mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-08 19:04:45 +00:00
Bug 957688 - Remove checkObjectAccess security callback. r=mrbkap
There's no need for the JS shell stuff either, since vm/Runtime.cpp already sets up NullSecurityCallbacks by default.
parent
db1edc2054
commit
af7880d72a
@ -113,11 +113,6 @@ private:
|
||||
|
||||
bool SubjectIsPrivileged();
|
||||
|
||||
static bool
|
||||
CheckObjectAccess(JSContext *cx, JS::Handle<JSObject*> obj,
|
||||
JS::Handle<jsid> id, JSAccessMode mode,
|
||||
JS::MutableHandle<JS::Value> vp);
|
||||
|
||||
// Decides, based on CSP, whether or not eval() and stuff can be executed.
|
||||
static bool
|
||||
ContentSecurityPolicyPermitsJSAction(JSContext *cx);
|
||||
|
@ -412,43 +412,6 @@ nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(JSContext *cx)
|
||||
return evalOK;
|
||||
}
|
||||
|
||||
bool
|
||||
nsScriptSecurityManager::CheckObjectAccess(JSContext *cx, JS::Handle<JSObject*> obj,
|
||||
JS::Handle<jsid> id, JSAccessMode mode,
|
||||
JS::MutableHandle<JS::Value> vp)
|
||||
{
|
||||
// Get the security manager
|
||||
nsScriptSecurityManager *ssm =
|
||||
nsScriptSecurityManager::GetScriptSecurityManager();
|
||||
|
||||
NS_WARN_IF_FALSE(ssm, "Failed to get security manager service");
|
||||
if (!ssm)
|
||||
return false;
|
||||
|
||||
// Get the object being accessed. We protect these cases:
|
||||
// 1. The Function.prototype.caller property's value, which might lead
|
||||
// an attacker up a call-stack to a function or another object from
|
||||
// a different trust domain.
|
||||
// 2. A user-defined getter or setter function accessible on another
|
||||
// trust domain's window or document object.
|
||||
// vp can be a primitive, in that case, we use obj as the target
|
||||
// object.
|
||||
JSObject* target = JSVAL_IS_PRIMITIVE(vp) ? obj : JSVAL_TO_OBJECT(vp);
|
||||
|
||||
// Do the same-origin check -- this sets a JS exception if the check fails.
|
||||
// Pass the parent object's class name, as we have no class-info for it.
|
||||
nsresult rv =
|
||||
ssm->CheckPropertyAccess(cx, target, js::GetObjectClass(obj)->name, id,
|
||||
(mode & JSACC_WRITE) ?
|
||||
(int32_t)nsIXPCSecurityManager::ACCESS_SET_PROPERTY :
|
||||
(int32_t)nsIXPCSecurityManager::ACCESS_GET_PROPERTY);
|
||||
|
||||
if (NS_FAILED(rv))
|
||||
return false; // Security check failed (XXX was an error reported?)
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
// static
|
||||
bool
|
||||
nsScriptSecurityManager::JSPrincipalsSubsume(JSPrincipals *first,
|
||||
@ -1688,7 +1651,6 @@ nsresult nsScriptSecurityManager::Init()
|
||||
NS_ENSURE_SUCCESS(rv, rv);
|
||||
|
||||
static const JSSecurityCallbacks securityCallbacks = {
|
||||
CheckObjectAccess,
|
||||
ContentSecurityPolicyPermitsJSAction,
|
||||
JSPrincipalsSubsume,
|
||||
};
|
||||
|
@ -767,7 +767,6 @@ CreateJSContextForWorker(WorkerPrivate* aWorkerPrivate, JSRuntime* aRuntime)
|
||||
|
||||
// Security policy:
|
||||
static JSSecurityCallbacks securityCallbacks = {
|
||||
nullptr,
|
||||
ContentSecurityPolicyAllows
|
||||
};
|
||||
JS_SetSecurityCallbacks(aRuntime, &securityCallbacks);
|
||||
|
@ -3241,7 +3241,6 @@ extern JS_PUBLIC_API(void)
|
||||
JS_DropPrincipals(JSRuntime *rt, JSPrincipals *principals);
|
||||
|
||||
struct JSSecurityCallbacks {
|
||||
JSCheckAccessOp checkObjectAccess;
|
||||
JSCSPEvalChecker contentSecurityPolicyAllows;
|
||||
JSSubsumesOp subsumes;
|
||||
};
|
||||
|
@ -5424,83 +5424,6 @@ JS_EnumerateState(JSContext *cx, HandleObject obj, JSIterateOp enum_op,
|
||||
return true;
|
||||
}
|
||||
|
||||
bool
|
||||
js::CheckAccess(JSContext *cx, JSObject *obj_, HandleId id, JSAccessMode mode,
|
||||
MutableHandleValue vp, unsigned *attrsp)
|
||||
{
|
||||
bool writing;
|
||||
RootedObject obj(cx, obj_), pobj(cx);
|
||||
|
||||
while (JS_UNLIKELY(obj->is<WithObject>()))
|
||||
obj = obj->getProto();
|
||||
|
||||
writing = (mode & JSACC_WRITE) != 0;
|
||||
switch (mode & JSACC_TYPEMASK) {
|
||||
case JSACC_PROTO:
|
||||
pobj = obj;
|
||||
if (!writing) {
|
||||
RootedObject proto(cx);
|
||||
if (!JSObject::getProto(cx, obj, &proto))
|
||||
return false;
|
||||
vp.setObjectOrNull(proto);
|
||||
}
|
||||
*attrsp = JSPROP_PERMANENT;
|
||||
break;
|
||||
|
||||
default:
|
||||
RootedShape shape(cx);
|
||||
if (!JSObject::lookupGeneric(cx, obj, id, &pobj, &shape))
|
||||
return false;
|
||||
if (!shape) {
|
||||
if (!writing)
|
||||
vp.setUndefined();
|
||||
*attrsp = 0;
|
||||
pobj = obj;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!pobj->isNative()) {
|
||||
if (!writing) {
|
||||
vp.setUndefined();
|
||||
*attrsp = 0;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
*attrsp = GetShapeAttributes(shape);
|
||||
|
||||
if (!writing) {
|
||||
if (IsImplicitDenseElement(shape)) {
|
||||
vp.set(pobj->getDenseElement(JSID_TO_INT(id)));
|
||||
} else {
|
||||
if (shape->hasSlot())
|
||||
vp.set(pobj->nativeGetSlot(shape->slot()));
|
||||
else
|
||||
vp.setUndefined();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
JS_ASSERT_IF(*attrsp & JSPROP_READONLY, !(*attrsp & (JSPROP_GETTER | JSPROP_SETTER)));
|
||||
|
||||
/*
|
||||
* If obj's class has a stub (null) checkAccess hook, use the per-runtime
|
||||
* checkObjectAccess callback, if configured.
|
||||
*
|
||||
* We don't want to require all classes to supply a checkAccess hook; we
|
||||
* need that hook only for certain classes used when precompiling scripts
|
||||
* and functions ("brutal sharing"). But for general safety of built-in
|
||||
* magic properties like __proto__, we route all access checks, even for
|
||||
* classes that stub out checkAccess, through the global checkObjectAccess
|
||||
* hook. This covers precompilation-based sharing and (possibly
|
||||
* unintended) runtime sharing across trust boundaries.
|
||||
*/
|
||||
JSCheckAccessOp check = pobj->getClass()->checkAccess;
|
||||
if (!check)
|
||||
check = cx->runtime()->securityCallbacks->checkObjectAccess;
|
||||
return !check || check(cx, pobj, id, mode, vp);
|
||||
}
|
||||
|
||||
bool
|
||||
js::IsDelegate(JSContext *cx, HandleObject obj, const js::Value &v, bool *result)
|
||||
{
|
||||
|
@ -1533,10 +1533,6 @@ HasDataProperty(JSContext *cx, JSObject *obj, PropertyName *name, Value *vp)
|
||||
return HasDataProperty(cx, obj, NameToId(name), vp);
|
||||
}
|
||||
|
||||
extern bool
|
||||
CheckAccess(JSContext *cx, JSObject *obj, HandleId id, JSAccessMode mode,
|
||||
MutableHandleValue v, unsigned *attrsp);
|
||||
|
||||
extern bool
|
||||
IsDelegate(JSContext *cx, HandleObject obj, const Value &v, bool *result);
|
||||
|
||||
|
@ -5729,18 +5729,6 @@ MaybeOverrideOutFileFromEnv(const char* const envVar,
|
||||
}
|
||||
}
|
||||
|
||||
static bool
|
||||
CheckObjectAccess(JSContext *cx, HandleObject obj, HandleId id, JSAccessMode mode,
|
||||
MutableHandleValue vp)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
static const JSSecurityCallbacks securityCallbacks = {
|
||||
CheckObjectAccess,
|
||||
nullptr
|
||||
};
|
||||
|
||||
/* Pretend we can always preserve wrappers for dummy DOM objects. */
|
||||
static bool
|
||||
DummyPreserveWrapperCallback(JSContext *cx, JSObject *obj)
|
||||
@ -5967,7 +5955,6 @@ main(int argc, char **argv, char **envp)
|
||||
shellTrustedPrincipals.refcount = 1;
|
||||
|
||||
JS_SetTrustedPrincipals(rt, &shellTrustedPrincipals);
|
||||
JS_SetSecurityCallbacks(rt, &securityCallbacks);
|
||||
JS_SetOperationCallback(rt, ShellOperationCallback);
|
||||
JS::SetAsmJSCacheOps(rt, &asmJSCacheOps);
|
||||
|
||||
|