diff --git a/lib/libmocha/lm.h b/lib/libmocha/lm.h
index 0f0a4f7d4dd7..c36054804821 100644
--- a/lib/libmocha/lm.h
+++ b/lib/libmocha/lm.h
@@ -673,7 +673,7 @@ lm_SetExternalCapture(JSContext *cx, JSPrincipals *principals, JSBool b);
 extern JSBool
-lm_AddSetParentSecurityCheck(JSContext *cx, JSObject *obj);
+lm_CheckSetParentSlot(JSContext *cx, JSObject *obj, jsval id, jsval *vp);
 extern JSBool
 lm_SetDocumentDomain(JSContext *cx, JSPrincipals *principals,
diff --git a/lib/libmocha/lm_layer.c b/lib/libmocha/lm_layer.c
index c0b10a9d8ea8..29d6a0a5c240 100644
--- a/lib/libmocha/lm_layer.c
+++ b/lib/libmocha/lm_layer.c
@@ -1033,10 +1033,20 @@ layer_finalize(JSContext *cx, JSObject *obj)
 JS_free(cx, js_layer);
 }
+JSBool layer_check_access(JSContext *cx, JSObject *obj, jsval id,
+ JSAccessMode mode, jsval *vp)
+{
+ if(mode == JSACC_PARENT) {
+ return lm_CheckSetParentSlot(cx, obj, id, vp);
+ }
+ return JS_TRUE;
+}
+
 JSClass lm_layer_class = {
 "Layer", JSCLASS_HAS_PRIVATE,
 JS_PropertyStub, JS_PropertyStub, layer_getProperty, layer_setProperty,
- JS_EnumerateStub, layer_resolve_name, JS_ConvertStub, layer_finalize
+ JS_EnumerateStub, layer_resolve_name, JS_ConvertStub, layer_finalize,
+ NULL, layer_check_access
 };
 /* JS native method:
diff --git a/lib/libmocha/lm_taint.c b/lib/libmocha/lm_taint.c
index e4c6df8cd903..605a302af441 100644
--- a/lib/libmocha/lm_taint.c
+++ b/lib/libmocha/lm_taint.c
@@ -916,10 +916,7 @@ lm_GetInnermostPrincipals(JSContext *cx, JSObject *container,
 return (JSPrincipals *) &unknownPrincipals;
 }
-static JSPropertyOp oldParentSlotSetter = NULL;
-
-PR_STATIC_CALLBACK(JSBool)
-setParentSlot(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
+JSBool lm_CheckSetParentSlot(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
 {
 JSObject *newParent;
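Review bot: `lm_CheckSetParentSlot` joins the exported lm.h interface with no comment on its contract, and unlike the old name it does not say how it is meant to be reached. A comment above the prototype would spare the next caller a trip through lm_taint.c: `/* Helper for JSClass.checkAccess hooks handling the JSACC_PARENT mode: vets a change of obj's __parent__ slot; JS_FALSE denies it. */`. Whether the helper is also expected to run for reads of the slot is stated nowhere; record that here once it is decided.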
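Review bot: `layer_check_access` compares `mode == JSACC_PARENT` exactly, so if the engine ORs JSACC_WRITE into the mode when the slot is being set (I believe SpiderMonkey's slot setter does, with reads passing the bare type), the check never fires for the write it is meant to guard and fires instead for plain reads of `__parent__`, which the removed setter interception never touched. Test only the type bits, e.g. `if ((mode & JSACC_TYPEMASK) == JSACC_PARENT)` if that mask exists in this tree, and decide explicitly whether reads should be vetted at all. The function also has external linkage with no prototype and is byte-for-byte the same as `win_check_access` in the lm_win.c hunk; the hook this commit removes was declared with `PR_STATIC_CALLBACK(JSBool)`, and one shared callback of that form in lm_taint.c (or a `static` here) would keep the two classes from drifting. The `NULL` before `layer_check_access` in the initializer is positional and deserves a comment naming the slot it fills, presumably getObjectOps.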
@@ -945,44 +942,9 @@ setParentSlot(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
 lm_SetContainerPrincipals(cx, obj, principals);
 }
 }
- return (*oldParentSlotSetter)(cx, obj, id, vp);
-}
-
-JSBool
-lm_AddSetParentSecurityCheck(JSContext *cx, JSObject *obj)
-{
- JSAtom *atom;
- JSObject *proto;
- static char parentName[] = "__parent__";
- JSProperty *prop;
- JSBool ok;
-
- /*
- * Set up to intercept attempts to set __parent__. We need to check
- * that an evil script is not changing the parent links so that it
- * gains access to restricted information.
- */
- proto = obj;
- for(;;) {
- JSObject *next = JS_GetPrototype(cx, proto);
- if (next == NULL)
- break;
- proto = next;
- }
- atom = js_Atomize(cx, parentName, sizeof(parentName)-1, 0);
- if (atom == NULL)
- return JS_FALSE;
- ok = js_LookupProperty(cx, proto, (jsval)atom, NULL, &prop);
- js_DropAtom(cx, atom);
- if (!ok || prop == NULL)
- return JS_FALSE;
- if (oldParentSlotSetter == NULL)
- oldParentSlotSetter = prop->setter;
- prop->setter = setParentSlot;
 return JS_TRUE;
 }
-
 static JSBool
 canExtendTrust(JSContext *cx, void *from, void *to)
 {
@@ -1022,9 +984,12 @@ lm_CheckContainerAccess(JSContext *cx, JSObject *obj, MochaDecoder *decoder,
 JSPrincipalsList *list;
 const char *fn;
- principals = decoder->principals
- ? lm_GetInnermostPrincipals(decoder->js_context, obj, NULL)
- : NULL;
+ if(decoder->principals) {
+ principals = lm_GetInnermostPrincipals(decoder->js_context, obj, NULL);
+ } else {
+ principals = NULL;
+ }
+
 if (principals == NULL) {
 /*
 * Attempt to access container before container has any scripts.
diff --git a/lib/libmocha/lm_win.c b/lib/libmocha/lm_win.c
index aa0ffa6bf320..b8708ddcbe20 100644
--- a/lib/libmocha/lm_win.c
+++ b/lib/libmocha/lm_win.c
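Review bot: With `lm_AddSetParentSecurityCheck` gone, `lm_CheckSetParentSlot` is reached only from the checkAccess hooks that the lm_layer.c and lm_win.c hunks register, whereas the removed code patched the `__parent__` setter on the root prototype and therefore covered every object in the context. Any other libmocha class whose objects carry principals, or sit on the scope chain between a script and a Window or Layer, now gets the engine's default answer when its `__parent__` is reassigned; confirm no such class exists, or give it the same hook. The body of `lm_CheckSetParentSlot` starts in the previous hunk, so the denial paths are not visible here; the tail shown here returns JS_TRUE unconditionally after `lm_SetContainerPrincipals`, which is only right if every denial has already returned above. A short comment at that `return JS_TRUE;` saying the access was vetted earlier in the function would make that intent checkable.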
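Review bot: The new `if(decoder->principals) {` drops the space the surrounding code uses (`if (principals == NULL) {` a few lines below and throughout the removed block); write `if (decoder->principals) {`. The same `if(` spelling appears in `if(mode == JSACC_PARENT)` in the lm_layer.c and lm_win.c hunks.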
@@ -739,10 +739,20 @@ win_finalize(JSContext *cx, JSObject *obj)
 DROP_BACK_COUNT(decoder);
 }
+JSBool win_check_access(JSContext *cx, JSObject *obj, jsval id,
+ JSAccessMode mode, jsval *vp)
+{
+ if(mode == JSACC_PARENT) {
+ return lm_CheckSetParentSlot(cx, obj, id, vp);
+ }
+ return JS_TRUE;
+}
+
 JSClass lm_window_class = {
 "Window", JSCLASS_HAS_PRIVATE,
 JS_PropertyStub, JS_PropertyStub, win_getProperty, win_setProperty,
- win_list_properties, win_resolve_name, JS_ConvertStub, win_finalize
+ win_list_properties, win_resolve_name, JS_ConvertStub, win_finalize,
+ NULL, win_check_access
 };
 /*
@@ -3279,9 +3289,6 @@ lm_InitWindowContent(MochaDecoder *decoder)
 if (!JS_InitStandardClasses(cx, obj))
 return JS_FALSE;
- if (!lm_AddSetParentSecurityCheck(cx, obj))
- return JS_FALSE;
-
 #ifdef JAVA
 if (JSJ_IsEnabled() && !JSJ_InitContext(cx, obj))
 return JS_FALSE;