Bug 1052093 - Child->parent CPOWs should go through COWs in the parent for security (r=bholley)

2014-08-20 12:49:10 -07:00
parent e183624be1
commit 219eb6cb82
7 changed files with 21 additions and 4 deletions
--- a/content/base/test/chrome/cpows_parent.xul
+++ b/content/base/test/chrome/cpows_parent.xul
@@ -166,7 +166,7 @@
      let func = message.objects.func;
      let result = func(n => 2*n);
      ok(result == 20, "result == 20");
-      let obj = {a:1};
+      let obj = {a:1, __exposedProps__: {"a": "r"}};
      savedMM.sendAsyncMessage("cpows:from_parent", {}, {obj: obj});
    }

@@ -191,7 +191,7 @@
    }

    let savedWilldieObj;
-    let wontDie = {f:2};
+    let wontDie = {f:2, __exposedProps__: {"f": "r"}};
    function recvLifetimeTest1(message) {
      let obj = message.objects.obj;
      savedWilldieObj = obj.will_die;
--- a/js/ipc/JavaScriptChild.cpp
+++ b/js/ipc/JavaScriptChild.cpp
@@ -57,3 +57,9 @@ JavaScriptChild::finalize(JSFreeOp *fop)
    objects_.finalize(fop);
    objectIds_.finalize(fop);
 }
+
+JSObject *
+JavaScriptChild::defaultScope()
+{
+    return xpc::PrivilegedJunkScope();
+}
--- a/js/ipc/JavaScriptChild.h
+++ b/js/ipc/JavaScriptChild.h
@@ -27,6 +27,7 @@ class JavaScriptChild : public JavaScriptBase<PJavaScriptChild>

  protected:
    virtual bool isParent() { return false; }
+    virtual JSObject *defaultScope() MOZ_OVERRIDE;

  private:
    bool fail(JSContext *cx, ReturnStatus *rs);
--- a/js/ipc/JavaScriptParent.cpp
+++ b/js/ipc/JavaScriptParent.cpp
@@ -55,6 +55,12 @@ JavaScriptParent::trace(JSTracer *trc)
        objects_.trace(trc);
 }

+JSObject *
+JavaScriptParent::defaultScope()
+{
+    return xpc::UnprivilegedJunkScope();
+}
+
 mozilla::ipc::IProtocol*
 JavaScriptParent::CloneProtocol(Channel* aChannel, ProtocolCloneContext* aCtx)
 {
--- a/js/ipc/JavaScriptParent.h
+++ b/js/ipc/JavaScriptParent.h
@@ -30,6 +30,7 @@ class JavaScriptParent : public JavaScriptBase<PJavaScriptParent>

  protected:
    virtual bool isParent() { return true; }
+    virtual JSObject *defaultScope() MOZ_OVERRIDE;
 };

 } // jsipc
--- a/js/ipc/JavaScriptShared.cpp
+++ b/js/ipc/JavaScriptShared.cpp
@@ -394,8 +394,10 @@ JavaScriptShared::findObjectById(JSContext *cx, uint32_t objId)
        }
    }

-    // If there's no TabChildGlobal, we use the junk scope.
-    JSAutoCompartment ac(cx, xpc::PrivilegedJunkScope());
+    // If there's no TabChildGlobal, we use the junk scope. In the parent we use
+    // the unprivileged junk scope to prevent security vulnerabilities. In the
+    // child we use the privileged junk scope.
+    JSAutoCompartment ac(cx, defaultScope());
    if (!JS_WrapObject(cx, &obj))
        return nullptr;
    return obj;
--- a/js/ipc/JavaScriptShared.h
+++ b/js/ipc/JavaScriptShared.h
@@ -132,6 +132,7 @@ class JavaScriptShared
    friend class Logging;

    virtual bool isParent() = 0;
+    virtual JSObject *defaultScope() = 0;

  protected:
    JSRuntime *rt_;