Closed
Bug 872772
Opened 11 years ago
Closed 11 years ago
Xray expando infrastructure loses Xray waivers
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
People
(Reporter: bholley, Assigned: bholley)
Details
Attachments
(2 files, 1 obsolete file)
4.93 KB,
patch
|
gkrizsanits
:
review+
|
Details | Diff | Splinter Review |
2.51 KB,
patch
|
gkrizsanits
:
review+
|
Details | Diff | Splinter Review |
This seems to be happening, presumably because of how we rewrap things into the target compartment. I'll attach a testcase.
Assignee | ||
Comment 1•11 years ago
|
||
Here's a testcase.
Assignee | ||
Comment 2•11 years ago
|
||
So. We store Xray expandos in the compartment of the Xrayed object (though they're entirely inaccessible to script running in that compartment). Moreover, Xray waivers are represented by a same-compartment wrapper in the compartment of the Xrayed object. So when we have some waived wrapper to |foo| and want to store it on an Xray wrapper to an object in foo's compartment, we run into problems. Wrapping the object into foo's compartment causes the waiver to be stripped off, and we have no way of knowing to apply it again when it's retrieved. I played with the idea of propagating these waivers into content in a general fashion via same compartment wrapping callback. But I think this has the potentially to get nasty. For example, if you have some waiver to a function function foo(x), invoking foo(foo) would cause content to see |x != foo|. There are probably a million other ways this breaks. So I think I'm just going to manually apply these waivers when adding things to the Xray expando object. Patch coming up.
Assignee | ||
Comment 3•11 years ago
|
||
Attachment #750203 -
Flags: review?(gkrizsanits)
Assignee | ||
Comment 4•11 years ago
|
||
Attachment #750204 -
Flags: review?(gkrizsanits)
Assignee | ||
Comment 5•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=458ce58bb9b4
Assignee | ||
Updated•11 years ago
|
Attachment #750121 -
Attachment is obsolete: true
Comment 6•11 years ago
|
||
This whole thing looks a bit hacky, but I really don't see any better approach either. I guess this is just something we get with the current architecture... I had some concerns about that unsafe unwrapping and also if we catch everything with this single getOwnPropertyDescriptor function, but it seems alright. There is only one case that might not be covered, if the expando property have a content function as its setter, then a., we lose the waiver, but that's kind of expected anyway, b., content code might be able to get behind same compartment security wrappers that way. Since the 'this' pointer in that content function will be the expando object itself (so you could do this.waivedComponents in it). But then again this whole scenario is like shooting yourself in the foot intentionally on the first place by using a content function as an expando property setter/getter... What do you think? Should we somehow check if the getters/setters of the expando props are always same compartment with the xray and not with the expando object itself?
Updated•11 years ago
|
Attachment #750203 -
Flags: review?(gkrizsanits) → review+
Updated•11 years ago
|
Attachment #750204 -
Flags: review?(gkrizsanits) → review+
Assignee | ||
Comment 7•11 years ago
|
||
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #6) > b., content code might be able > to get behind same compartment security wrappers that way. Since the 'this' > pointer in that content function will be the expando object itself (so you > could do this.waivedComponents in it). But then again this whole scenario is > like shooting yourself in the foot intentionally on the first place by using > a content function as an expando property setter/getter... What do you > think? Should we somehow check if the getters/setters of the expando props > are always same compartment with the xray and not with the expando object > itself? (for posterity) We discussed this on IRC. The key observation here is that |this| is never the expando object, because we set |obj| to |wrapper| whenever we return a property descriptor corresponding to the expando object. Expando objects are private to the XrayWrapper, and should never leak.
Assignee | ||
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=c98f7f0305a7
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/532f418b9351 https://hg.mozilla.org/mozilla-central/rev/c98f7f0305a7
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
You need to log in
before you can comment on or make changes to this bug.
Description
•