Closed
Bug 435151
Opened 16 years ago
Closed 14 years ago
XPCSafeJSObjectWrapper breaks evalInSandbox
Categories
(Core :: XPConnect, defect, P2)
Tracking
()
RESOLVED
FIXED
People
(Reporter: mikeperry.unused, Assigned: mrbkap)
References
()
Details
(Keywords: fixed1.9.0.12, fixed1.9.1, regression)
Attachments
(1 file)
3.84 KB,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
I'm trying to get the Torbutton 1.1.x-alpha extension working with Firefox 3, but I seem to be running into a bug involving evalInSandbox. The extension needs to run some javascript in the context of the content window to install wrappers around the screen and Date objects to prevent anonymity set reduction by resolution and timezone. The script is injected via evalInSanbox with a sandbox of: s = Cu.Sandbox(contentWindow.wrappedJSObject). s.window = contentWindow.wrappedJSObject; The problem is that in Firefox 3.0, I've started getting the following error from an eval that I also call inside the sandboxed code: "EvalError: function eval must be called directly, and not by way of a function of another name" The line in question just does a window.eval(string). I suspect something is going on with the XPCSafeJSObjectWrapper now wrapping my sandboxed window (and thus the eval call). In addition, I seem to be unable to call constructors from the wrapped window object in general. Doing something as simple as: new window.Object(); I've created a test extension that reproduces these errors for FF3.0rc1 here: http://fscked.org/transient/firefox/evalInSandbox.xpi It does not require Tor to run, and will pop up alerts with the above errors on every page loaded while it is enabled.
Flags: wanted1.9.0.x?
Reporter | ||
Comment 1•16 years ago
|
||
Err, missed a line from that description (was a cut and paste). Doing: new window.Object(); throws a NS_ERROR_XPC_NOT_ENOUGH_ARGS exception. For constructors with arguments, such as a String copy: new window.String("Copy me") throws an NS_ERROR_ILLEGAL_VALUE error. So it appears as if constructor calls inside of a sandbox are off by an arg (perhaps some kind of this pointer is not being properly passed and everything is shifted over?)
Reporter | ||
Comment 2•16 years ago
|
||
I should also note that in case this bug is being neglected because the window.eval issue is a hard one to fix: that issue could be worked around if I was able to do something like 'new window.Function(some_script)'. Of course that would be a performance hit, but at least it would work.. If only constructors were handled properly, that is.
Comment 3•16 years ago
|
||
Pretty sure this is known/expected. Blake, can you comment?
Comment 4•16 years ago
|
||
We're seeing this in Komodo with Moz 1.9, when a secondary dialog window tries to run code in the main window's context via parent.opener.eval(stringToEval) The code is run, but with the warning. Both windows are chrome URIs.
Comment 5•16 years ago
|
||
Assigning to Blake for now so he can comment on this.
Assignee: nobody → mrbkap
Updated•16 years ago
|
Component: Extension Compatibility → XPConnect
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Product: Firefox → Core
QA Contact: extension.compatibility → xpconnect
Version: 3.0 Branch → unspecified
Updated•16 years ago
|
Flags: blocking1.9.1?
Comment 6•16 years ago
|
||
Sounds bad. Blake, if you don't think this is a blocker, please say so.
Flags: blocking1.9.1? → blocking1.9.1+
Updated•16 years ago
|
Priority: -- → P2
Whiteboard: regression
Assignee | ||
Comment 7•16 years ago
|
||
So, this fixes the issue with e.g. (new XPCSafeJSObjectWrapper(window).Number)(5), but not eval. I'll file a new bug on smoothing out the relationship between XPCSafeJSObjectWrapper and evalInSandbox.
Attachment #359878 -
Flags: superreview?(jst)
Attachment #359878 -
Flags: review?(jst)
Updated•16 years ago
|
Attachment #359878 -
Flags: superreview?(jst)
Attachment #359878 -
Flags: superreview+
Attachment #359878 -
Flags: review?(jst)
Attachment #359878 -
Flags: review+
(In reply to comment #7) > I'll file a new bug on smoothing out the relationship between > XPCSafeJSObjectWrapper and evalInSandbox. That blocks bug 460882.
Comment 9•16 years ago
|
||
What's left to do here? Is this ready to land?
Comment 10•16 years ago
|
||
Was a new bug filed as mentioned in comment 8? If so would that be a better bug for bug 460882 to depend on? Or (seeing as 460882 is marked fixed) did that aspect just get wrapped up into 460882?
Updated•16 years ago
|
Keywords: regression
Whiteboard: regression → needs landing
Assignee | ||
Comment 11•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/95747b72826b
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•16 years ago
|
Whiteboard: needs landing
Assignee | ||
Comment 12•16 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/92a2f4d59609
Keywords: fixed1.9.1
Assignee | ||
Updated•15 years ago
|
Keywords: fixed1.9.0.12
Comment 13•15 years ago
|
||
Hey, Mike, can you verify this with a nightly Firefox 3 build from ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla1.9.0/?
Reporter | ||
Comment 14•15 years ago
|
||
Hrmm, the test xpi is still having issues with the window.String() constructor: String Constructor failed: TypeError: invalid new expression result new String() success! I'll have to go back and check the real Torbutton code I had, but I'm thinking that the fix is only partial, since you can't build strings using window.String() inside a sandbox still. This may mean that any constructor off of window with more than 0 arguments will fail.
Reporter | ||
Comment 15•15 years ago
|
||
Yeah, the behaviour is the same as the test XPI. This is only a partial fix that seems to cover only zero argument constructors. Once again, the test xpi to demonstrate the issue is at: http://fscked.org/transient/firefox/evalInSandbox.xpi
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 16•14 years ago
|
||
bug 386635 might have fixed this.
Updated•14 years ago
|
Flags: blocking1.9.0.19?
Assignee | ||
Comment 17•14 years ago
|
||
I'm going to call this fixed by compartments.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
Flags: blocking1.9.0.19?
You need to log in
before you can comment on or make changes to this bug.
Description
•