mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-17 23:35:34 +00:00
Bug 860494 - Check for native properties before checking named children on XOWs. r=bz
parent
820adfebdf
commit
416b2c4c8c
@ -209,7 +209,7 @@ IsWindow(const char *name)
|
||||
}
|
||||
|
||||
bool
|
||||
AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapper, jsid id,
|
||||
AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapperArg, jsid idArg,
|
||||
Wrapper::Action act)
|
||||
{
|
||||
if (!XPCWrapper::GetSecurityManager())
|
||||
@ -218,7 +218,9 @@ AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapper, jsid
|
||||
if (act == Wrapper::CALL)
|
||||
return true;
|
||||
|
||||
JSObject *obj = Wrapper::wrappedObject(wrapper);
|
||||
RootedId id(cx, idArg);
|
||||
RootedObject wrapper(cx, wrapperArg);
|
||||
RootedObject obj(cx, Wrapper::wrappedObject(wrapper));
|
||||
|
||||
const char *name;
|
||||
js::Class *clasp = js::GetObjectClass(obj);
|
||||
@ -233,7 +235,20 @@ AccessCheck::isCrossOriginAccessPermitted(JSContext *cx, JSObject *wrapper, jsid
|
||||
return true;
|
||||
}
|
||||
|
||||
return IsWindow(name) && IsFrameId(cx, obj, id);
|
||||
// Check for frame IDs. If we're resolving named frames, make sure to only
|
||||
// resolve ones that don't shadow native properties. See bug 860494.
|
||||
if (IsWindow(name)) {
|
||||
if (JSID_IS_STRING(id) && !XrayUtils::IsXrayResolving(cx, wrapper, id)) {
|
||||
bool wouldShadow = false;
|
||||
if (!XrayUtils::HasNativeProperty(cx, wrapper, id, &wouldShadow) ||
|
||||
wouldShadow)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return IsFrameId(cx, obj, id);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
bool
|
||||
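Review bot: In the new `IsWindow(name)` branch, a failed `XrayUtils::HasNativeProperty` call and a true `wouldShadow` share one `return false`, so a lookup failure reaches the caller as an ordinary denial. Denying is the safe direction for a cross-origin check. But if the failing resolve left an exception pending on `cx` (not visible here), this bool predicate returns with it still set, and it can surface later at an unrelated point. Consider handling the failure case separately with `JS_ClearPendingException(cx);` before `return false;`, plus a comment that the error is deliberately swallowed and access is denied. The body of `isCrossOriginAccessPermitted` begins above these hunks, so the earlier permit paths are not reviewed here.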
|
@ -27,6 +27,7 @@
|
||||
|
||||
using namespace mozilla::dom;
|
||||
using namespace JS;
|
||||
using namespace mozilla;
|
||||
|
||||
using js::PropertyDescriptor;
|
||||
using js::Wrapper;
|
||||
@ -1350,6 +1351,45 @@ IsXrayResolving(JSContext *cx, HandleObject wrapper, HandleId id)
|
||||
return XPCWrappedNativeXrayTraits::isResolving(cx, holder, id);
|
||||
}
|
||||
|
||||
bool
|
||||
HasNativeProperty(JSContext *cx, HandleObject wrapper, HandleId id, bool *hasProp)
|
||||
{
|
||||
MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper));
|
||||
XrayTraits *traits = GetXrayTraits(wrapper);
|
||||
MOZ_ASSERT(traits);
|
||||
RootedObject holder(cx, traits->ensureHolder(cx, wrapper));
|
||||
NS_ENSURE_TRUE(holder, false);
|
||||
*hasProp = false;
|
||||
JSPropertyDescriptor desc;
|
||||
Wrapper *handler = Wrapper::wrapperHandler(wrapper);
|
||||
|
||||
// Try resolveOwnProperty.
|
||||
Maybe<ResolvingId> resolvingId;
|
||||
if (traits == &XPCWrappedNativeXrayTraits::singleton)
|
||||
resolvingId.construct(wrapper, id);
|
||||
if (!traits->resolveOwnProperty(cx, *handler, wrapper, holder, id, &desc, 0))
|
||||
return false;
|
||||
if (desc.obj) {
|
||||
*hasProp = true;
|
||||
return true;
|
||||
}
|
||||
|
||||
// Try the holder.
|
||||
JSBool found = false;
|
||||
if (!JS_AlreadyHasOwnPropertyById(cx, holder, id, &found))
|
||||
return false;
|
||||
if (found) {
|
||||
*hasProp = true;
|
||||
return true;
|
||||
}
|
||||
|
||||
// Try resolveNativeProperty.
|
||||
if (!traits->resolveNativeProperty(cx, wrapper, holder, id, &desc, 0))
|
||||
return false;
|
||||
*hasProp = !!desc.obj;
|
||||
return true;
|
||||
}
|
||||
|
||||
} // namespace XrayUtils
|
||||
|
||||
static JSBool
|
||||
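Review bot: `HasNativeProperty` enforces its Xray-wrapper precondition only through `MOZ_ASSERT(WrapperFactory::IsXrayWrapper(wrapper))` and `MOZ_ASSERT(traits)`, then dereferences `traits` in `traits->ensureHolder(cx, wrapper)`. Those asserts do not run in release builds, and the function is now reached from the cross-origin access check. If `GetXrayTraits` yields null for an unexpected wrapper, the result is a null dereference rather than a denied access. Unless every caller guarantees the precondition structurally, a release-mode guard such as `if (!traits) return false;` keeps that case on the deny path. Separately, `desc.obj` is read without `desc` being initialized in this function. Whether `resolveOwnProperty` always sets it is not visible in this hunk, so `desc.obj = NULL;` right after the declaration would make the dependency explicit.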
|
@ -41,6 +41,9 @@ GetNativePropertiesObject(JSContext *cx, JSObject *wrapper);
|
||||
bool
|
||||
IsXrayResolving(JSContext *cx, JSHandleObject wrapper, JSHandleId id);
|
||||
|
||||
bool
|
||||
HasNativeProperty(JSContext *cx, JSHandleObject wrapper, JSHandleId id,
|
||||
bool *hasProp);
|
||||
}
|
||||
|
||||
class XrayTraits;
|
||||
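Review bot: The new `HasNativeProperty` declaration carries no comment, and its two booleans are easy to confuse. Judging from the definition, the return value reports whether the lookup itself succeeded, while `*hasProp` carries the answer. A caller that tests only one of them would get the shadowing decision wrong. A short contract comment above the declaration would help, e.g. `// Returns false if the lookup fails; on success, *hasProp says whether |id| names a native property on the Xray |wrapper|.` It would also be worth stating there that `wrapper` must be an Xray wrapper, since the definition only asserts it.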
|