568886 - Instead of severing the stack in SJOW, function.caller should refuse to return an object from a different compartment

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jason Orendorff [:jorendorff]]

Currently we have a hack in SJOW to sever the stack. This is specifically to prevent an attack where arguments.callee.caller.caller eventually reaches a more-privileged object.

In the case of content reaching up to Greasemonkey scripts, .caller.caller eventually reaches an object which has the same principals, but from which too-powerful Greasemonkey APIs are reachable. So a principals check in function.caller would be insufficient.

Instead, we should put Greasemonkey in a separate compartment (bug 568885) and make .caller return null rather than return a function object from another compartment.

Comment 1

[Brendan Eich [:brendan]]

Abso-freaking-lutely -- how did we live with this for so long? f.caller was censored in the old days of Netscape 4 signed scripts/applets.

Great to see this getting fixed.

/be

Comment 2

[Jason Orendorff [:jorendorff]]

Attachment: v1

Like so. But since Gecko does not actually put objects with different principals in different compartments yet, this patch is not yet safe to land.

Comment 3

[Jason Orendorff [:jorendorff]]

Comment on attachment 453889 [details] [diff] [review]
v1

Actually, um -- can we land this now? I think the security check has been redundant for some time. The stack-severing code in SJOW is sufficient for now, and the new check added here will be sufficient when Gecko is properly compartmentalized.

Comment 4

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 453889 [details] [diff] [review]
v1

Yeah, we should be able to land this now.

Comment 5

[Jason Orendorff [:jorendorff]]

http://hg.mozilla.org/tracemonkey/rev/8f3a5ad4b8d1

Comment 6

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/8f3a5ad4b8d1