
Backed out changeset c6131ed87e9c. Jason Orendorff — Bug 583262 - Remove security checks on f.prototype.constructor property at last. r=mrbkap. Causing nightly topcrash.

--HG--
branch : GECKO20b3_20100804_RELBRANCH
1 parent b7c378c commit 6500b2ec6bd209160a6f051cb12ce6a4d932e0a0 @sayrer sayrer committed Aug 4, 2010
Showing with 34 additions and 1 deletion.
  1. +34 −1 js/src/jsobj.cpp
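--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -5592,6 +5592,39 @@ js_GetClassPrototype(JSContext *cx, JSObject *scope, JSProtoKey protoKey,
 return FindClassPrototype(cx, scope, protoKey, protop, clasp);
 }
+/*
+ * For shared precompilation of function objects, we support cloning on entry
+ * to an execution context in which the function declaration or expression
+ * should be processed as if it were not precompiled, where the precompiled
+ * function's scope chain does not match the execution context's. The cloned
+ * function object carries its execution-context scope in its parent slot; it
+ * links to the precompiled function (the "clone-parent") via its proto slot.
+ *
+ * Note that this prototype-based delegation leaves an unchecked access path
+ * from the clone to the clone-parent's 'constructor' property. If the clone
+ * lives in a less privileged or shared scope than the clone-parent, this is
+ * a security hole, a sharing hazard, or both. Therefore we check all such
+ * accesses with the following getter/setter pair, which we use when defining
+ * 'constructor' in f.prototype for all function objects f.
+ */
+static JSBool
+CheckCtorGetAccess(JSContext *cx, JSObject *obj, jsid id, Value *vp)
+{
+ JSAtom *atom = cx->runtime->atomState.constructorAtom;
+ JS_ASSERT(id == ATOM_TO_JSID(atom));
+ uintN attrs;
+ return CheckAccess(cx, obj, ATOM_TO_JSID(atom), JSACC_READ, vp, &attrs);
+}
+
+static JSBool
+CheckCtorSetAccess(JSContext *cx, JSObject *obj, jsid id, Value *vp)
+{
+ JSAtom *atom = cx->runtime->atomState.constructorAtom;
+ JS_ASSERT(id == ATOM_TO_JSID(atom));
+ uintN attrs;
+ return CheckAccess(cx, obj, ATOM_TO_JSID(atom), JSACC_WRITE, vp, &attrs);
+}
+
 JSBool
 js_SetClassPrototype(JSContext *cx, JSObject *ctor, JSObject *proto, uintN attrs)
 {
@@ -5611,7 +5644,7 @@ js_SetClassPrototype(JSContext *cx, JSObject *ctor, JSObject *proto, uintN attrs
 * for a user-defined function f, is DontEnum.
 */
 return proto->defineProperty(cx, ATOM_TO_JSID(cx->runtime->atomState.constructorAtom),
- ObjectOrNullValue(ctor), PropertyStub, PropertyStub, 0);
+ ObjectOrNullValue(ctor), CheckCtorGetAccess, CheckCtorSetAccess, 0);
 }
 JSBool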
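Review bot: CheckCtorGetAccess and CheckCtorSetAccess, the two static helpers restored in the first hunk, are identical apart from JSACC_READ versus JSACC_WRITE, so the security check now lives in two copies that can drift; a single helper taking the access mode keeps one definition of what "checked access to 'constructor'" means, and the `attrs` local, which exists only to satisfy CheckAccess's out-parameter and is never read, deserves a one-line comment saying so. Because this backout reinstates a check the restored header comment describes as closing a security hole, I would also add to that comment a line recording why it is back, so the next removal attempt starts from the history: `* Restored by backing out bug 583262; the removal caused a nightly topcrash, so confirm the clone-parent hazard is handled before dropping these checks again.` (the crash cause is taken from the commit message, not from anything visible in the code). The JSAccessMode type for the mode parameter is assumed from the CheckAccess calls shown here and should be confirmed against the declaration before refactoring. Both hunks cut through functions: the first holds only the tail of js_GetClassPrototype and the head of js_SetClassPrototype, and the second is the end of js_SetClassPrototype, whose beginning is outside the visible lines.
```cpp
/* … unchanged: clone-parent header comment … */
static JSBool
CheckCtorAccess(JSContext *cx, JSObject *obj, jsid id, JSAccessMode mode, Value *vp)
{
    JSAtom *atom = cx->runtime->atomState.constructorAtom;
    JS_ASSERT(id == ATOM_TO_JSID(atom));
    uintN attrs;    /* required out-param of CheckAccess; not used here */
    return CheckAccess(cx, obj, ATOM_TO_JSID(atom), mode, vp, &attrs);
}

static JSBool
CheckCtorGetAccess(JSContext *cx, JSObject *obj, jsid id, Value *vp)
{
    return CheckCtorAccess(cx, obj, id, JSACC_READ, vp);
}

static JSBool
CheckCtorSetAccess(JSContext *cx, JSObject *obj, jsid id, Value *vp)
{
    return CheckCtorAccess(cx, obj, id, JSACC_WRITE, vp);
}
```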
