diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-02-08 19:22:33 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-08 19:22:33 +0100 |
commit | ef794bb39b7c5d98bd198965c987089ca146c4dd (patch) | |
tree | 03b40a2cba695fd1f87567aab80371ff0358ec04 | |
parent | 4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2 (diff) | |
download | uxp-ef794bb39b7c5d98bd198965c987089ca146c4dd.tar.gz |
Don't allow proxies in the proto chain.
-rw-r--r-- | js/xpconnect/wrappers/AccessCheck.cpp | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/js/xpconnect/wrappers/AccessCheck.cpp b/js/xpconnect/wrappers/AccessCheck.cpp index 085e7100ef..d17c0629e1 100644 --- a/js/xpconnect/wrappers/AccessCheck.cpp +++ b/js/xpconnect/wrappers/AccessCheck.cpp @@ -307,6 +307,20 @@ ExposedPropertiesOnly::check(JSContext* cx, HandleObject wrapper, HandleId id, W // Unfortunately, |cx| can be in either compartment when we call ::check. :-( JSAutoCompartment ac(cx, wrappedObject); + // Proxies are not allowed in the proto chain. + RootedObject o(cx, wrappedObject); + while (o) { + JSObject* unwrapped = js::IsWrapper(o) ? js::CheckedUnwrap(o, false) : o; + if (!unwrapped || js::IsProxy(unwrapped)) + return false; + + RootedObject p(cx); + if (!js::GetObjectProto(cx, o, &p)) + return false; + + o = p; + } + bool found = false; if (!JS_HasPropertyById(cx, wrappedObject, exposedPropsId, &found)) return false; |