Defense in depth for eval on what should be an inaccessible scope (217195, r+sr=jst, a=chase).

2005-04-12 01:35:05 +00:00 · 2005-04-12 01:35:05 +00:00 · e4e03bd453
--- a/js/src/jsobj.c
+++ b/js/src/jsobj.c
@ -1005,7 +1005,7 @@ obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
    JSString *str;
    const char *file;
    uintN line;
-    JSPrincipals *principals;
+    JSPrincipals *principals, *scopePrincipals;
    JSScript *script;
    JSBool ok;
 #if JS_HAS_EVAL_THIS_SCOPE
@ -1123,6 +1123,14 @@ obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
            scopeobj = caller->scopeChain;
    }
 #endif
+
+    /* Belt-and-braces: check that this eval callee has access to scopeobj. */
+    if (cx->findObjectPrincipals) {
+        scopePrincipals = cx->findObjectPrincipals(cx, scopeobj);
+        if (scopePrincipals != principals)
+            scopeobj = OBJ_GET_PARENT(cx, JSVAL_TO_OBJECT(argv[-2]));
+    }
+
    ok = js_Execute(cx, scopeobj, script, caller, JSFRAME_EVAL, rval);
    JS_DestroyScript(cx, script);

--- a/js/src/jsscript.c
+++ b/js/src/jsscript.c
@ -238,6 +238,7 @@ script_exec(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
    JSScript *script;
    JSObject *scopeobj, *parent;
    JSStackFrame *fp, *caller;
+    JSPrincipals *scopePrincipals;

    if (!JS_InstanceOf(cx, obj, &js_ScriptClass, argv))
        return JS_FALSE;
@ -297,6 +298,13 @@ script_exec(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
        }
    }

+    /* Belt-and-braces: check that this script object has access to scopeobj. */
+    if (cx->findObjectPrincipals) {
+        scopePrincipals = cx->findObjectPrincipals(cx, scopeobj);
+        if (scopePrincipals != script->principals)
+            scopeobj = OBJ_GET_PARENT(cx, obj);
+    }
+
    return js_Execute(cx, scopeobj, script, caller, JSFRAME_EVAL, rval);
 }