Fixing bug 86147. Adding code that does security checks on access to getter and setter functions for properties of DOM objects in JS. Also fixing a JS engine bug that caused problems with the real fix for this bug, the JS engine bug was that a jsid was passed as a jsval to the checkAccess() class hook. r=mstolts@netscape.com, sr=brendan@mozilla.org

2025-02-28 05:10:49 +00:00 · 2001-07-04 09:44:57 +00:00 · 2001-07-04 09:44:57 +00:00 · 030da7b1b9
commit 030da7b1b9
parent 2009a34b03
2 changed files with 32 additions and 5 deletions
--- a/dom/src/base/nsDOMClassInfo.cpp
+++ b/dom/src/base/nsDOMClassInfo.cpp
@ -131,7 +131,8 @@ static NS_DEFINE_IID(kCPluginManagerCID, NS_PLUGINMANAGER_CID);
  nsIXPCScriptable::ALLOW_PROP_MODS_DURING_RESOLVE |                          \
  nsIXPCScriptable::ALLOW_PROP_MODS_TO_PROTOTYPE |                            \
  nsIXPCScriptable::DONT_ASK_INSTANCE_FOR_SCRIPTABLE |                        \
-  nsIXPCScriptable::DONT_REFLECT_INTERFACE_NAMES
+  nsIXPCScriptable::DONT_REFLECT_INTERFACE_NAMES |                            \
+  nsIXPCScriptable::WANT_CHECKACCESS

 #define DOM_DEFAULT_SCRIPTABLE_FLAGS                                          \
  DEFAULT_SCRIPTABLE_FLAGS |                                                  \
@ -946,9 +947,35 @@ nsDOMClassInfo::CheckAccess(nsIXPConnectWrappedNative *wrapper, JSContext *cx,
                            JSObject *obj, jsval id, PRUint32 mode,
                            jsval *vp, PRBool *_retval)
 {
-  NS_ERROR("Don't call me!");
+  if (mode == JSACC_WATCH) {
+    JSString *str = ::JS_ValueToString(cx, id);

-  return NS_ERROR_UNEXPECTED;
+    if (!str)
+      return NS_ERROR_UNEXPECTED;
+
+    jsval dummy;
+
+    if (!::JS_GetUCProperty(cx, obj, ::JS_GetStringChars(str),
+                            ::JS_GetStringLength(str), &dummy)) {
+      // We were unable to access the property, this most likely means
+      // that the security manager denied access to the property that
+      // the user tried to access (i.e. set a getter or setter on)
+      nsCOMPtr<nsIXPCNativeCallContext> cnccx;
+
+      sXPConnect->GetCurrentNativeCallContext(getter_AddRefs(cnccx));
+
+      if (cnccx) {
+        // Tell XPConnect that an exception was already thrown
+
+        cnccx->SetExceptionWasThrown(PR_TRUE);
+      }
+
+      // Let XPConnect know that the access was not granted.
+      *_retval = PR_FALSE;
+    }
+  }
+
+  return NS_OK;
 }

 NS_IMETHODIMP
--- a/js/src/jsobj.c
+++ b/js/src/jsobj.c
@ -3079,7 +3079,7 @@ js_CheckAccess(JSContext *cx, JSObject *obj, jsid id, JSAccessMode mode,
        *attrsp = 0;
        clasp = OBJ_GET_CLASS(cx, obj);
        return !clasp->checkAccess ||
-               clasp->checkAccess(cx, obj, id, mode, vp);
+               clasp->checkAccess(cx, obj, js_IdToValue(id), mode, vp);
    }
    if (!OBJ_IS_NATIVE(pobj)) {
        OBJ_DROP_PROPERTY(cx, pobj, prop);
@ -3093,7 +3093,7 @@ js_CheckAccess(JSContext *cx, JSObject *obj, jsid id, JSAccessMode mode,
    clasp = LOCKED_OBJ_GET_CLASS(obj);
    if (clasp->checkAccess) {
        JS_UNLOCK_OBJ(cx, pobj);
-        ok = clasp->checkAccess(cx, obj, id, mode, vp);
+        ok = clasp->checkAccess(cx, obj, js_IdToValue(id), mode, vp);
        JS_LOCK_OBJ(cx, pobj);
    } else {
        ok = JS_TRUE;