Do not innerize an object assigned to __proto__ or used as the target of a with statement. Bug 719841, r=mrbkap.

Bobby Holley ext:(%2C%20Jason%20Orendorff%20%3Cjorendorff%40mozilla.com%3E) 2012-01-27 14:16:27 -06:00
parent 814e3ad8bc
commit bc4e554f2e
4 changed files with 9 additions and 18 deletions


@ -5662,6 +5662,9 @@ JSObject::splicePrototype(JSContext *cx, JSObject *proto)
*/
JS_ASSERT_IF(cx->typeInferenceEnabled(), hasSingletonType());
/* Inner objects may not appear on prototype chains. */
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
/*
* Force type instantiation when splicing lazy types. This may fail,
* in which case inference will be disabled for the compartment.
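Review bot: The new `JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);` is a debug-only assertion, so in release builds nothing at this point rejects a prototype whose class carries an outerObject hook; the identical line added in the TypeObject constructor hunk has the same limitation. The comment above it speaks of "inner objects" while the expression tests the class's outerObject hook, which a reader unfamiliar with the inner/outer convention will not connect. Suggest `/* Inner objects (classes with an outerObject hook) may not appear on prototype chains. Debug-only check. */` in both places. splicePrototype's body continues outside the hunk.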


@ -1159,6 +1159,9 @@ inline TypeObject::TypeObject(JSObject *proto, bool function, bool unknown)
{
PodZero(this);
/* Inner objects may not appear on prototype chains. */
JS_ASSERT_IF(proto, !proto->getClass()->ext.outerObject);
this->proto = proto;
if (function)


@ -994,10 +994,6 @@ EnterWith(JSContext *cx, jsint stackIndex)
if (!parent)
return JS_FALSE;
OBJ_TO_INNER_OBJECT(cx, obj);
if (!obj)
return JS_FALSE;
JSObject *withobj = WithObject::create(cx, fp, *obj, *parent,
sp + stackIndex - fp->base());
if (!withobj)


@ -186,26 +186,15 @@ obj_setProto(JSContext *cx, JSObject *obj, jsid id, JSBool strict, Value *vp)
}
if (!vp->isObjectOrNull())
return JS_TRUE;
return true;
JSObject *pobj = vp->toObjectOrNull();
if (pobj) {
/*
* Innerize pobj here to avoid sticking unwanted properties on the
* outer object. This ensures that any with statements only grant
* access to the inner object.
*/
OBJ_TO_INNER_OBJECT(cx, pobj);
if (!pobj)
return JS_FALSE;
}
uintN attrs;
id = ATOM_TO_JSID(cx->runtime->atomState.protoAtom);
if (!CheckAccess(cx, obj, id, JSAccessMode(JSACC_PROTO|JSACC_WRITE), vp, &attrs))
return JS_FALSE;
return false;
return SetProto(cx, obj, pobj, JS_TRUE);
return SetProto(cx, obj, pobj, true);
}
#else /* !JS_HAS_OBJ_PROTO_PROP */
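Review bot: With the innerization block removed, `pobj` reaches `return SetProto(cx, obj, pobj, true);` exactly as the caller supplied it, and none of the new lines records why that is now acceptable; the deleted comment was the only place that explained the old concern (properties landing on the outer object, with statements granting access to it), so a reader of the new code has nothing to go on. A one-line comment before the call, e.g. `/* pobj is deliberately not innerized; see bug 719841. */`, would keep the intent visible. Note that the only remaining runtime gate on this path is the `CheckAccess` call; the prototype-chain assertions added elsewhere in this commit use `JS_ASSERT_IF` and compile out in release builds, so they should not be read as enforcement. obj_setProto begins before the hunk.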