Bug 813901 - Validate __exposedProps__. r=mrbkap

This also involves modifying test_cows to deep clone in getCOW.

js/xpconnect/tests/chrome/test_cows.xul

@@ -27,6 +27,8 @@ var test_utils = window.QueryInterface(Ci.nsIInterfaceRequestor).
                  getInterface(Ci.nsIDOMWindowUtils);
 
 function getCOW(x) {
+  if (typeof x != 'object' && typeof x != 'function')
+    return x;
   var rval = {};
   if (typeof x == "function")
     rval = eval(uneval(x));
@@ -34,7 +36,7 @@ function getCOW(x) {
     if (x.__lookupGetter__(i))
       rval.__defineGetter__(i, eval(uneval(x.__lookupGetter__(i))))
     else
-      rval[i] = x[i];
+      rval[i] = getCOW(x[i]);
   }
   return rval;
 }

js/xpconnect/wrappers/AccessCheck.cpp

@@ -52,6 +52,12 @@ AccessCheck::subsumes(JSCompartment *a, JSCompartment *b)
     return subsumes;
 }
 
+bool
+AccessCheck::subsumes(JSObject *a, JSObject *b)
+{
+    return subsumes(js::GetObjectCompartment(a), js::GetObjectCompartment(b));
+}
+
 // Same as above, but ignoring document.domain.
 bool
 AccessCheck::subsumesIgnoringDomain(JSCompartment *a, JSCompartment *b)
@@ -382,6 +388,11 @@ ExposedPropertiesOnly::check(JSContext *cx, JSObject *wrapper, jsid id, Wrapper:
 
     JSObject *hallpass = &exposedProps.toObject();
 
+    if (!AccessCheck::subsumes(js::UnwrapObject(hallpass), wrappedObject)) {
+        EnterAndThrow(cx, wrapper, "Invalid __exposedProps__");
+        return false;
+    }
+
     Access access = NO_ACCESS;
 
     JSPropertyDescriptor desc;

js/xpconnect/wrappers/AccessCheck.h

@@ -19,6 +19,7 @@ namespace xpc {
 class AccessCheck {
   public:
     static bool subsumes(JSCompartment *a, JSCompartment *b);
+    static bool subsumes(JSObject *a, JSObject *b);
     static bool wrapperSubsumes(JSObject *wrapper);
     static bool subsumesIgnoringDomain(JSCompartment *a, JSCompartment *b);
     static bool isChrome(JSCompartment *compartment);