Closed Bug 321522 Opened 19 years ago Closed 19 years ago

The sandbox object's prototype comes from the calling code

Categories

(Core :: XPConnect, defect, P2)

Product:
Core
Component:
XPConnect
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: mrbkap, Assigned: mrbkap)

References

Details

(Keywords: verified1.8.0.2, verified1.8.1, Whiteboard: [sg:critical?][rft-dl])

Attachments

(2 files, 1 obsolete file)

With that addressed
3.29 KB, patch
shaver
: review+
brendan
: superreview+
brendan
: approval-branch-1.8.1+
brendan
: approval1.8.0.2+
Details | Diff | Splinter Review
Patch for the branch
3.23 KB, patch
Details | Diff | Splinter Review
moz_bug_r_a4 pointed out in bug 321101, comment 16 that the sandbox object's prototype comes from the creator's context. By definition (since Components.utils can only be accessed from chrome) this means that it's possible to access the protected global object.
Assignee: dbradley → mrbkap
Priority: -- → P2
Status: NEW → ASSIGNED
Attached patch Untested potential fix (obsolete) — Splinter Review
I need to test to make sure this actually works. I wonder if we shouldn't store the sandbox's context in the sandbox object to avoid recreating it on the sandbox creation and then on each subsequent evalInSandbox.
Comment on attachment 206835 [details] [diff] [review] Untested potential fix This seems to work and not break things.
Attachment #206835 - Flags: superreview?(brendan)
Attachment #206835 - Flags: review?(shaver)
Comment on attachment 206835 [details] [diff] [review] Untested potential fix >- JSObject *sandbox = JS_NewObject(cx, &SandboxClass, nsnull, nsnull); >- if (!sandbox) >+ JSContext *tempcx = JS_NewContext(JS_GetRuntime(cx), 1024); >+ if(!tempcx) >+ return ThrowAndFail(NS_ERROR_OUT_OF_MEMORY, cx, _retval); >+ >+ JSObject *sandbox = JS_NewObject(tempcx, &SandboxClass, nsnull, nsnull); >+ if(!sandbox) { >+ JS_DestroyContextNoGC(tempcx); > return ThrowAndFail(NS_ERROR_XPC_UNEXPECTED, cx, _retval); >+ } Seems like a hazardous pattern for C++, given NS_ENSURE_* and other return-hiding macros that might crop up. Isn't there an auto-storage-class helper for managing a local JSContext? If not, make one, or do the context-conservation-via-private-data thing -- but beware making an uncollectable GC cycle! /be
Whiteboard: [sg:critical?]
Attachment #206835 - Attachment is obsolete: true
Attachment #206937 - Flags: superreview?(brendan)
Attachment #206937 - Flags: review?(shaver)
Attachment #206835 - Flags: superreview?(brendan)
Attachment #206835 - Flags: review?(shaver)
incomplete patch? /be
Comment on attachment 206937 [details] [diff] [review] With that addressed >+ if (mGCOnFinalization) >+ JS_DestroyContext(mContext); >+ else >+ JS_DestroyContextNoGC(mContext); >+ } Literal-minded me would prefer mGCOnDestroy, since Finalization denotes a phase of the JS GC, and you can't GC from within a running GC. >+ operator JSContext * () >+ {return mContext;} I'm a style nut: why is this better than all on one line? Just askin'! >- JSObject *sandbox = JS_NewObject(cx, &SandboxClass, nsnull, nsnull); >+ XPCAutoJSContext tempcx(JS_NewContext(JS_GetRuntime(cx), 1024), PR_FALSE); >+ if (!tempcx) >+ return ThrowAndFail(NS_ERROR_OUT_OF_MEMORY, cx, _retval); >+ >+ JSObject *sandbox = JS_NewObject(tempcx, &SandboxClass, nsnull, nsnull); > if (!sandbox) > return ThrowAndFail(NS_ERROR_XPC_UNEXPECTED, cx, _retval); Nice and small, thanks to one of C++'s few fully-righteous features (auto-storage-class class ctors and dtors ;-P). /be
Attachment #206937 - Flags: superreview?(brendan) → superreview+
(In reply to comment #6) > I'm a style nut: why is this better than all on one line? Just askin'! I think that's what the style of the surrounding code is (xpconnect's style is kind of weird to me).
Comment on attachment 206937 [details] [diff] [review] With that addressed r=shaver
Attachment #206937 - Flags: review?(shaver) → review+
Fix checked into trunk. I don't know what release to nominate this for, trying the obvious ones, though. This doesn't really do anything without a full patch for bug 321101, so 1.8.0.1 might be a bit optitmistic.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.1?
Resolution: --- → FIXED
1.8.0.2 per comment 9
Flags: blocking1.8.0.2+
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
note to self: this test will fail until bug 321101 is fixed.
Flags: testcase+
Comment on attachment 206937 [details] [diff] [review] With that addressed I need this no-risk patch on the branch for bug 265740 and co.
Attachment #206937 - Flags: approval1.8.0.2?
Comment on attachment 206937 [details] [diff] [review] With that addressed a=me, for the right patch. /be
Attachment #206937 - Flags: approval1.8.0.2?
Attachment #206937 - Flags: approval1.8.0.2+
Attachment #206937 - Flags: approval-branch-1.8.1+
This is the same patch as above, except that it isn't malformed.
Fix checked into the 1.8 branches.
Keywords: fixed1.8.0.2, fixed1.8.1
Whiteboard: [sg:critical?] → [sg:critical?][rft-dl]
can not verify on 1.8.0.2 due to bug 328932
verified fixed firefox 1.5.0.2/20060308 using domi on winxp/macosx
Keywords: fixed1.8.0.2verified1.8.0.2
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
ff2b2 verified fixed 1.8 windows/linux
Keywords: fixed1.8.1verified1.8.1
Flags: in-testsuite+ → in-testsuite?
Group: security
Flags: blocking1.8.1?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: