Bug 809652 - Deny nativeCall for SecurityWrapper except under specific circumstances. r=jorendorff

This commit is contained in:
Bobby Holley 2012-12-20 22:33:26 -08:00
parent 4c226c845b
commit f681aaffe9
6 changed files with 41 additions and 5 deletions

View File

@ -795,11 +795,8 @@ SecurityWrapper<Base>::enter(JSContext *cx, JSObject *wrapper, jsid id,
SecurityWrapper<Base>::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
CallArgs args)
{
/*
* Let this through until compartment-per-global lets us have stronger
* invariants wrt document.domain (bug 714547).
*/
return Base::nativeCall(cx, test, impl, args);
JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_UNWRAP_DENIED);
return false;
}
template <class Base>

View File

@ -187,6 +187,13 @@ class JS_FRIEND_API(SecurityWrapper) : public Base
CallArgs args) MOZ_OVERRIDE;
virtual bool objectClassIs(JSObject *obj, ESClassValue classValue, JSContext *cx) MOZ_OVERRIDE;
virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g) MOZ_OVERRIDE;
/*
* Allow our subclasses to select the superclass behavior they want without
* needing to specify an exact superclass.
*/
typedef Base Permissive;
typedef SecurityWrapper<Base> Restrictive;
};
typedef SecurityWrapper<Wrapper> SameCompartmentSecurityWrapper;

View File

@ -446,6 +446,13 @@ ExposedPropertiesOnly::check(JSContext *cx, JSObject *wrapper, jsid id, Wrapper:
return true;
}
bool
ExposedPropertiesOnly::allowNativeCall(JSContext *cx, JS::IsAcceptableThis test,
JS::NativeImpl impl)
{
return js::IsReadOnlyDateMethod(test, impl) || js::IsTypedArrayThisCheck(test);
}
bool
ComponentsObjectPolicy::check(JSContext *cx, JSObject *wrapper, jsid id, Wrapper::Action act)
{

View File

@ -51,6 +51,11 @@ struct OnlyIfSubjectIsSystem : public Policy {
AccessCheck::deny(cx, id);
return false;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
{
return AccessCheck::isSystemOnlyAccessPermitted(cx);
}
};
// This policy only permits access to properties that are safe to be used
@ -63,6 +68,10 @@ struct CrossOriginAccessiblePropertiesOnly : public Policy {
AccessCheck::deny(cx, id);
return false;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl)
{
return false;
}
};
// This policy only permits access to properties if they appear in the
@ -78,6 +87,7 @@ struct ExposedPropertiesOnly : public Policy {
AccessCheck::deny(cx, id);
return false;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl);
};
// Components specific policy
@ -88,6 +98,9 @@ struct ComponentsObjectPolicy : public Policy {
AccessCheck::deny(cx, id);
return false;
}
static bool allowNativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl) {
return false;
}
};
}

View File

@ -113,6 +113,16 @@ FilteringWrapper<Base, Policy>::iterate(JSContext *cx, JSObject *wrapper, unsign
return js::BaseProxyHandler::iterate(cx, wrapper, flags, vp);
}
template <typename Base, typename Policy>
bool
FilteringWrapper<Base, Policy>::nativeCall(JSContext *cx, JS::IsAcceptableThis test,
JS::NativeImpl impl, JS::CallArgs args)
{
if (Policy::allowNativeCall(cx, test, impl))
return Base::Permissive::nativeCall(cx, test, impl, args);
return Base::Restrictive::nativeCall(cx, test, impl, args);
}
template <typename Base, typename Policy>
bool
FilteringWrapper<Base, Policy>::enter(JSContext *cx, JSObject *wrapper, jsid id,

View File

@ -25,6 +25,8 @@ class FilteringWrapper : public Base {
virtual bool enumerate(JSContext *cx, JSObject *wrapper, js::AutoIdVector &props) MOZ_OVERRIDE;
virtual bool keys(JSContext *cx, JSObject *wrapper, js::AutoIdVector &props) MOZ_OVERRIDE;
virtual bool iterate(JSContext *cx, JSObject *proxy, unsigned flags, js::Value *vp) MOZ_OVERRIDE;
virtual bool nativeCall(JSContext *cx, JS::IsAcceptableThis test, JS::NativeImpl impl,
JS::CallArgs args) MOZ_OVERRIDE;
virtual bool enter(JSContext *cx, JSObject *wrapper, jsid id, js::Wrapper::Action act, bool *bp) MOZ_OVERRIDE;