Closed
Bug 1355016
Opened 7 years ago
Closed 7 years ago
Add support for IsConstructor on wrapped functions
Categories
(Core :: JavaScript Engine, enhancement)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla56
People
(Reporter: anba, Assigned: till)
References
Details
Attachments
(1 file)
|
1.75 KB,
patch
|
bholley
:
review+
|
Details | Diff | Splinter Review |
http://searchfox.org/mozilla-central/rev/eace920a0372051a11d8d275bd9b8f14f3024ecd/js/src/proxy/Wrapper.cpp#294-296 This issue is visible when using Reflect.construct: --- var g = newGlobal(); var w = g.eval("() => {}"); Reflect.construct(Array, [], w); --- Expected: Throws TypeError Actual: No TypeError thrown
|
Assignee | |
Comment 1•7 years ago
|
||
I *think* this should be ok: AFAICT checking if the wrapped object is a constructor after doing an unchecked unwrap should have the right behavior. In particular, it should strictly be a more thorough check than we had before. AFAICT it should be enough to do this in the IsConstructor intrinsic as all other code paths that'd lead to constructing things should already be covered. bz, asking you for review because I'm not 100% convinced I have the right understanding of the security implications of this.
|
||
Comment 2•7 years ago
|
||
Comment on attachment 8867168 [details] [diff] [review] Properly check for constructability of wrapped objects in intrinsic_IsConstructor I'm not sure about the security implications either; handing off to bholley. That said, it's weird to have intrinsic_IsConstructor report a different value from IsConstructor... Why should this logic be in intrinsic_IsConstructor and not in IsConstructor?
Attachment #8867168 -
Flags: review?(bzbarsky) → review?(bobbyholley)
|
|
Assignee | |
Comment 3•7 years ago
|
||
(In reply to Boris Zbarsky [:bz] (still a bit busy) (if a patch has no decent message, automatic r-) from comment #2) > That said, it's weird to have intrinsic_IsConstructor report a different > value from IsConstructor... Why should this logic be in > intrinsic_IsConstructor and not in IsConstructor? Not all uses of IsConstructor would usefully do this unwrapping. E.g. the asserts in InternalConstruct want to check if the object in question itself is a constructor. I'll add an IsConstructorUnwrapping and use it in the appropriate places, assuming bholley gives a thumbs up to the general approach.
|
||
Comment 4•7 years ago
|
||
Comment on attachment 8867168 [details] [diff] [review] Properly check for constructability of wrapped objects in intrinsic_IsConstructor Review of attachment 8867168 [details] [diff] [review]: ----------------------------------------------------------------- Yeah this is ok - we allow getConstructor on security wrappers in general: http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/js/src/jswrapper.h#318
Attachment #8867168 -
Flags: review?(bobbyholley) → review+
|
||
Updated•7 years ago
|
Flags: needinfo?(till)
Pushed by tschneidereit@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/e32dc83928e5 Properly check for constructability of wrapped objects in intrinsic_IsConstructor. r=bz,bholley
|
Reporter | |
Comment 7•7 years ago
|
||
There seem to be more places where we need to check for wrapped objects, for example when creating scripted proxies or bound functions:
---
var g = newGlobal();
var w = g.eval("() => {}");
var p = Function.prototype.bind.call(w);
// Also: var p = new Proxy(w, {});
Reflect.construct(Array, [], p);
---
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/e32dc83928e5
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
|
||
Comment 9•7 years ago
|
||
This is too late for 55.
You need to log in
before you can comment on or make changes to this bug.
Description
•