bug 311892: Add some (awful, gross) checks. r=brendan

2024-10-11 04:15:43 +00:00 · 2005-10-14 19:05:43 +00:00 · 2005-10-14 19:05:43 +00:00 · 44834d9757
commit 44834d9757
parent 15edb5c281
3 changed files with 37 additions and 1 deletions
--- a/js/src/jsobj.c
+++ b/js/src/jsobj.c
@ -1064,6 +1064,31 @@ CheckEvalAccess(JSContext *cx, JSObject *scopeobj, JSPrincipals *principals)
    return JS_TRUE;
 }

+JSBool
+js_CheckScopeChainValidity(JSContext *cx, JSObject *scopeobj, const char *caller)
+{
+    JSClass *clasp;
+    JSExtendedClass *xclasp;
+
+    /* XXX This is an awful gross hack. */
+    while (scopeobj) {
+        clasp = OBJ_GET_CLASS(cx, scopeobj);
+        if (clasp->flags & JSCLASS_IS_EXTENDED) {
+            xclasp = (JSExtendedClass*)clasp;
+            if (xclasp->innerObject &&
+                xclasp->innerObject(cx, scopeobj) != scopeobj) {
+                JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
+                                     JSMSG_BAD_INDIRECT_CALL, caller);
+                return JS_FALSE;
+            }
+        }
+
+        scopeobj = OBJ_GET_PARENT(cx, scopeobj);
+    }
+
+    return JS_TRUE;
+}
+
 static JSBool
 obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
@ -1157,6 +1182,9 @@ obj_eval(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
    if (!scopeobj)
        return JS_FALSE;

+    if (!js_CheckScopeChainValidity(cx, scopeobj, js_eval_str))
+        return JS_FALSE;
+
    str = JSVAL_TO_STRING(argv[0]);
    if (caller) {
        file = caller->script->filename;
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -488,6 +488,9 @@ js_GetRequiredSlot(JSContext *cx, JSObject *obj, uint32 slot);
 extern JSBool
 js_SetRequiredSlot(JSContext *cx, JSObject *obj, uint32 slot, jsval v);

+extern JSBool
+js_CheckScopeChainValidity(JSContext *cx, JSObject *scopeobj, const char *caller);
+
 JS_END_EXTERN_C

 #endif /* jsobj_h___ */
--- a/js/src/jsscript.c
+++ b/js/src/jsscript.c
@ -64,6 +64,8 @@

 #if JS_HAS_SCRIPT_OBJECT

+static const char js_script_exec[] = "Script.prototype.exec";
+
 #if JS_HAS_TOSOURCE
 static JSBool
 script_toSource(JSContext *cx, JSObject *obj, uintN argc, jsval *argv,
@ -310,6 +312,9 @@ script_exec(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
    if (!scopeobj)
        return JS_FALSE;

+    if (!js_CheckScopeChainValidity(cx, scopeobj, js_script_exec))
+        return JS_FALSE;
+
    /* Belt-and-braces: check that this script object has access to scopeobj. */
    principals = script->principals;
    rt = cx->runtime;
@ -319,7 +324,7 @@ script_exec(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
            !principals->subsume(principals, scopePrincipals)) {
            JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
                                 JSMSG_BAD_INDIRECT_CALL,
-                                 "Script.prototype.exec");
+                                 js_script_exec);
            return JS_FALSE;
        }
    }