Closed Bug 326256 Opened 20 years ago Closed 8 years ago

nsScriptSecurityManager::CheckPropertyAccessImpl doesn't report an error if GetSubjectPrincipal fails

Categories

(Core :: Security: CAPS, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED INCOMPLETE

People

(Reporter: timeless, Assigned: dveditz)

Details

(Keywords: helpwanted)

# 00 caps!nsScriptSecurityManager::CheckPropertyAccessImpl(unsigned int aAction = 1, class nsIXPCNativeCallContext * aCallContext = 0x00000000, struct JSContext * cx = 0x00c76298, struct JSObject * aJSObject = 0x0196c978, class nsISupports * aObj = 0x00000000, class nsIURI * aTargetURI = 0x00000000, class nsIClassInfo * aClassInfo = 0x00000000, char * aClassName = 0x100de0b8 "RegExp", long aProperty = 12428564, void ** aCachedClassPolicy = 0x00000000)+0x2d (FPO: [Non-Fpo]) (CONV: thiscall) [r:\mozilla\caps\src\nsscriptsecuritymanager.cpp @ 628] 01 caps!nsScriptSecurityManager::CheckObjectAccess(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x0196c970, long id = 12428564, JSAccessMode mode = JSACC_READ (4), long * vp = 0x0012d51c)+0xf8 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\caps\src\nsscriptsecuritymanager.cpp @ 486] 02 js3250!js_CheckAccess(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x0196c970, long id = 12221048, JSAccessMode mode = JSACC_READ (4), long * vp = 0x0012d51c, unsigned int * attrsp = 0x0012d43c)+0x488 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 3643] 03 js3250!CheckCtorGetAccess(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x0196c970, long id = 12428564, long * vp = 0x0012d51c)+0x5a (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 3916] 04 js3250!js_GetProperty(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x0196c970, long id = 12221048, long * vp = 0x0012d51c)+0x5f0 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 2983] 05 js3250!JS_GetConstructor(struct JSContext * cx = 0x00c76298, struct JSObject * proto = 0x0196c970)+0x4f (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsapi.c @ 2234] 06 js3250!js_InitRegExpClass(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8)+0x4b (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsregexp.c @ 4090] 07 js3250!JS_ResolveStandardClass(struct JSContext * cx = 0x00c76298, struct JSObject * obj 
= 0x01463ae8, long id = 12428476, int * resolved = 0x0012d584)+0x2f2 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsapi.c @ 1430] 08 xpc3250!BackstagePass::NewResolve(class nsIXPConnectWrappedNative * wrapper = 0x013f5128, struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, long id = 12428476, unsigned int flags = 0x10, struct JSObject ** objp = 0x0012d690, int * _retval = 0x0012d614)+0x1a (FPO: [Non-Fpo]) (CONV: stdcall) [r:\mozilla\js\src\xpconnect\src\xpcruntimesvc.cpp @ 77] 09 xpc3250!XPC_WN_Helper_NewResolve(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, long idval = 12428476, unsigned int flags = 0x10, struct JSObject ** objp = 0x0012d710)+0x2a3 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\xpconnect\src\xpcwrappednativejsops.cpp @ 1088] 0a js3250!js_LookupPropertyWithFlags(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, long id = 12219216, unsigned int flags = 0x10, struct JSObject ** objp = 0x0012d764, struct JSProperty ** propp = 0x0012d758)+0x369 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 2712] 0b js3250!js_FindConstructor(struct JSContext * cx = 0x00c76298, struct JSObject * start = 0x00000000, char * name = 0x100de0b8 "RegExp", long * vp = 0x0012d794)+0x1e1 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 2090] 0c js3250!GetClassPrototype(struct JSContext * cx = 0x00c76298, struct JSObject * scope = 0x00000000, char * name = 0x100de0b8 "RegExp", struct JSObject ** protop = 0x0012d7f8)+0x1b (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 3865] 0d js3250!js_NewObject(struct JSContext * cx = 0x00c76298, struct JSClass * clasp = 0x101137b0, struct JSObject * proto = 0x00000000, struct JSObject * parent = 0x00000000)+0x23 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsobj.c @ 1970] 0e js3250!js_NewRegExpObject(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, unsigned short * chars = 0x01905a80 "ERROR_MODULE", 
unsigned int length = 0xc, unsigned int flags = 0)+0x65 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsregexp.c @ 4125] 0f js3250!js_GetToken(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780)+0x246d (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsscan.c @ 1915] 10 js3250!UnaryExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x4c (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2782] 11 js3250!MulExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x17 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2684] 12 js3250!AddExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x17 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2666] 13 js3250!ShiftExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x17 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2651] 14 js3250!RelExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x32 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2619] 15 js3250!EqExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x17 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2595] 16 js3250!BitAndExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x15 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2583] 17 js3250!BitXorExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x15 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2570] 18 js3250!BitOrExpr(struct JSContext 
* cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x15 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2557] 19 js3250!AndExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x15 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2546] 1a js3250!OrExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x15 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2535] 1b js3250!CondExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x17 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2495] 1c js3250!AssignExpr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x41 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2429] 1d js3250!Expr(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x17 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 2401] 1e js3250!Condition(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x4b (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 1119] 1f js3250!Statement(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x3b7 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 1349] 20 js3250!Statement(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0x100b (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 1690] 21 js3250!Statements(struct JSContext * cx = 0x00c76298, struct JSTokenStream * ts = 0x01905780, struct JSTreeContext * tc = 0x0012e104)+0xda (FPO: [Non-Fpo]) 
(CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 1064] 22 js3250!js_CompileTokenStream(struct JSContext * cx = 0x00c76298, struct JSObject * chain = 0x01463ae8, struct JSTokenStream * ts = 0x01905780, struct JSCodeGenerator * cg = 0x0012e104)+0xef (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsparse.c @ 469] 23 js3250!CompileTokenStream(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, struct JSTokenStream * ts = 0x01905780, void * tempMark = 0x00c762e8, int * eofp = 0x00000000)+0xd2 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsapi.c @ 3605] 24 js3250!JS_CompileFileHandleForPrincipals(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, char * filename = 0x013ec0f0 "r:\nsError.js", struct _iobuf * file = 0x1027c898, struct JSPrincipals * principals = 0x00000000)+0xb0 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsapi.c @ 3799] 25 xpcshell!Load(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, unsigned int argc = 1, long * argv = 0x0146c944, long * rval = 0x0012e2e8)+0x9c (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 244] 26 js3250!js_Invoke(struct JSContext * cx = 0x00c76298, unsigned int argc = 1, unsigned int flags = 0)+0xd5d (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsinterp.c @ 1230] 27 js3250!js_Interpret(struct JSContext * cx = 0x00c76298, unsigned char * pc = 0x0130fd39 ":", long * result = 0x0012ed04)+0xdee8 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsinterp.c @ 3794] 28 js3250!js_Execute(struct JSContext * cx = 0x00c76298, struct JSObject * chain = 0x01463ae8, struct JSScript * script = 0x0130fb60, struct JSStackFrame * down = 0x00000000, unsigned int flags = 0, long * result = 0x0012fdb8)+0x334 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsinterp.c @ 1480] 29 js3250!JS_ExecuteScript(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, struct JSScript * script = 0x0130fb60, long * rval = 0x0012fdb8)+0x42 
(FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\jsapi.c @ 4050] 2a xpcshell!ProcessFile(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, char * filename = 0x0037768f "326225.js", struct _iobuf * file = 0x1027c898, int forceTTY = 0)+0xf6 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 614] 2b xpcshell!Process(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, char * filename = 0x0037768f "326225.js", int forceTTY = 0)+0x9d (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 705] 2c xpcshell!ProcessArgs(struct JSContext * cx = 0x00c76298, struct JSObject * obj = 0x01463ae8, char ** argv = 0x0037764c, int argc = 2)+0x418 (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 833] 2d xpcshell!main(int argc = 2, char ** argv = 0x0037764c, char ** envp = 0x00372ca0)+0x95d (FPO: [Non-Fpo]) (CONV: cdecl) [r:\mozilla\js\src\xpconnect\shell\xpcshell.cpp @ 1645] 2e xpcshell!mainCRTStartup(void)+0x12c (FPO: [Non-Fpo]) (CONV: cdecl) [f:\vs70builds\3077\vc\crtbld\crt\src\crtexe.c @ 398] 2f kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo]) nsScriptSecurityManager::CheckPropertyAccessImpl(PRUint32 aAction, nsIXPCNativeCallContext* aCallContext, JSContext* cx, JSObject* aJSObject, nsISupports* aObj, nsIURI* aTargetURI, nsIClassInfo* aClassInfo, const char* aClassName, jsval aProperty, void** aCachedClassPolicy) { nsresult rv; nsIPrincipal* subjectPrincipal = GetSubjectPrincipal(cx, &rv); if (NS_FAILED(rv)) return rv; we are here ^^ next frame has: rv = ssm->CheckPropertyAccessImpl((mode & JSACC_WRITE) ? nsIXPCSecurityManager::ACCESS_SET_PROPERTY : nsIXPCSecurityManager::ACCESS_GET_PROPERTY, nsnull, cx, target, native, nsnull, nsnull, JS_GET_CLASS(cx, obj)->name, id, nsnull); if (NS_FAILED(rv)) return JS_FALSE; // Security check failed (XXX was an error reported?) XXX no error was reported. this sucks. 
For some very special reason my xpcshell doesn't actually have good principals, so I get hosed by this stuff if I'm foolish enough *not* to use regexps before I call load. But the point is that you're always supposed to report an error to the JS engine, that's the rule: a JS_FALSE return with no error reported leaves the engine (and the script) with no indication of why the access was denied. 0:000> dv this = 0x00c01f08 aAction = 1 aCallContext = 0x00000000 cx = 0x00c76298 aJSObject = 0x0196c978 aObj = 0x00000000 aTargetURI = 0x00000000 aClassInfo = 0x00000000 aClassName = 0x100de0b8 "RegExp" aProperty = 12428564 aCachedClassPolicy = 0x00000000 rv = 0x80004005 subjectPrincipal = 0x00000000 classInfoData = class ClassInfoData propertyName = class nsCAutoString
Keywords: helpwanted
QA Contact: caps
CheckPropertyAccessImpl doesn't exist any more.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE