Closed Bug 435151 Opened 16 years ago Closed 14 years ago

XPCSafeJSObjectWrapper breaks evalInSandbox

Categories

(Core :: XPConnect, defect, P2)

Product:
Core
Component:
XPConnect
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mikeperry.unused, Assigned: mrbkap)

References

(
URL
)

Details

(Keywords: fixed1.9.0.12, fixed1.9.1, regression)

Attachments

(1 file)

Fix for this bug
3.84 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review 
I'm trying to get the Torbutton 1.1.x-alpha extension working with Firefox 3,
but I seem to be running into a bug involving evalInSandbox. 

The extension needs to run some javascript in the context of the content 
window to install wrappers around the screen and Date objects to prevent anonymity set reduction by resolution and timezone.

The script is injected via evalInSanbox with a sandbox of:
s = Cu.Sandbox(contentWindow.wrappedJSObject).
s.window = contentWindow.wrappedJSObject;

The problem is that in Firefox 3.0, I've started getting the
following error from an eval that I also call inside the sandboxed
code:

"EvalError: function eval must be called directly, and not by way of a
function of another name"

The line in question just does a window.eval(string). I suspect
something is going on with the XPCSafeJSObjectWrapper now wrapping my
sandboxed window (and thus the eval call).

In addition, I seem to be unable to call constructors from the wrapped
window object in general. Doing something as simple as:

new window.Object();

I've created a test extension that reproduces these errors for FF3.0rc1 here:
http://fscked.org/transient/firefox/evalInSandbox.xpi

It does not require Tor to run, and will pop up alerts with the above errors on every page loaded while it is enabled.
Flags: wanted1.9.0.x?
Err, missed a line from that description (was a cut and paste). Doing:

new window.Object();

throws a NS_ERROR_XPC_NOT_ENOUGH_ARGS exception. For constructors with arguments, such as a String copy:

new window.String("Copy me")

throws an NS_ERROR_ILLEGAL_VALUE error. So it appears as if constructor calls inside of a sandbox are off by an arg (perhaps some kind of this pointer is not being properly passed and everything is shifted over?)

I should also note that in case this bug is being neglected because the window.eval issue is a hard one to fix: that issue could be worked around if I was able to do something like 'new window.Function(some_script)'. Of course that would be a performance hit, but at least it would work.. If only constructors were handled properly, that is.
Pretty sure this is known/expected. Blake, can you comment?
We're seeing this in Komodo with Moz 1.9, when a secondary dialog window tries
to run code in the main window's context via

parent.opener.eval(stringToEval)

The code is run, but with the warning.  Both windows are chrome URIs.
Assigning to Blake for now so he can comment on this.
Assignee: nobody → mrbkap
Component: Extension Compatibility → XPConnect
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Product: Firefox → Core
QA Contact: extension.compatibility → xpconnect
Version: 3.0 Branch → unspecified
Flags: blocking1.9.1?
Sounds bad. Blake, if you don't think this is a blocker, please say so.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Attached patch Fix for this bugSplinter Review 
So, this fixes the issue with e.g. (new XPCSafeJSObjectWrapper(window).Number)(5), but not eval. I'll file a new bug on smoothing out the relationship between XPCSafeJSObjectWrapper and evalInSandbox.
Attachment #359878 - Flags: superreview?(jst)
Attachment #359878 - Flags: review?(jst)
Attachment #359878 - Flags: superreview?(jst)
Attachment #359878 - Flags: superreview+
Attachment #359878 - Flags: review?(jst)
Attachment #359878 - Flags: review+
(In reply to comment #7)
> I'll file a new bug on smoothing out the relationship between
> XPCSafeJSObjectWrapper and evalInSandbox.

That blocks bug 460882.
What's left to do here?  Is this ready to land?
Was a new bug filed as mentioned in comment 8? If so would that be a better bug for bug 460882 to depend on? Or (seeing as 460882 is marked fixed) did that aspect just get wrapped up into 460882?
Keywords: regression
Whiteboard: regression → needs landing
http://hg.mozilla.org/mozilla-central/rev/95747b72826b
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: needs landing
Keywords: fixed1.9.0.12
Hey, Mike, can you verify this with a nightly Firefox 3 build from ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla1.9.0/?
Hrmm, the test xpi is still having issues with the window.String() constructor:

String Constructor failed: TypeError: invalid new expression result new String() success!

I'll have to go back and check the real Torbutton code I had, but I'm thinking that the fix is only partial, since you can't build strings using window.String() inside a sandbox still. 

This may mean that any constructor off of window with more than 0 arguments will fail.
Yeah, the behaviour is the same as the test XPI. This is only a partial fix that seems to cover only zero argument constructors.

Once again, the test xpi to demonstrate the issue is at:
http://fscked.org/transient/firefox/evalInSandbox.xpi
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
bug 386635 might have fixed this.
Flags: blocking1.9.0.19?
I'm going to call this fixed by compartments.
Status: REOPENED → RESOLVED
Closed: 16 years ago14 years ago
Resolution: --- → FIXED
Flags: blocking1.9.0.19?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: