Do not innerize an object assigned to __proto__ or used as the target of a with statement. Bug 719841, r=mrbkap.
parent
814e3ad8bc
commit
bc4e554f2e
@ -5662,6 +5662,9 @@ JSObject::splicePrototype(JSContext *cx, JSObject *proto)
|
||||
*/
|
||||
JS_ASSERT_IF(cx->typeInferenceEnabled(), hasSingletonType());
|
||||
|
||||
/* Inner objects may not appear on prototype chains. */
|
||||
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
|
||||
|
||||
/*
|
||||
* Force type instantiation when splicing lazy types. This may fail,
|
||||
* in which case inference will be disabled for the compartment.
|
||||
|
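Review bot: The new `JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);` in splicePrototype, and the identical line in the TypeObject constructor hunk, are the only visible enforcement of "inner objects may not appear on prototype chains", and JS_ASSERT checks are compiled out of release builds. Because the same commit stops innerizing in obj_setProto, the comment should say who guarantees the invariant, for example `/* Inner objects may not appear on prototype chains; callers only ever hold the outer object. */`, if that is the intended reasoning. If any caller can be reached with an inner object, a release-mode check that fails the operation would be safer than a debug-only assertion. splicePrototype's body starts and ends outside the hunk, so its other callers are not visible here.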
@ -1159,6 +1159,9 @@ inline TypeObject::TypeObject(JSObject *proto, bool function, bool unknown)
|
||||
{
|
||||
PodZero(this);
|
||||
|
||||
/* Inner objects may not appear on prototype chains. */
|
||||
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
|
||||
|
||||
this->proto = proto;
|
||||
|
||||
if (function)
|
||||
|
@ -994,10 +994,6 @@ EnterWith(JSContext *cx, jsint stackIndex)
|
||||
if (!parent)
|
||||
return JS_FALSE;
|
||||
|
||||
OBJ_TO_INNER_OBJECT(cx, obj);
|
||||
if (!obj)
|
||||
return JS_FALSE;
|
||||
|
||||
JSObject *withobj = WithObject::create(cx, fp, *obj, *parent,
|
||||
sp + stackIndex - fp->base());
|
||||
if (!withobj)
|
||||
|
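Review bot: With the `OBJ_TO_INNER_OBJECT(cx, obj);` step and its `if (!obj)` check gone from EnterWith (the hunk header counts indicate these are the removed lines), the `*obj` dereference in the `WithObject::create` call now depends entirely on a null check that sits above the hunk. A `JS_ASSERT(obj);` before the call, with a comment such as `/* The with target is deliberately not innerized (bug 719841). */`, would record both the precondition and the reason, so the innerization is not reintroduced later. EnterWith's body starts and ends outside the hunk.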
@ -186,26 +186,15 @@ obj_setProto(JSContext *cx, JSObject *obj, jsid id, JSBool strict, Value *vp)
|
||||
}
|
||||
|
||||
if (!vp->isObjectOrNull())
|
||||
return JS_TRUE;
|
||||
return true;
|
||||
|
||||
JSObject *pobj = vp->toObjectOrNull();
|
||||
if (pobj) {
|
||||
/*
|
||||
* Innerize pobj here to avoid sticking unwanted properties on the
|
||||
* outer object. This ensures that any with statements only grant
|
||||
* access to the inner object.
|
||||
*/
|
||||
OBJ_TO_INNER_OBJECT(cx, pobj);
|
||||
if (!pobj)
|
||||
return JS_FALSE;
|
||||
}
|
||||
|
||||
uintN attrs;
|
||||
id = ATOM_TO_JSID(cx->runtime->atomState.protoAtom);
|
||||
if (!CheckAccess(cx, obj, id, JSAccessMode(JSACC_PROTO|JSACC_WRITE), vp, &attrs))
|
||||
return JS_FALSE;
|
||||
return false;
|
||||
|
||||
return SetProto(cx, obj, pobj, JS_TRUE);
|
||||
return SetProto(cx, obj, pobj, true);
|
||||
}
|
||||
|
||||
#else /* !JS_HAS_OBJ_PROTO_PROP */
|
||||
|
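Review bot: The block comment that goes away with the innerization in obj_setProto was the only statement of the security rationale for how `pobj` is treated, and the new side hands `pobj` to `SetProto` with no comment at all. I would add a replacement above the `JSObject *pobj = vp->toObjectOrNull();` line, something like `/* pobj may be an outer object; pass it to SetProto as-is and do not innerize it (bug 719841). */`. The function starts above the hunk, so whether an earlier comment already covers this is not visible here.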