From ee5cb1d9351c4fbcb6f8f2f8b35f1f5c20342309 Mon Sep 17 00:00:00 2001
From: Bobby Holley <bobbyholley@gmail.com>
Date: Thu, 20 Dec 2012 22:33:26 -0800
Subject: [PATCH] Bug 809652 - Have SecurityWrapper::enter default to deny, and
 override SecurityWrapper::objectClassIs. r=jorendorff

---
 js/src/js.msg                              |  1 +
 js/src/jswrapper.cpp                       | 16 +++++++++++-----
 js/src/jswrapper.h                         |  2 ++
 js/xpconnect/wrappers/FilteringWrapper.cpp |  2 +-
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/js/src/js.msg b/js/src/js.msg
index 71fc75458736..bb1818a18714 100644
--- a/js/src/js.msg
+++ b/js/src/js.msg
@@ -376,3 +376,4 @@ MSG_DEF(JSMSG_CANT_SET_NW_NC,         322, 0, JSEXN_TYPEERR, "proxy can't succes
 MSG_DEF(JSMSG_CANT_SET_WO_SETTER,     323, 0, JSEXN_TYPEERR, "proxy can't succesfully set an accessor property without a setter")
 MSG_DEF(JSMSG_DEBUG_BAD_REFERENT,     324, 2, JSEXN_TYPEERR, "{0} does not refer to {1}")
 MSG_DEF(JSMSG_DEBUG_WRAPPER_IN_WAY,   325, 2, JSEXN_TYPEERR, "{0} is a wrapper around {1}, but a direct reference is required")
+MSG_DEF(JSMSG_UNWRAP_DENIED,          326, 0, JSEXN_ERR, "permission denied to unwrap object")
diff --git a/js/src/jswrapper.cpp b/js/src/jswrapper.cpp
index b8aef6d2ea11..9269669389d9 100644
--- a/js/src/jswrapper.cpp
+++ b/js/src/jswrapper.cpp
@@ -782,6 +782,16 @@ SecurityWrapper<Base>::SecurityWrapper(unsigned flags)
 
 template <class Base>
 bool
+SecurityWrapper<Base>::enter(JSContext *cx, JSObject *wrapper, jsid id,
+                             Wrapper::Action act, bool *bp)
+{
+    JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_UNWRAP_DENIED);
+    *bp = false;
+    return false;
+}
+
+ template <class Base>
+ bool
 SecurityWrapper<Base>::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                                   CallArgs args)
 {
@@ -796,11 +806,7 @@ template <class Base>
 bool
 SecurityWrapper<Base>::objectClassIs(JSObject *obj, ESClassValue classValue, JSContext *cx)
 {
-    /*
-     * Let this through until compartment-per-global lets us have stronger
-     * invariants wrt document.domain (bug 714547).
-     */
-    return Base::objectClassIs(obj, classValue, cx);
+    return false;
 }
 
 template <class Base>
diff --git a/js/src/jswrapper.h b/js/src/jswrapper.h
index 1a220c0bfed4..7e9add66d243 100644
--- a/js/src/jswrapper.h
+++ b/js/src/jswrapper.h
@@ -181,6 +181,8 @@ class JS_FRIEND_API(SecurityWrapper) : public Base
   public:
     SecurityWrapper(unsigned flags);
 
+    virtual bool enter(JSContext *cx, JSObject *wrapper, jsid id, Wrapper::Action act,
+                       bool *bp) MOZ_OVERRIDE;
     virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                             CallArgs args) MOZ_OVERRIDE;
     virtual bool objectClassIs(JSObject *obj, ESClassValue classValue, JSContext *cx) MOZ_OVERRIDE;
diff --git a/js/xpconnect/wrappers/FilteringWrapper.cpp b/js/xpconnect/wrappers/FilteringWrapper.cpp
index a86225e36bee..2201f8f7c8ee 100644
--- a/js/xpconnect/wrappers/FilteringWrapper.cpp
+++ b/js/xpconnect/wrappers/FilteringWrapper.cpp
@@ -128,7 +128,7 @@ FilteringWrapper<Base, Policy>::enter(JSContext *cx, JSObject *wrapper, jsid id,
         return false;
     }
     *bp = true;
-    return Base::enter(cx, wrapper, id, act, bp);
+    return true;
 }
 
 #define SOW FilteringWrapper<CrossCompartmentSecurityWrapper, OnlyIfSubjectIsSystem>