From 5ebbbb4ebd47677690ac650630e356f7bbbc55fb Mon Sep 17 00:00:00 2001
From: Bobby Holley <bobbyholley@gmail.com>
Date: Tue, 25 Feb 2014 08:38:33 -0800
Subject: [PATCH] Bug 976151 - Anti eval/Function() check during wrapping
 should use |subsumes|. r=gabor

---
 js/xpconnect/tests/unit/test_bug976151.js | 24 +++++++++++++++++++++++
 js/xpconnect/tests/unit/xpcshell.ini      |  1 +
 js/xpconnect/wrappers/WrapperFactory.cpp  |  8 ++++----
 3 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 js/xpconnect/tests/unit/test_bug976151.js

diff --git a/js/xpconnect/tests/unit/test_bug976151.js b/js/xpconnect/tests/unit/test_bug976151.js
new file mode 100644
index 000000000000..d27c7e91d200
--- /dev/null
+++ b/js/xpconnect/tests/unit/test_bug976151.js
@@ -0,0 +1,24 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+const Cu = Components.utils;
+function run_test() {
+  let unprivilegedSb = new Cu.Sandbox('http://www.example.com');
+  function checkCantWrap(val) {
+    try {
+      unprivilegedSb.prop = val;
+      do_check_true(false);
+    } catch (e) {
+      do_check_true(/denied|insecure|/.test(e));
+    }
+  }
+  let xoSb = new Cu.Sandbox('http://www.example.net');
+  let epSb = new Cu.Sandbox(['http://www.example.com']);
+  checkCantWrap(eval);
+  checkCantWrap(xoSb.eval);
+  checkCantWrap(epSb.eval);
+  checkCantWrap(Function);
+  checkCantWrap(xoSb.Function);
+  checkCantWrap(epSb.Function);
+}
diff --git a/js/xpconnect/tests/unit/xpcshell.ini b/js/xpconnect/tests/unit/xpcshell.ini
index 8d22f5a2092a..abdf7ed996ec 100644
--- a/js/xpconnect/tests/unit/xpcshell.ini
+++ b/js/xpconnect/tests/unit/xpcshell.ini
@@ -40,6 +40,7 @@ support-files =
 [test_bug872772.js]
 [test_bug885800.js]
 [test_bug961054.js]
+[test_bug976151.js]
 [test_bug_442086.js]
 [test_file.js]
 [test_blob.js]
diff --git a/js/xpconnect/wrappers/WrapperFactory.cpp b/js/xpconnect/wrappers/WrapperFactory.cpp
index fc55644461ea..1082af6c1c56 100644
--- a/js/xpconnect/wrappers/WrapperFactory.cpp
+++ b/js/xpconnect/wrappers/WrapperFactory.cpp
@@ -459,13 +459,13 @@ WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
         wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays);
     }
 
-    if (wrapper == &ChromeObjectWrapper::singleton) {
-        // This shouldn't happen, but do a quick check to make some dumb addon
-        // doesn't expose chrome eval or Function().
+    if (!targetSubsumesOrigin) {
+        // Do a belt-and-suspenders check against exposing eval()/Function() to
+        // non-subsuming content.
         JSFunction *fun = JS_GetObjectFunction(obj);
         if (fun) {
             if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
-                JS_ReportError(cx, "Not allowed to access chrome eval or Function from content");
+                JS_ReportError(cx, "Permission denied to expose eval or Function to non-subsuming content");
                 return nullptr;
             }
         }