Bug 1210570 - Ensure that ToPrimitive(location) is not spoofable. r=bz.

--HG-- extra : commitid : 2rz0SkgNFBy extra : rebase_source : cc7551193fb3a81cb6d7b69535eb152335a6cda4
2024-10-19 08:15:31 +00:00 · 2015-10-06 10:42:17 -05:00 · 2015-10-06 10:42:17 -05:00 · 0fed3b5351
commit 0fed3b5351
parent fbd43ff82a
2 changed files with 13 additions and 3 deletions
--- a/dom/bindings/Codegen.py
+++ b/dom/bindings/Codegen.py
@ -3345,11 +3345,18 @@ def InitUnforgeablePropertiesOnHolder(descriptor, properties, failureCode):
                            "nsContentUtils::ThreadsafeIsCallerChrome()"))

    if descriptor.interface.getExtendedAttribute("Unforgeable"):
-        # We do our undefined toJSON here, not as a regular property
-        # because we don't have a concept of value props anywhere in IDL.
+        # We do our undefined toJSON and toPrimitive here, not as a regular
+        # property because we don't have a concept of value props anywhere in
+        # IDL.
        unforgeables.append(CGGeneric(fill(
            """
-            if (!JS_DefineProperty(aCx, unforgeableHolder, "toJSON", JS::UndefinedHandleValue,
+            JS::RootedId toPrimitive(aCx,
+              SYMBOL_TO_JSID(JS::GetWellKnownSymbol(aCx, JS::SymbolCode::toPrimitive)));
+            if (!JS_DefinePropertyById(aCx, unforgeableHolder, toPrimitive,
+                                       JS::UndefinedHandleValue,
+                                       JSPROP_READONLY | JSPROP_PERMANENT) ||
+                !JS_DefineProperty(aCx, unforgeableHolder, "toJSON",
+                                   JS::UndefinedHandleValue,
                                   JSPROP_READONLY | JSPROP_ENUMERATE | JSPROP_PERMANENT)) {
              $*{failureCode}
            }
--- a/js/xpconnect/tests/mochitest/test_bug793969.html
+++ b/js/xpconnect/tests/mochitest/test_bug793969.html
@ -44,6 +44,9 @@ Object.prototype.valueOf = function() { return 'hah'; };
 is(({}).valueOf(), 'hah', "Shadowing on Object.prototype works for vanilla objects");
 is(location.valueOf(), location, "Shadowing on Object.prototype and Location.prototype doesn't for location objects");

+location[Symbol.toPrimitive] = function() { return 'hah'; }
+is(location + "", location.toString(), "Should't be able to shadow with toPrimitive");
+
 </script>
 </pre>
 </body>