Closed Bug 1549326 Opened 1 year ago Closed 1 year ago

Remove simpletest.js from eval()-whitelist

Categories

(Core :: DOM: Security, enhancement, P3)

RESOLVED FIXED
mozilla68
Tracking Status
firefox68 --- fixed

People

(Reporter: jallmann, Assigned: jallmann)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file)

Simpletest.js triggers the eval-assertion from Bug 1473549 in some tests.
The file itself does not contain eval() or new Function. Some occurrences of setTimeout() might end up being called with string literals, but this doesn't seem to be the case either.

In all cases examined so far, test files call functions from simpletest.js through setTimeout() with string literals, causing the assertion to be triggered with simpletest.js showing up as the cause.

These test files have to be found and refactored to avoid using setTimeout() with string literals.
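
One way to find such test files, as an added example that is not part of the bug report or of the Mozilla tree: a small Node.js scanner that flags setTimeout()/setInterval() calls whose first argument starts with a string literal. The names `findStringTimers`, `report` and `SAMPLE_TEST` are hypothetical, and the sample test file is constructed.

```javascript
// Added example: flags setTimeout()/setInterval() calls whose first argument
// starts with a string literal, the eval-like form the bug asks to refactor.
// Heuristic only: a string passed through a variable is not detected.
const TIMER_WITH_STRING =
  /\b(setTimeout|setInterval)\s*\(\s*(["'`])((?:\\.|(?!\2)[^\\\n])*)\2/g;

function findStringTimers(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    // Skip whole-line comments so commented-out code is not reported.
    if (/^\s*\/\//.test(text)) return;
    for (const m of text.matchAll(TIMER_WITH_STRING)) {
      findings.push({ line: index + 1, call: m[1], code: m[3] });
    }
  });
  return findings;
}

// Constructed sample test file (not taken from the Mozilla tree).
const SAMPLE_TEST = [
  'SimpleTest.waitForExplicitFinish();',
  'setTimeout("SimpleTest.finish()", 0);            // string: compiled like eval()',
  'setTimeout(SimpleTest.finish, 0);                // function reference: fine',
  'setTimeout(() => SimpleTest.finish(), 0);        // arrow function: fine',
  "window.setInterval('checkDone(' + id + ')', 50); // string concatenation",
  '// setTimeout("ignored()", 0);',
].join("\n");

// Turn findings into one human-readable line per flagged call.
function report(source) {
  return findStringTimers(source).map(
    (f) => `line ${f.line}: ${f.call}() called with string "${f.code}"`
  );
}

console.log(report(SAMPLE_TEST).join("\n"));
```

Each flagged call is refactored by passing a function instead of the string, as in the third and fourth sample lines.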

Amend several test files for triggering eval() assertion through simpletest.js

Keywords: checkin-needed

Received the following while trying to land this:
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again. (255, 'applying /tmp/tmps9UlqT\npatching file modules/libpref/init/all.js\nHunk #1 FAILED at 2660\n1 out of 1 hunks FAILED -- saving rejects to file modules/libpref/init/all.js.rej\nabort: patch failed to apply', '')

Flags: needinfo?(jallmann)

Rebased patch.

Flags: needinfo?(jallmann)

Pushed by nerli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e925cef1cadf
Remove simpletest.js from eval()-whitelist, r=ckerschb

Keywords: checkin-needed
Flags: needinfo?(jallmann)
Keywords: checkin-needed

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/39446af6b4ad
Remove simpletest.js from eval()-whitelist, r=ckerschb

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68