Exposure checks in toJSON implementations aren't quite right

RESOLVED FIXED in Firefox 62

Status: RESOLVED FIXED (reported 6 months ago; last modified 6 months ago)

People: Reporter: bzbarsky, Assigned: bzbarsky

Tracking: Version: unspecified; Target Milestone: mozilla62

Firefox Tracking Flags: firefox62 fixed

Attachments: 2 attachments, 1 obsolete attachment

Description (Assignee, 6 months ago)
They pass the "this" value of the toJSON call to Prefable::isEnabled.  That's wrong when that value is a cross-compartment wrapper, especially an Xray.  We should be passing the unwrapped version instead.
Updated (Assignee, 6 months ago)
Assignee: nobody → bzbarsky
Updated (Assignee, 6 months ago)
Flags: needinfo?(bzbarsky)
Comment 1 (Assignee, 6 months ago)
I will write a patch for this in a bit.  I need to write a bunch of tests first.
Comment 2 (Assignee, 6 months ago)
Created attachment 8982116
part 1.  Enforce that the default toJSON can only return 'object'

The spec says:

  The return type of the default toJSON operation must be object.
Attachment #8982116 - Flags: review?(kyle)
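The following is an added example, not code from Gecko or from this bug's patches. It is a small JavaScript model of the WebIDL default toJSON together with a Func-controlled exposure check, covering both the description's point (the exposure check must be evaluated against the unwrapped object's global, not the global of a cross-compartment wrapper passed as "this") and comment 2's point (a default toJSON must be declared to return object). The globals, the secureContextOnly predicate, exampleInterface, makeInstance, makeWrapper, unwrap, defaultToJSONBuggy, defaultToJSONFixed and validateDefaultToJSON are stand-ins invented for this example; none of them are Gecko identifiers, and the real Prefable::isEnabled is C++ binding code, not the JS shown here.

```javascript
// Added example (not Gecko code): a JavaScript model of WebIDL's default toJSON
// and a Func-controlled exposure check. All names below are hypothetical
// stand-ins for this illustration, not Gecko identifiers.

// Two realms, constructed for the example: a content window (insecure context)
// and a privileged chrome scope that reaches content objects through a wrapper.
const contentGlobal = { name: "content", isSecureContext: false };
const chromeGlobal = { name: "chrome", isSecureContext: true };

// An exposure condition of the kind a [Func=...] annotation expresses: the
// attribute is visible only when the object's *own* global is a secure context.
function secureContextOnly(global) {
  return global.isSecureContext === true;
}

// A toy interface: attribute name -> exposure predicate (null = always exposed),
// plus the declared return type of its default toJSON.
const exampleInterface = {
  toJSONReturnType: "object",
  attributes: {
    id: null,
    secureOnlyValue: secureContextOnly,
  },
};

// Part 1 of the fix, modeled as a codegen-time check: a default toJSON must be
// declared with return type "object" (WebIDL: "The return type of the default
// toJSON operation must be object").
function validateDefaultToJSON(iface) {
  if (iface.toJSONReturnType !== "object") {
    throw new TypeError(
      `default toJSON must return object, got ${iface.toJSONReturnType}`);
  }
  return true;
}

// A platform object remembers the global (realm) it was created in.
function makeInstance(global, values) {
  return { kind: "instance", global, values };
}

// A cross-compartment wrapper lives in the caller's realm and forwards to a
// target in another realm; it is the "this" value a cross-realm caller passes.
function makeWrapper(target, callerGlobal) {
  return { kind: "wrapper", global: callerGlobal, target };
}

function unwrap(obj) {
  return obj.kind === "wrapper" ? obj.target : obj;
}

// Core of the default toJSON: build a plain object from the exposed attributes.
// `globalForExposure` is the global the exposure predicate is evaluated against;
// choosing the wrong one is the bug this page describes.
function serialize(thisVal, iface, globalForExposure) {
  const target = unwrap(thisVal);
  const result = {};
  for (const [name, exposed] of Object.entries(iface.attributes)) {
    if (exposed !== null && !exposed(globalForExposure)) continue;
    result[name] = target.values[name];
  }
  return result;
}

// Buggy: the exposure check sees the global of "this" as passed, which for a
// wrapper is the caller's global rather than the object's.
function defaultToJSONBuggy(thisVal, iface) {
  return serialize(thisVal, iface, thisVal.global);
}

// Fixed: unwrap first, then decide exposure against the object's own global.
function defaultToJSONFixed(thisVal, iface) {
  return serialize(thisVal, iface, unwrap(thisVal).global);
}

// Scenario 1: an insecure-context content object serialized through a wrapper
// held by a secure-context (chrome) caller. The buggy check leaks the
// secure-only attribute; the fixed check does not.
// Scenario 2 (reverse direction): a secure-context object reached from an
// insecure caller; the buggy check wrongly hides the attribute.
function runScenario() {
  const contentObj = makeInstance(contentGlobal, { id: 7, secureOnlyValue: "leak" });
  const chromeObj = makeInstance(chromeGlobal, { id: 8, secureOnlyValue: "ok" });
  return {
    direct: defaultToJSONFixed(contentObj, exampleInterface),
    buggyViaWrapper: defaultToJSONBuggy(makeWrapper(contentObj, chromeGlobal), exampleInterface),
    fixedViaWrapper: defaultToJSONFixed(makeWrapper(contentObj, chromeGlobal), exampleInterface),
    buggyReverse: defaultToJSONBuggy(makeWrapper(chromeObj, contentGlobal), exampleInterface),
    fixedReverse: defaultToJSONFixed(makeWrapper(chromeObj, contentGlobal), exampleInterface),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  validateDefaultToJSON(exampleInterface);
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

The point to take from the model is that the global used for the exposure decision must belong to the object being serialized, which is why unwrapping has to happen before the check and not after it; the wrapper's global tells you who is asking, not where the object lives.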
Comment 3 (Assignee, 6 months ago)
Created attachment 8982117
part 2.  Fix the interaction of default toJSON with Func-controlled exposure that examines the object's global
Attachment #8982117 - Flags: review?(kyle)
Updated (Assignee, 6 months ago)
Flags: needinfo?(bzbarsky)

Updated (6 months ago)
Blocks: 1464772
Comment 4 (Assignee, 6 months ago)
Created attachment 8982214
part 2.  Fix the interaction of default toJSON with Func-controlled exposure that examines the object's global
Attachment #8982214 - Flags: review?(kyle)
Updated (Assignee, 6 months ago)
Attachment #8982117 - Attachment is obsolete: true
Attachment #8982117 - Flags: review?(kyle)
Updated (Assignee, 6 months ago)
Component: DOM → DOM: Bindings (WebIDL)

Comment 5 (6 months ago)
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/916e5914d84a
part 1.  Enforce that the default toJSON can only return 'object'.  r=qdot
https://hg.mozilla.org/integration/mozilla-inbound/rev/7c76daa75842
part 2.  Fix the interaction of default toJSON with Func-controlled exposure that examines the object's global.  r=qdot

Comment 6 (6 months ago)
bugherder
https://hg.mozilla.org/mozilla-central/rev/916e5914d84a
https://hg.mozilla.org/mozilla-central/rev/7c76daa75842
Status: NEW → RESOLVED
Last Resolved: 6 months ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62