Bug 109113, second half of fix. r=jst, sr=brendan. Adding new CheckObjectAccess

callback to enforce the same-origin policy on function.caller.
2001-11-16 06:17:24 +00:00 · 2001-11-16 06:17:24 +00:00 · 144ebd46ff
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@ -80,6 +80,7 @@
 #include "nsIConsoleService.h"
 #include "nsISecurityCheckedComponent.h"
 #include "nsIPrefBranchInternal.h"
+#include "nsIJSRuntimeService.h"

 static NS_DEFINE_IID(kIIOServiceIID, NS_IIOSERVICE_IID);
 static NS_DEFINE_CID(kIOServiceCID, NS_IOSERVICE_CID);
@ -150,6 +151,41 @@ NS_IMPL_THREADSAFE_ISUPPORTS3(nsScriptSecurityManager,
 ///////////////////////////////////////////////////

 ///////////////// Security Checks /////////////////
+static JSBool JS_DLL_CALLBACK
+CheckJSFunctionCallerAccess(JSContext *cx, JSObject *obj, jsval id,
+                            JSAccessMode mode, jsval *vp)
+{
+    // Currently, this function will be called only when function.caller
+    // is accessed. If that changes, we will need to change this function.
+    NS_ASSERTION(nsCRT::strcmp(JS_GetStringChars(JSVAL_TO_STRING(id)),
+                               NS_LITERAL_STRING("caller").get()) == 0,
+                 "CheckJSFunctionCallerAccess called for a property other than \'caller\'");
+
+    // Get the security manager
+    //XXX: Any way to avoid this service lookup?
+    nsresult rv;
+    nsCOMPtr<nsIScriptSecurityManager> ssm =
+        do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
+    if (NS_FAILED(rv))
+    {
+        NS_ERROR("Failed to get security manager service");
+        return JS_FALSE;
+    }
+
+    // Get the caller function object
+    NS_ASSERTION(JSVAL_IS_OBJECT(*vp), "*vp is not an object");
+    JSObject* target = JSVAL_TO_OBJECT(*vp);
+
+    // Do the same-origin check - this sets a JS exception if the check fails
+    rv = ssm->CheckPropertyAccess(cx, target, "Function", "caller",
+                                  nsIXPCSecurityManager::ACCESS_GET_PROPERTY);
+
+    if (NS_FAILED(rv))
+        return JS_FALSE; // Security check failed
+
+    return JS_TRUE;
+}
+
 NS_IMETHODIMP
 nsScriptSecurityManager::CheckPropertyAccess(JSContext* aJSContext,
                                             JSObject* aJSObject,
@ -276,7 +312,7 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
    case SCRIPT_SECURITY_SAME_ORIGIN_ACCESS:
        {
 #ifdef DEBUG_mstoltz
-		    printf("Level: SameOrigin ");
+            printf("Level: SameOrigin ");
 #endif
            nsCOMPtr<nsIPrincipal> objectPrincipal;
            if(aJSObject)
@ -304,7 +340,7 @@ nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction,
    case SCRIPT_SECURITY_CAPABILITY_ONLY:
        {
 #ifdef DEBUG_mstoltz
-		    printf("Level: Capability ");
+            printf("Level: Capability ");
 #endif
            PRBool capabilityEnabled = PR_FALSE;
            rv = IsCapabilityEnabled(capability.get(), &capabilityEnabled);
@ -750,7 +786,7 @@ nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx, nsIURI *aURI)
    nsXPIDLCString spec;
    if (NS_FAILED(aURI->GetSpec(getter_Copies(spec))))
        return NS_ERROR_FAILURE;
-	JS_ReportError(cx, "illegal URL method '%s'", (const char *)spec);
+    JS_ReportError(cx, "illegal URL method '%s'", (const char *)spec);
    return NS_ERROR_DOM_BAD_URI;
 }

@ -1071,9 +1107,29 @@ nsScriptSecurityManager::CanExecuteScripts(JSContext* cx,
        return NS_OK;
    }

+    //-- Always allow chrome pages to run scripts
+    //   This is for about: URLs, which are chrome but don't
+    //   have the system principal
+    nsresult rv;
+    if (!mIsJavaScriptEnabled)
+    {
+        nsCOMPtr<nsICodebasePrincipal> codebase(do_QueryInterface(principal));
+        if (codebase)
+        {
+            nsXPIDLCString origin;
+            rv = codebase->GetOrigin(getter_Copies(origin));
+            static const char chromePrefix[] = "chrome:";
+            if (NS_SUCCEEDED(rv) &&
+                (PL_strncmp(origin, chromePrefix, sizeof(chromePrefix)-1) == 0))
+            {
+                *result = PR_TRUE;
+                return NS_OK;
+            }
+        }
+    }
+
    //-- See if the current window allows JS execution
    nsCOMPtr<nsIDocShell> docshell;
-    nsresult rv;
    rv = GetRootDocShell(cx, getter_AddRefs(docshell));
    if (NS_SUCCEEDED(rv))
    {
@ -1190,7 +1246,7 @@ nsScriptSecurityManager::GetCertificatePrincipal(const char* aCertID,
 nsresult
 nsScriptSecurityManager::CreateCodebasePrincipal(nsIURI* aURI, nsIPrincipal **result)
 {
-	nsresult rv = NS_OK;
+    nsresult rv = NS_OK;
    nsCodebasePrincipal *codebase = new nsCodebasePrincipal();
    if (!codebase)
        return NS_ERROR_OUT_OF_MEMORY;
@ -1209,10 +1265,10 @@ NS_IMETHODIMP
 nsScriptSecurityManager::GetCodebasePrincipal(nsIURI *aURI,
                                              nsIPrincipal **result)
 {
-	nsresult rv;
-	nsCOMPtr<nsIPrincipal> principal;
-	rv = CreateCodebasePrincipal(aURI, getter_AddRefs(principal));
-	if (NS_FAILED(rv)) return rv;
+    nsresult rv;
+    nsCOMPtr<nsIPrincipal> principal;
+    rv = CreateCodebasePrincipal(aURI, getter_AddRefs(principal));
+    if (NS_FAILED(rv)) return rv;

    if (mPrincipals)
    {
@ -1221,23 +1277,23 @@ nsScriptSecurityManager::GetCodebasePrincipal(nsIURI *aURI,
        nsCOMPtr<nsIPrincipal> fromTable = (nsIPrincipal *) mPrincipals->Get(&key);
        if (fromTable)
            principal = fromTable;
-		else //-- Check to see if we have a more general principal
-		{
-			nsCOMPtr<nsICodebasePrincipal> codebasePrin(do_QueryInterface(principal));
-			nsXPIDLCString originUrl;
-			rv = codebasePrin->GetOrigin(getter_Copies(originUrl));
-			if (NS_FAILED(rv)) return rv;
-			nsCOMPtr<nsIURI> newURI;
-			rv = NS_NewURI(getter_AddRefs(newURI), originUrl, nsnull);
-			if (NS_FAILED(rv)) return rv;
-			nsCOMPtr<nsIPrincipal> principal2;
-			rv = CreateCodebasePrincipal(newURI, getter_AddRefs(principal2));
-			if (NS_FAILED(rv)) return rv;
-			 nsIPrincipalKey key2(principal2);
-				fromTable = (nsIPrincipal *) mPrincipals->Get(&key2);
-			if (fromTable)
-				principal = fromTable;
-		}		
+        else //-- Check to see if we have a more general principal
+        {
+            nsCOMPtr<nsICodebasePrincipal> codebasePrin(do_QueryInterface(principal));
+            nsXPIDLCString originUrl;
+            rv = codebasePrin->GetOrigin(getter_Copies(originUrl));
+            if (NS_FAILED(rv)) return rv;
+            nsCOMPtr<nsIURI> newURI;
+            rv = NS_NewURI(getter_AddRefs(newURI), originUrl, nsnull);
+            if (NS_FAILED(rv)) return rv;
+            nsCOMPtr<nsIPrincipal> principal2;
+            rv = CreateCodebasePrincipal(newURI, getter_AddRefs(principal2));
+            if (NS_FAILED(rv)) return rv;
+             nsIPrincipalKey key2(principal2);
+                fromTable = (nsIPrincipal *) mPrincipals->Get(&key2);
+            if (fromTable)
+                principal = fromTable;
+        }		
    }

    //-- Bundle this codebase principal into an aggregate principal
@ -1701,8 +1757,8 @@ nsScriptSecurityManager::EnableCapability(const char *capability)
    //-- Error checks for capability string length (200)
    if(PL_strlen(capability)>200)
    {
-		static const char msg[] = "Capability name too long";
-		JS_SetPendingException(cx, STRING_TO_JSVAL(JS_NewStringCopyZ(cx, msg)));
+        static const char msg[] = "Capability name too long";
+        JS_SetPendingException(cx, STRING_TO_JSVAL(JS_NewStringCopyZ(cx, msg)));
        return NS_ERROR_FAILURE;
    }

@ -1723,8 +1779,8 @@ nsScriptSecurityManager::EnableCapability(const char *capability)

    if (canEnable != nsIPrincipal::ENABLE_GRANTED)
    {
-		static const char msg[] = "enablePrivilege not granted";
-		JS_SetPendingException(cx, STRING_TO_JSVAL(JS_NewStringCopyZ(cx, msg)));
+        static const char msg[] = "enablePrivilege not granted";
+        JS_SetPendingException(cx, STRING_TO_JSVAL(JS_NewStringCopyZ(cx, msg)));
        return NS_ERROR_FAILURE; // XXX better error code?
    }
    if (NS_FAILED(principal->EnableCapability(capability, &annotation)))
@ -1817,7 +1873,7 @@ nsScriptSecurityManager::SetCanEnableCapability(const char* certificateID,
    {
        JSContext* cx = GetCurrentContextQuick();
        if (!cx) return NS_ERROR_FAILURE;
-		static const char msg1[] = "Only code signed by the system certificate may call SetCanEnableCapability or Invalidate";
+        static const char msg1[] = "Only code signed by the system certificate may call SetCanEnableCapability or Invalidate";
        static const char msg2[] = "Attempt to call SetCanEnableCapability or Invalidate when no system certificate has been established";
            JS_SetPendingException(cx, STRING_TO_JSVAL(JS_NewStringCopyZ(cx,
                                   mSystemCertificate ? msg1 : msg2)));
@ -2059,6 +2115,25 @@ nsScriptSecurityManager::nsScriptSecurityManager(void)
    NS_INIT_REFCNT();
    InitPrefs();
    mThreadJSContextStack = do_GetService("@mozilla.org/js/xpc/ContextStack;1");
+
+    //-- Register security check callback in the JS engine
+    //   Currently this is used to control access to function.caller
+    nsresult rv;
+    nsCOMPtr<nsIJSRuntimeService> runtimeService =
+        do_GetService("@mozilla.org/js/xpc/RuntimeService;1", &rv);
+    NS_ASSERTION(NS_SUCCEEDED(rv), "Failed to get runtime service");
+
+    JSRuntime *rt;
+    rv = runtimeService->GetRuntime(&rt);
+    NS_ASSERTION(NS_SUCCEEDED(rv), "Failed to get current JS runtime");
+
+#ifdef DEBUG
+    JSCheckAccessOp oldCallback =
+        JS_SetCheckObjectAccessCallback(rt, CheckJSFunctionCallerAccess);
+
+    // For now, assert that no callback was set previously
+    NS_ASSERTION(!oldCallback, "Someone already set a JS CheckObjectAccess callback");
+#endif
 }

 nsScriptSecurityManager::~nsScriptSecurityManager(void)