Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff

2024-09-13 09:24:08 -07:00 · 2012-12-20 22:33:26 -08:00 · 2012-12-20 22:33:26 -08:00 · 2ca33ed4e3
commit 2ca33ed4e3
parent c769a0aaa2
6 changed files with 41 additions and 5 deletions
--- a/js/src/jswrapper.cpp
+++ b/js/src/jswrapper.cpp
@ -795,11 +795,8 @@ SecurityWrapper<Base>::enter(JSContext *cx, JSObject *wrapper, jsid id,
 SecurityWrapper<Base>::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                                  CallArgs args)
 {
-    /*
-     * Let this through until compartment-per-global lets us have stronger
-     * invariants wrt document.domain (bug 714547).
-     */
-    return Base::nativeCall(cx, test, impl, args);
+    JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_UNWRAP_DENIED);
+    return false;
 }

 template <class Base>
--- a/js/src/jswrapper.h
+++ b/js/src/jswrapper.h
@ -187,6 +187,13 @@ class JS_FRIEND_API(SecurityWrapper) : public Base
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool objectClassIs(JSObject *obj, ESClassValue classValue, JSContext *cx) MOZ_OVERRIDE;
    virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g) MOZ_OVERRIDE;
+
+    /*
+     * Allow our subclasses to select the superclass behavior they want without
+     * needing to specify an exact superclass.
+     */
+    typedef Base Permissive;
+    typedef SecurityWrapper<Base> Restrictive;
 };

 typedef SecurityWrapper<Wrapper> SameCompartmentSecurityWrapper;
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@ -446,6 +446,13 @@ ExposedPropertiesOnly::check(JSContext *cx, JSObject *wrapper, jsid id, Wrapper:
    return true;
 }

+bool
+ExposedPropertiesOnly::allowNativeCall(JSContext *cx, JS::IsAcceptableThis test,
+                                       JS::NativeImpl impl)
+{
+    return js::IsReadOnlyDateMethod(test, impl) || js::IsTypedArrayThisCheck(test);
+}
+
 bool
 ComponentsObjectPolicy::check(JSContext *cx, JSObject *wrapper, jsid id, Wrapper::Action act)
 {
--- a/js/xpconnect/wrappers/AccessCheck.h
+++ b/js/xpconnect/wrappers/AccessCheck.h
@ -51,6 +51,11 @@ struct OnlyIfSubjectIsSystem : public Policy {
        AccessCheck::deny(cx, id);
        return false;
    }
+
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
+    {
+        return AccessCheck::isSystemOnlyAccessPermitted(cx);
+    }
 };

 // This policy only permits access to properties that are safe to be used
@ -63,6 +68,10 @@ struct CrossOriginAccessiblePropertiesOnly : public Policy {
        AccessCheck::deny(cx, id);
        return false;
    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
+    {
+        return false;
+    }
 };

 // This policy only permits access to properties if they appear in the
@ -78,6 +87,7 @@ struct ExposedPropertiesOnly : public Policy {
        AccessCheck::deny(cx, id);
        return false;
    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
 };

 // Components specific policy
@ -88,6 +98,9 @@ struct ComponentsObjectPolicy : public Policy {
        AccessCheck::deny(cx, id);
        return false;
    }
+    static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
+        return false;
+    }
 };

 }
--- a/js/xpconnect/wrappers/FilteringWrapper.cpp
+++ b/js/xpconnect/wrappers/FilteringWrapper.cpp
@ -113,6 +113,16 @@ FilteringWrapper<Base, Policy>::iterate(JSContext *cx, JSObject *wrapper, unsign
    return js::BaseProxyHandler::iterate(cx, wrapper, flags, vp);
 }

+template <typename Base, typename Policy>
+bool
+FilteringWrapper<Base, Policy>::nativeCall(JSContext *cx, JS::IsAcceptableThis test,
+                                           JS::NativeImpl impl, JS::CallArgs args)
+{
+    if (Policy::allowNativeCall(cx, test, impl))
+        return Base::Permissive::nativeCall(cx, test, impl, args);
+    return Base::Restrictive::nativeCall(cx, test, impl, args);
+}
+
 template <typename Base, typename Policy>
 bool
 FilteringWrapper<Base, Policy>::enter(JSContext *cx, JSObject *wrapper, jsid id,
--- a/js/xpconnect/wrappers/FilteringWrapper.h
+++ b/js/xpconnect/wrappers/FilteringWrapper.h
@ -25,6 +25,8 @@ class FilteringWrapper : public Base {
    virtual bool enumerate(JSContext *cx, JSObject *wrapper, js::AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool keys(JSContext *cx, JSObject *wrapper, js::AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool iterate(JSContext *cx, JSObject *proxy, unsigned flags, js::Value *vp) MOZ_OVERRIDE;
+    virtual bool nativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl,
+                            JS::CallArgs args) MOZ_OVERRIDE;

    virtual bool enter(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act, bool *bp) MOZ_OVERRIDE;