Do not innerize an object assigned to __proto__ or used as the target of a with statement. Bug 719841, r=mrbkap.
parent
957d0ea231
commit
67533cf65a
@ -5669,6 +5669,9 @@ JSObject::splicePrototype(JSContext *cx, JSObject *proto)
|
|||||||
*/
|
*/
|
||||||
JS_ASSERT_IF(cx->typeInferenceEnabled(), hasSingletonType());
|
JS_ASSERT_IF(cx->typeInferenceEnabled(), hasSingletonType());
|
||||||
|
|
||||||
|
/* Inner objects may not appear on prototype chains. */
|
||||||
|
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Force type instantiation when splicing lazy types. This may fail,
|
* Force type instantiation when splicing lazy types. This may fail,
|
||||||
* in which case inference will be disabled for the compartment.
|
* in which case inference will be disabled for the compartment.
|
||||||
|
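Review bot: The new guard in JSObject::splicePrototype is a `JS_ASSERT_IF`, which to my knowledge is compiled out of non-debug builds, so release builds do not enforce that an inner object is never spliced in as a prototype; the identical assertion added to the TypeObject constructor has the same limit. Since the commit also drops the innerization in obj_setProto and EnterWith, the invariant now depends on no remaining caller handing over an innerized object, which these hunks cannot show. I would make the comment state the contract and its scope, e.g. `/* Inner objects may not appear on prototype chains; callers must pass the outer object. Checked in debug builds only. */`, and confirm whether any path needs a check that survives in release builds. Both function bodies continue outside their hunks.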
@ -1159,6 +1159,9 @@ inline TypeObject::TypeObject(JSObject *proto, bool function, bool unknown)
|
|||||||
{
|
{
|
||||||
PodZero(this);
|
PodZero(this);
|
||||||
|
|
||||||
|
/* Inner objects may not appear on prototype chains. */
|
||||||
|
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
|
||||||
|
|
||||||
this->proto = proto;
|
this->proto = proto;
|
||||||
|
|
||||||
if (function)
|
if (function)
|
||||||
|
@ -1014,10 +1014,6 @@ EnterWith(JSContext *cx, jsint stackIndex)
|
|||||||
if (!parent)
|
if (!parent)
|
||||||
return JS_FALSE;
|
return JS_FALSE;
|
||||||
|
|
||||||
OBJ_TO_INNER_OBJECT(cx, obj);
|
|
||||||
if (!obj)
|
|
||||||
return JS_FALSE;
|
|
||||||
|
|
||||||
JSObject *withobj = WithObject::create(cx, fp, *obj, *parent,
|
JSObject *withobj = WithObject::create(cx, fp, *obj, *parent,
|
||||||
sp + stackIndex - fp->base());
|
sp + stackIndex - fp->base());
|
||||||
if (!withobj)
|
if (!withobj)
|
||||||
|
@ -186,26 +186,15 @@ obj_setProto(JSContext *cx, JSObject *obj, jsid id, JSBool strict, Value *vp)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!vp->isObjectOrNull())
|
if (!vp->isObjectOrNull())
|
||||||
return JS_TRUE;
|
return true;
|
||||||
|
|
||||||
JSObject *pobj = vp->toObjectOrNull();
|
JSObject *pobj = vp->toObjectOrNull();
|
||||||
if (pobj) {
|
|
||||||
/*
|
|
||||||
* Innerize pobj here to avoid sticking unwanted properties on the
|
|
||||||
* outer object. This ensures that any with statements only grant
|
|
||||||
* access to the inner object.
|
|
||||||
*/
|
|
||||||
OBJ_TO_INNER_OBJECT(cx, pobj);
|
|
||||||
if (!pobj)
|
|
||||||
return JS_FALSE;
|
|
||||||
}
|
|
||||||
|
|
||||||
uintN attrs;
|
uintN attrs;
|
||||||
id = ATOM_TO_JSID(cx->runtime->atomState.protoAtom);
|
id = ATOM_TO_JSID(cx->runtime->atomState.protoAtom);
|
||||||
if (!CheckAccess(cx, obj, id, JSAccessMode(JSACC_PROTO|JSACC_WRITE), vp, &attrs))
|
if (!CheckAccess(cx, obj, id, JSAccessMode(JSACC_PROTO|JSACC_WRITE), vp, &attrs))
|
||||||
return JS_FALSE;
|
return false;
|
||||||
|
|
||||||
return SetProto(cx, obj, pobj, JS_TRUE);
|
return SetProto(cx, obj, pobj, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
#else /* !JS_HAS_OBJ_PROTO_PROP */
|
#else /* !JS_HAS_OBJ_PROTO_PROP */
|
||||||
|
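Review bot: After this change `pobj` goes from `vp->toObjectOrNull()` straight into `SetProto`, with no comment saying that skipping innerization is deliberate; the removed block held the only explanation of how inner and outer objects are treated here. A later reader could reintroduce `OBJ_TO_INNER_OBJECT` at this spot, and only a debug build would catch it through the assertions this commit adds elsewhere. I would add above the `pobj` declaration: `/* Do not innerize pobj: inner objects may not appear on prototype chains. */`. obj_setProto starts before this hunk, so anything done to `vp` earlier in the function is not visible here.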