Fixing bug 377356. Move code around to ensure security checks are always done against the right object. r+sr=bzbarsky@mit.edu

This commit is contained in:
jst@mozilla.org 2007-04-16 16:11:15 -07:00
parent e499c7c3a7
commit 8e554b972d

View File

@ -6543,6 +6543,19 @@ nsEventReceiverSH::AddEventListenerHelper(JSContext *cx, JSObject *obj,
return JS_FALSE;
}
nsCOMPtr<nsIXPConnectWrappedNative> wrapper;
nsresult rv =
sXPConnect->GetWrappedNativeOfJSObject(cx, obj, getter_AddRefs(wrapper));
if (NS_FAILED(rv)) {
nsDOMClassInfo::ThrowJSException(cx, rv);
return JS_FALSE;
}
// Set obj to be the object on which we'll actually register the
// event listener.
wrapper->GetJSObject(&obj);
// Check that the caller has permission to call obj's addEventListener.
if (NS_FAILED(sSecMan->CheckPropertyAccess(cx, obj,
JS_GET_CLASS(cx, obj)->name,
@ -6559,15 +6572,6 @@ nsEventReceiverSH::AddEventListenerHelper(JSContext *cx, JSObject *obj,
return JS_FALSE;
}
nsCOMPtr<nsIXPConnectWrappedNative> wrapper;
nsresult rv =
sXPConnect->GetWrappedNativeOfJSObject(cx, obj, getter_AddRefs(wrapper));
if (NS_FAILED(rv)) {
nsDOMClassInfo::ThrowJSException(cx, rv);
return JS_FALSE;
}
if (JSVAL_IS_PRIMITIVE(argv[1])) {
// The second argument must be a function, or a
// nsIDOMEventListener. Throw an error.