зеркало из https://github.com/mozilla/gecko-dev.git
Bug 976151 - Anti eval/Function() check during wrapping should use |subsumes|. r=gabor
This commit is contained in:
Родитель
cde3a3dad9
Коммит
5ebbbb4ebd
|
@ -0,0 +1,24 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
const Cu = Components.utils;
|
||||
function run_test() {
|
||||
let unprivilegedSb = new Cu.Sandbox('http://www.example.com');
|
||||
function checkCantWrap(val) {
|
||||
try {
|
||||
unprivilegedSb.prop = val;
|
||||
do_check_true(false);
|
||||
} catch (e) {
|
||||
do_check_true(/denied|insecure|/.test(e));
|
||||
}
|
||||
}
|
||||
let xoSb = new Cu.Sandbox('http://www.example.net');
|
||||
let epSb = new Cu.Sandbox(['http://www.example.com']);
|
||||
checkCantWrap(eval);
|
||||
checkCantWrap(xoSb.eval);
|
||||
checkCantWrap(epSb.eval);
|
||||
checkCantWrap(Function);
|
||||
checkCantWrap(xoSb.Function);
|
||||
checkCantWrap(epSb.Function);
|
||||
}
|
|
@ -40,6 +40,7 @@ support-files =
|
|||
[test_bug872772.js]
|
||||
[test_bug885800.js]
|
||||
[test_bug961054.js]
|
||||
[test_bug976151.js]
|
||||
[test_bug_442086.js]
|
||||
[test_file.js]
|
||||
[test_blob.js]
|
||||
|
|
|
@ -459,13 +459,13 @@ WrapperFactory::Rewrap(JSContext *cx, HandleObject existing, HandleObject obj,
|
|||
wrapper = SelectWrapper(securityWrapper, wantXrays, xrayType, waiveXrays);
|
||||
}
|
||||
|
||||
if (wrapper == &ChromeObjectWrapper::singleton) {
|
||||
// This shouldn't happen, but do a quick check to make some dumb addon
|
||||
// doesn't expose chrome eval or Function().
|
||||
if (!targetSubsumesOrigin) {
|
||||
// Do a belt-and-suspenders check against exposing eval()/Function() to
|
||||
// non-subsuming content.
|
||||
JSFunction *fun = JS_GetObjectFunction(obj);
|
||||
if (fun) {
|
||||
if (JS_IsBuiltinEvalFunction(fun) || JS_IsBuiltinFunctionConstructor(fun)) {
|
||||
JS_ReportError(cx, "Not allowed to access chrome eval or Function from content");
|
||||
JS_ReportError(cx, "Permission denied to expose eval or Function to non-subsuming content");
|
||||
return nullptr;
|
||||
}
|
||||
}
|
||||
|
|
Загрузка…
Ссылка в новой задаче