1489455 - Replace evalInSandbox from httpd.js

Status: RESOLVED FIXED

(Testing :: General, enhancement, P2)

Description

[Vinothkumar Nagasayanan [:vinoth]]

As part of Bug 1473549, we are in the process of adding an assertion to make sure that eval() is not executed with system principal.

evalInSandbox is used in httpd.js (https://dxr.mozilla.org/mozilla-central/rev/c2e3be6a1dd352b969a45f0b85e87674e24ad284/netwerk/test/httpserver/httpd.js#2804).

We need to replace it with alternatives.

Comment 1

[Vinothkumar Nagasayanan [:vinoth]]

Attachment: Bug 1489455 - Replace evalInSandbox from httpd.js

Comment 2

[Vinothkumar Nagasayanan [:vinoth]]

Comment on attachment 9007178 [details]
Bug 1489455 - Replace evalInSandbox from httpd.js

Please kindly review the patch and let me know if changes are needed.

Comment 3

[Christoph Kerschbaumer [:ckerschb]]

Comment on attachment 9007178 [details]
Bug 1489455 - Replace evalInSandbox from httpd.js

Hey Valentin, we are in the process of adding an assetion that we never call eval() in system privileged context. We identified a few places within our codebase where we do this, one is within this patch. So before we can add the assertion to make sure we don't ever call eval() in system land, we need to rewrite those parts in the code that currently do.

Would you be willing to accept that change?

Comment 4

[Valentin Gosu [:valentin] (he/him)]

Comment on attachment 9007178 [details]
Bug 1489455 - Replace evalInSandbox from httpd.js

Valentin Gosu [:valentin] has approved the revision.

Comment 5

[Christoph Kerschbaumer [:ckerschb]]

Comment on attachment 9007178 [details]
Bug 1489455 - Replace evalInSandbox from httpd.js

Christoph Kerschbaumer [:ckerschb] has been removed from the revision.

Comment 6

[Pulsebot]

Pushed by rvandermeulen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f2b03dfdb75b
Replace evalInSandbox from httpd.js r=valentin

Comment 7

[Daniel Varga [:dvarga]]

https://hg.mozilla.org/mozilla-central/rev/f2b03dfdb75b