Closed Bug 625559 Opened 9 years ago Closed 9 years ago

catch escaping chrome eval with wrappers

Component: Core :: JavaScript Engine (defect)
Status: RESOLVED FIXED
Tracking: blocking2.0 betaN+
Reporter: luke; Assigned: mrbkap
Whiteboard: [hardblocker], fixed-in-tracemonkey
Attachments: 1 file

Even though, in a perfect world, chrome eval would not escape to content, we need to handle our imperfect world where lame addons can leak it. Right now, we have a privilege check in EvalKernel (js_EvalFramePrincipals) that neuters chrome eval, but this check depends on the presence of dummy frames (which bug 625199 is going to kill). Instead, we can do something even stronger and just stop eval cold in the wrapper membrane. Blake said he could cook it up in a few lines.
Also the Function constructor.
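As an added illustration (not SpiderMonkey code and not the patch attached to this bug), the following plain-JavaScript model shows the design choice described in the two comments above: instead of a privilege check inside eval that inspects whatever frames happen to be on the stack, the wrapper membrane itself refuses to forward calls to the privileged side's eval and Function, so a leaked chrome reference is useless for running code with chrome privileges. The Proxy-based membrane, the chromeSide object and the tryEval/tryFunction helpers are assumptions of this model, not names from the engine.

```javascript
// Model of a cross-compartment wrapper membrane (added example, not engine code).
// "chromeSide" stands in for a privileged object that a sloppy add-on might hand
// to content; its eval/Function are the real global ones.
const chromeSide = {
  eval: globalThis.eval,
  Function: globalThis.Function,
  helper: (x) => x * 2, // an ordinary chrome function content may legitimately call
};

// A naive wrapper that forwards everything: this is what a leak amounts to when the
// boundary does no filtering of its own.
function naiveWrapper(target) {
  return new Proxy(target, {});
}

// The functions the membrane must never let content invoke on the privileged side.
// Checked by identity against the real eval and Function constructor (assumption of
// the model; the engine identifies them by its own internal means).
function isEvalOrFunction(fn) {
  return fn === globalThis.eval || fn === globalThis.Function;
}

// Wrap a function so that both call and construct go through the membrane check.
function wrapFunction(fn) {
  const deny = () => {
    throw new Error("membrane: eval/Function may not be invoked across the boundary");
  };
  return new Proxy(fn, {
    apply(target, thisArg, args) {
      if (isEvalOrFunction(target)) deny();
      return Reflect.apply(target, thisArg, args);
    },
    construct(target, args, newTarget) {
      if (isEvalOrFunction(target)) deny();
      return Reflect.construct(target, args, newTarget);
    },
  });
}

// The membrane: every function read through it comes back wrapped, so the decision
// is made at the boundary regardless of how the reference was obtained or what
// frames (dummy or otherwise) are on the stack when it is called.
function membraneWrap(target) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      const value = Reflect.get(obj, prop, receiver);
      return typeof value === "function" ? wrapFunction(value) : value;
    },
  });
}

// "Content" attempts: try to run code through the leaked object's eval and Function.
// Each returns {ok, value} on success or {ok:false, error} when the membrane refuses.
function tryEval(leaked, src) {
  try {
    return { ok: true, value: leaked.eval(src) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

function tryFunction(leaked, body) {
  try {
    return { ok: true, value: new leaked.Function(body)() };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

With the naive wrapper, tryEval and tryFunction both succeed, which is the leak this bug is about; through membraneWrap both are refused while an ordinary function such as helper still works, which is the behaviour the membrane-level block is meant to give without relying on frame-based privilege checks.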
blocking2.0: --- → ?
IMO we should block on this. This is very dangerous, because it's very difficult to plug all the leaks.
blocking2.0: ? → betaN+
Whiteboard: hardblocker
Whiteboard: hardblocker → [hardblocker]
Attached patch: Proposed fix
Attachment #507334 - Flags: review?(gal)
Comment on attachment 507334 (Proposed fix)

This doesn't have a UXP bypass, but we probably don't need one, and we should start getting rid of UXP anyway.
Attachment #507334 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/9ac5cb7a9aee
Whiteboard: [hardblocker] → [hardblocker], fixed-in-tracemonkey
Some JS_FRIEND_API magic to make Windows happy.

http://hg.mozilla.org/tracemonkey/rev/0a28e819fb0a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED