true if
|
||||
* and only if the subject has greater than
|
||||
* or equal privileges to the object.
|
||||
*/
|
||||
nsresult
|
||||
CheckXPCPermissions(nsISupports* aObj, JSObject* aJSObject,
|
||||
CheckXPCPermissions(JSContext* cx,
|
||||
nsISupports* aObj, JSObject* aJSObject,
|
||||
nsIPrincipal* aSubjectPrincipal,
|
||||
const char* aObjectSecurityLevel);
|
||||
|
||||
|
|
|
|||
|
|
@ -812,7 +812,7 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
|
|||
}
|
||||
}
|
||||
}
|
||||
rv = CheckXPCPermissions(aObj, aJSObject, subjectPrincipal,
|
||||
rv = CheckXPCPermissions(cx, aObj, aJSObject, subjectPrincipal,
|
||||
objectSecurityLevel);
|
||||
#ifdef DEBUG_CAPS_CheckPropertyAccessImpl
|
||||
if(NS_SUCCEEDED(rv))
|
||||
|
|
@ -2937,7 +2937,7 @@ nsScriptSecurityManager::CanCreateWrapper(JSContext *cx,
|
|||
if (checkedComponent)
|
||||
checkedComponent->CanCreateWrapper((nsIID *)&aIID, getter_Copies(objectSecurityLevel));
|
||||
|
||||
nsresult rv = CheckXPCPermissions(aObj, nsnull, nsnull, objectSecurityLevel);
|
||||
nsresult rv = CheckXPCPermissions(cx, aObj, nsnull, nsnull, objectSecurityLevel);
|
||||
if (NS_FAILED(rv))
|
||||
{
|
||||
//-- Access denied, report an error
|
||||
|
|
@ -3048,7 +3048,7 @@ nsScriptSecurityManager::CanCreateInstance(JSContext *cx,
|
|||
NS_Free(cidStr);
|
||||
#endif
|
||||
|
||||
nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull);
|
||||
nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull, nsnull);
|
||||
if (NS_FAILED(rv))
|
||||
#ifdef XPC_IDISPATCH_SUPPORT
|
||||
{
|
||||
|
|
@ -3085,7 +3085,7 @@ nsScriptSecurityManager::CanGetService(JSContext *cx,
|
|||
NS_Free(cidStr);
|
||||
#endif
|
||||
|
||||
nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull);
|
||||
nsresult rv = CheckXPCPermissions(nsnull, nsnull, nsnull, nsnull, nsnull);
|
||||
if (NS_FAILED(rv))
|
||||
{
|
||||
//-- Access denied, report an error
|
||||
|
|
@ -3124,7 +3124,8 @@ nsScriptSecurityManager::CanAccess(PRUint32 aAction,
|
|||
}
|
||||
|
||||
nsresult
|
||||
nsScriptSecurityManager::CheckXPCPermissions(nsISupports* aObj, JSObject* aJSObject,
|
||||
nsScriptSecurityManager::CheckXPCPermissions(JSContext* cx,
|
||||
nsISupports* aObj, JSObject* aJSObject,
|
||||
nsIPrincipal* aSubjectPrincipal,
|
||||
const char* aObjectSecurityLevel)
|
||||
{
|
||||
|
|
@ -3138,20 +3139,40 @@ nsScriptSecurityManager::CheckXPCPermissions(nsISupports* aObj, JSObject* aJSObj
|
|||
{
|
||||
if (PL_strcasecmp(aObjectSecurityLevel, "allAccess") == 0)
|
||||
return NS_OK;
|
||||
if (aSubjectPrincipal && aJSObject &&
|
||||
PL_strcasecmp(aObjectSecurityLevel, "sameOrigin") == 0)
|
||||
if (cx && PL_strcasecmp(aObjectSecurityLevel, "sameOrigin") == 0)
|
||||
{
|
||||
nsIPrincipal* objectPrincipal = doGetObjectPrincipal(aJSObject);
|
||||
|
||||
// Only do anything if we have both a subject and object
|
||||
// principal.
|
||||
if (objectPrincipal)
|
||||
nsresult rv;
|
||||
if (!aJSObject)
|
||||
{
|
||||
PRBool subsumes;
|
||||
nsresult rv = aSubjectPrincipal->Subsumes(objectPrincipal, &subsumes);
|
||||
nsCOMPtr<nsIXPConnectWrappedJS> xpcwrappedjs =
|
||||
do_QueryInterface(aObj);
|
||||
if (xpcwrappedjs)
|
||||
{
|
||||
rv = xpcwrappedjs->GetJSObject(&aJSObject);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
}
|
||||
}
|
||||
|
||||
if (!aSubjectPrincipal)
|
||||
{
|
||||
// No subject principal passed in. Compute it.
|
||||
aSubjectPrincipal = GetSubjectPrincipal(cx, &rv);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (subsumes)
|
||||
return NS_OK;
|
||||
}
|
||||
if (aSubjectPrincipal && aJSObject)
|
||||
{
|
||||
nsIPrincipal* objectPrincipal = doGetObjectPrincipal(aJSObject);
|
||||
|
||||
// Only do anything if we have both a subject and object
|
||||
// principal.
|
||||
if (objectPrincipal)
|
||||
{
|
||||
PRBool subsumes;
|
||||
rv = aSubjectPrincipal->Subsumes(objectPrincipal, &subsumes);
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
if (subsumes)
|
||||
return NS_OK;
|
||||
}
|
||||
}
|
||||
}
|
||||
else if (PL_strcasecmp(aObjectSecurityLevel, "noAccess") != 0)
|
||||
|
|
|
|||
|
|
@ -60,6 +60,7 @@ _TEST_FILES = bug500931_helper.html \
|
|||
test_bug484107.html \
|
||||
test_bug484459.html \
|
||||
test_bug500691.html \
|
||||
test_bug502959.html \
|
||||
test_bug503926.html \
|
||||
$(NULL)
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,38 @@
|
|||
<!DOCTYPE HTML>
|
||||
<html>
|
||||
<!--
|
||||
https://bugzilla.mozilla.org/show_bug.cgi?id=502959
|
||||
-->
|
||||
<head>
|
||||
<title>Test for Bug 502959</title>
|
||||
<script type="application/javascript" src="/MochiKit/packed.js"></script>
|
||||
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
|
||||
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
|
||||
</head>
|
||||
<body>
|
||||
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=502959">Mozilla Bug 502959</a>
|
||||
<p id="display"></p>
|
||||
<div id="content" style="display: none">
|
||||
|
||||
</div>
|
||||
<pre id="test">
|
||||
<script type="application/javascript">
|
||||
|
||||
/** Test for Bug 502959 **/
|
||||
var xhr = new XMLHttpRequest();
|
||||
|
||||
xhr.onreadystatechange = function() { ok(true, "Able to call the double-wrapped function"); };
|
||||
var doublewrapped = xhr.onreadystatechange;
|
||||
ok(doublewrapped.toString().indexOf("wrapped") > 0, "got a double-wrapped object back");
|
||||
|
||||
(function () {
|
||||
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
|
||||
Components.utils.forceGC();
|
||||
})();
|
||||
|
||||
doublewrapped.handleEvent({});
|
||||
|
||||
</script>
|
||||
</pre>
|
||||
</body>
|
||||
</html>
|
||||
Загрузка…
Ссылка в новой задаче