Bug 1042996 - Always set an explicit version in evalInSandbox. r=gabor

If setVersion() is not invoked on compileOptions, it ends up with JSVERSION_UNKNOWN, which invokes findVersion() on the JSContext, which does a bunch of crazy hunting of previous scripted stack frames that we most certainly don't want for sandboxes, which are supposed to be controlled environments. Using a separate JSContext in evalInSandbox isolates us from these effects, so once we stop doing that we need to be more explicit here.
2024-09-13 09:24:08 -07:00 · 2014-07-28 14:55:51 -07:00 · 2014-07-28 14:55:51 -07:00 · 0ac3502f9a
commit 0ac3502f9a
parent 4c9192bc02
2 changed files with 29 additions and 3 deletions
--- a/js/xpconnect/src/Sandbox.cpp
+++ b/js/xpconnect/src/Sandbox.cpp
@ -1507,9 +1507,8 @@ xpc::EvalInSandbox(JSContext *cx, HandleObject sandboxArg, const nsAString& sour
        JSAutoCompartment ac(sandcx, sandbox);

        JS::CompileOptions options(sandcx);
-        options.setFileAndLine(filenameBuf.get(), lineNo);
-        if (jsVersion != JSVERSION_DEFAULT)
-               options.setVersion(jsVersion);
+        options.setFileAndLine(filenameBuf.get(), lineNo)
+               .setVersion(jsVersion);
        JS::RootedObject rootedSandbox(sandcx, sandbox);
        ok = JS::Evaluate(sandcx, rootedSandbox, options,
                          PromiseFlatString(source).get(), source.Length(), &v);
--- a/js/xpconnect/tests/chrome/test_evalInSandbox.xul
+++ b/js/xpconnect/tests/chrome/test_evalInSandbox.xul
@ -151,6 +151,33 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=533596
        ok(false, "sameZoneAs works");
      }

+      // The 'let' keyword only appears with JS 1.7 and above. We use this fact
+      // to make sure that sandboxes get explict JS versions and don't inherit
+      // them from the most recent scripted frame.
+      function checkExplicitVersions() {
+        const Cu = Components.utils;
+        var sb = new Cu.Sandbox(sop);
+        Cu.evalInSandbox('let someVariable = 42', sb, '1.7');
+        ok(true, "Didn't throw with let");
+        try {
+          Cu.evalInSandbox('let someVariable = 42', sb);
+          ok(false, "Should have thrown with let");
+        } catch (e) {
+          ok(true, "Threw with let: " + e);
+        }
+        try {
+          Cu.evalInSandbox('let someVariable = 42', sb, '1.5');
+          ok(false, "Should have thrown with let");
+        } catch (e) {
+          ok(true, "Threw with let: " + e);
+        }
+      }
+      var outerSB = new Cu.Sandbox(this);
+      Cu.evalInSandbox(checkExplicitVersions.toSource(), outerSB, '1.7');
+      outerSB.ok = ok;
+      outerSB.sop = this;
+      Cu.evalInSandbox('checkExplicitVersions();', outerSB);
+
      Cu.import("resource://gre/modules/jsdebugger.jsm");
      addDebuggerToGlobal(this);