Bug 1082450 - Deny access to accessor properties on COWs. r=gabor

2024-09-13 09:24:08 -07:00 · 2014-10-15 15:05:10 +02:00 · 2014-10-15 15:05:10 +02:00 · 68628555ce
commit 68628555ce
parent e57ca30c94
5 changed files with 11 additions and 28 deletions
--- a/js/xpconnect/tests/chrome/test_cows.xul
+++ b/js/xpconnect/tests/chrome/test_cows.xul
@ -277,14 +277,6 @@ function COWTests() {
        ok(false, "Readable function exposed props should be callable" + e);
    }

-    // Readables with getters
-    var obj = {
-        get prop() { return { __exposedProps__: {}, test: "FAIL" } },
-        __exposedProps__: {prop: 'r'}
-    };
-    is(getCOW(obj).prop.test, undefined, "getting prop.test shouldn't return anything");
-    ok(!("test" in getCOW(obj).prop), "getting prop.test shouldn't return anything");
-
    // Alien objects
    try {
        is(alienObject.funProp(1), 2,
--- a/js/xpconnect/tests/chrome/test_exposeInDerived.xul
+++ b/js/xpconnect/tests/chrome/test_exposeInDerived.xul
@ -27,8 +27,7 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=804630

  // Make a chrome object that exposes objects off its prototype.
  sb.proto = { read: 42, readWrite: 32, __exposedProps__: {} };
-  sb.proto.__defineSetter__('setterProp', function(val) { this._setterProp = val; });
-  sb.obj = { __exposedProps__: { read: 'r', readWrite: 'rw', setterProp: 'w' } };
+  sb.obj = { __exposedProps__: { read: 'r', readWrite: 'rw' } };
  sb.obj.__proto__ = sb.proto;

  // Make sure we can't access any of the properties on the prototype directly.
@ -36,16 +35,11 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=804630
  Cu.evalInSandbox('var wrote = false; ' +
                   'try { proto.readWrite = 12; wrote = true; } catch(e) {} ' +
                   ' ok(!wrote, "Should not write proto property");', sb);
-  Cu.evalInSandbox('var wrote = false; ' +
-                   'try { proto.setterProp = 12; wrote = true; } catch(e) {} ' +
-                   ' ok(!wrote, "Should not write proto setter");', sb);

  // Make sure we can access the exposed properties via the derived object.
  Cu.evalInSandbox('is(obj.read, 42, "obj.read accessible");', sb);
  Cu.evalInSandbox('is(obj.readWrite, 32, "obj.readWrite is readable");', sb);
  Cu.evalInSandbox('obj.readWrite = 8; is(obj.readWrite, 8, "obj.readWrite is writable");', sb);
-  Cu.evalInSandbox('obj.setterProp = 3;', sb);
-  is(sb.obj._setterProp, 3, "obj.setterProp works");

  ]]>
  </script>
--- a/js/xpconnect/tests/chrome/test_xrayToJS.xul
+++ b/js/xpconnect/tests/chrome/test_xrayToJS.xul
@ -113,13 +113,6 @@ https://bugzilla.mozilla.org/show_bug.cgi?id=933681
    var forwardingProxy = new iwin.Proxy(targetObject, new iwin.Object());
    is(global(forwardingProxy), iwin, "proxy global correct");
    is(Cu.waiveXrays(forwardingProxy).foo, 9, "forwards correctly");
-    // NB: COW-implemented proxy handlers are super dangerous, and we should not
-    // encourage them.
-    var handler = {get: function(target, name) { return name * 2; }, __exposedProps__: {get: 'r'}};
-    var doublingProxy = new iwin.Proxy(targetObject, handler);
-    is(global(doublingProxy), iwin, "doubling proxy global correct");
-    is(Cu.waiveXrays(doublingProxy)[3], 6, "Doubles correctly");
-    is(Cu.waiveXrays(doublingProxy)[20], 40, "Doubles correctly");

    // Test eval.
    var toEval = "({a: 2, b: {foo: 'bar'}, f: function() { return window; }})";
--- a/js/xpconnect/tests/unit/test_bug853709.js
+++ b/js/xpconnect/tests/unit/test_bug853709.js
@ -2,10 +2,6 @@ const Cu = Components.utils;

 function setupChromeSandbox() {
  this.chromeObj = {a: 2, __exposedProps__: {a: "rw", b: "rw"} };
-  this._b = 3;
-  Object.defineProperty(chromeObj, 'b', { configurable: true,
-                                          get: function() { return _b; },
-                                          set: function(val) { _b = val; } });
  this.chromeArr = [4, 2, 1];
  this.chromeArr["__exposedProps__"] = { "1": "rw" };
 }
@ -25,8 +21,6 @@ function run_test() {
  contentSB.chromeArr = chromeSB.chromeArr;

  do_check_eq(Cu.evalInSandbox('chromeObj.a', contentSB), 2);
-  do_check_eq(Cu.evalInSandbox('chromeObj.b', contentSB), 3);
-  do_check_eq(Cu.evalInSandbox('chromeObj.b = 4; chromeObj.b', contentSB), 4);
  do_check_eq(Cu.evalInSandbox('chromeArr[1]', contentSB), 2);

  checkDefineThrows(contentSB, 'chromeObj', 'a', {get: function() { return 2; }});
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@ -343,6 +343,16 @@ ExposedPropertiesOnly::check(JSContext *cx, HandleObject wrapper, HandleId id, W
        return false;
    }

+    // Inspect the property on the underlying object to check for red flags.
+    if (!JS_GetPropertyDescriptorById(cx, wrappedObject, id, &desc))
+        return false;
+
+    // Reject accessor properties.
+    if (desc.hasGetterOrSetter()) {
+        EnterAndThrow(cx, wrapper, "Exposing privileged accessor properties is prohibited");
+        return false;
+    }
+
    return true;
 }