Closed
Bug 1260917
Opened 9 years ago
Closed 9 years ago
Sandbox needs to handle userContextId correctly
Categories
(Core :: DOM: Security, defect, P1)
Core
DOM: Security
Tracking
()
RESOLVED
FIXED
mozilla49
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | fixed |
People
(Reporter: huseby, Assigned: timhuang)
References
(Blocks 1 open bug)
Details
(Whiteboard: [userContextId][OA][domsecurity-active])
Attachments
(1 file, 3 obsolete files)
|
9.76 KB,
patch
|
timhuang
:
review+
|
Details | Diff | Splinter Review |
In the file Sandbox.cpp there is a call to CreateCodebasePrincipal here:
https://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/Sandbox.cpp#1240
The comments suggest that creating a sandbox from a string is deprecated. I think we need to force this issue. We need to either fix this function to properly pass origin attributes or we need to remove it from the code.
|
Reporter | |
Updated•9 years ago
|
Component: DOM → DOM: Security
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → tihuang
|
|
Assignee | |
Updated•9 years ago
|
Status: NEW → ASSIGNED
|
|
Reporter | |
Updated•9 years ago
|
Whiteboard: [userContextId] → [userContextId][OA]
|
||
Updated•9 years ago
|
Whiteboard: [userContextId][OA] → [userContextId][OA][domsecurity-active]
|
|
Assignee | |
Comment 1•9 years ago
|
||
The code here is used exclusively for creating sandbox with string URI, so I think there are two approaches to make this right depending on whether should we allow the origin suffix here. For one thing, if we do not allow the origin suffix been used when creating a sandbox, then we ought to use default contextual Id here, and it appears that the code here is correct. For another, if the origin suffix is allowed here, then we should use the populateFromOrigin to populate origin attributes from the URI.
However, I am not sure which behavior is proper here. What do you think, Dave?
Flags: needinfo?(huseby)
|
|
Reporter | |
Comment 2•9 years ago
|
||
I think the right thing to do here is to remove this function. The comments say that it is deprecated. In comment 1 I said that we need to force the issue. ni? bobby and/or bz and see if we can remove this.
Flags: needinfo?(huseby)
|
|
Assignee | |
Comment 3•9 years ago
|
||
Could we remove the function of creating a sandbox from string URL?
Flags: needinfo?(bzbarsky)
Flags: needinfo?(bobbyholley)
|
||
Comment 4•9 years ago
|
||
I suspect not without breaking lots of addons, but you should query the addons mxr to see how often it's used.
Flags: needinfo?(bzbarsky)
|
|
Assignee | |
Comment 5•9 years ago
|
||
|
|
Assignee | |
Comment 6•9 years ago
|
||
It looks like many addons use this feature, but most of them use this feature to open 'about:blank' [1]. And not only addons, but also many of our test codes utilize string URLs to create sandboxes. It could break lots of things if we simply remove this function.
[1] https://mxr.mozilla.org/addons/search?string=.sandbox
|
|
||
Comment 7•9 years ago
|
||
We can fix our test code, obviously. The addons situation is a bigger problem.
|
||
Comment 8•9 years ago
|
||
Creating sandboxes from strings is one of the most common things ever, so I don't think we should deprecate it.
We should obviously allow people to pass in a userContextId in the sandbox options. But aside from that I think that creating a sandbox is a kind of primitive operation (like creating a principal) where we need the caller to tell us the right thing to do.
Flags: needinfo?(bobbyholley)
|
|
Assignee | |
Comment 9•9 years ago
|
||
Attachment #8748100 -
Flags: review?(bobbyholley)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8748042 -
Attachment is obsolete: true
|
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8748100 [details] [diff] [review]
Add a 'userContextId' in the sandbox options, and sandbox will reference this when creating from string url.
Review of attachment 8748100 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/xpconnect/src/Sandbox.cpp
@@ +1235,5 @@
> * we use the related Codebase Principal for the sandbox.
> */
> bool
> +ParsePrincipal(JSContext* cx, HandleString codebase, nsIPrincipal** principal,
> + SandboxOptions& options)
Make this arg const, and put it before the nsIPrincipal** outparam.
@@ +1572,5 @@
> ParseJSString("addonId", &addonId) &&
> ParseBoolean("writeToGlobalPrototype", &writeToGlobalPrototype) &&
> ParseGlobalProperties() &&
> + ParseValue("metadata", &metadata) &&
> + ParseValue("userContextId", &userContextId);
This will need to be a newly-added ParseUInt32.
@@ +1655,5 @@
> bool isArray;
> if (!JS_IsArrayObject(cx, obj, &isArray)) {
> ok = false;
> } else if (isArray) {
> + ok = GetExpandedPrincipal(cx, obj, getter_AddRefs(expanded), options);
I don't think we should support nsEP construction with a userContextId. Let's just throw in this branch if options.userContextId != 0.
::: js/xpconnect/src/xpcprivate.h
@@ +3448,5 @@
> bool invisibleToDebugger;
> bool discardSource;
> GlobalProperties globalProperties;
> JS::RootedValue metadata;
> + JS::RootedValue userContextId;
Let's parse this directly to a unit32_t.
Attachment #8748100 -
Flags: review?(bobbyholley) → review-
|
|
Assignee | |
Comment 11•9 years ago
|
||
Attachment #8748451 -
Flags: review?(bobbyholley)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8748100 -
Attachment is obsolete: true
|
|
||
Comment 12•9 years ago
|
||
Comment on attachment 8748451 [details] [diff] [review]
patch-1260917-v2
Review of attachment 8748451 [details] [diff] [review]:
-----------------------------------------------------------------
r=me with those fixes.
::: js/xpconnect/src/Sandbox.cpp
@@ +1235,5 @@
> * we use the related Codebase Principal for the sandbox.
> */
> bool
> +ParsePrincipal(JSContext* cx, HandleString codebase, const SandboxOptions& options,
> + nsIPrincipal** principal)
Instead of passing the SandboxOptions, we should pass a const PrincipalOriginAttributes& aAttrs, and set them appropriately in the caller.
@@ +1659,5 @@
> + : nullptr);
> +
> + SandboxOptions options(cx, optionsObject);
> + if (calledWithOptions && !options.Parse())
> + return ThrowAndFail(NS_ERROR_INVALID_ARG, cx, _retval);
We can then declare the PrincipalOriginAttributes here, assign over the userContextId, and pass it to ParsePrincipal below.
@@ +1679,5 @@
> } else if (isArray) {
> + if (options.userContextId == 0) {
> + ok = GetExpandedPrincipal(cx, obj, getter_AddRefs(expanded));
> + prinOrSop = expanded;
> + }
Instead of doing it like this, do:
if (options.userContextId != 0) {
// We don't support passing a userContextId with an array.
ok = false;
} else {
ok = GetExpandedPrincipal(cx, obj, getter_AddRefs(expanded));
prinOrSop = expanded;
}
Attachment #8748451 -
Flags: review?(bobbyholley) → review+
|
|
Assignee | |
Comment 13•9 years ago
|
||
Fix comments from comment 12. And r=me because bholley already r+ed.
Attachment #8748990 -
Flags: review+
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8748451 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 14•9 years ago
|
||
|
||
Comment 16•9 years ago
|
||
Keywords: checkin-needed
|
||
Comment 17•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox49:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
|
||
Updated•9 years ago
|
Priority: -- → P1
|
|
||
Comment 18•9 years ago
|
||
Tim and Bobby, thanks for fixing this bug! Cheers!
You need to log in
before you can comment on or make changes to this bug.
Description
•