Closed Bug 976151 Opened 6 years ago Closed 6 years ago

Anti eval/Function() check during wrapping should use |subsumes|

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
macOS
Type:
defect
Priority:
Not set

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30

People

(Reporter: bholley, Assigned: bholley)

References

Details

Attachments

(1 file)

Anti eval/Function() check during wrapping should use |subsumes|. v1
3.15 KB, patch
gkrizsanits
: review+
Details | Diff | Splinter Review 
We have this just-in-case check against creating a cross-compartment wrapper to either eval or the Function constructor from a privileged page. Currently, this just checks if the wrapper would be a COW, but that's suboptimal for two reasons:

(1) When we implement Xrays-to-Functions, this check will be wrong.
(2) Now that we have asymmetric privilege relationships with non-chrome principals (i.e nsIExpandedPrincipal), we want the logic to cover all non-subsuming cases, not just content->chrome.

This isn't a security problem, just the improvement of a belt-and-braces check. I'll write up a patch.
Attachment #8380825 - Flags: review?(gkrizsanits) → review+
https://hg.mozilla.org/mozilla-central/rev/9a8a8a73df71
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.