summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-02-08 19:22:33 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-02-08 19:22:33 +0100
commitef794bb39b7c5d98bd198965c987089ca146c4dd (patch)
tree03b40a2cba695fd1f87567aab80371ff0358ec04
parent4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2 (diff)
downloaduxp-ef794bb39b7c5d98bd198965c987089ca146c4dd.tar.gz
Don't allow proxies in the proto chain.
-rw-r--r--js/xpconnect/wrappers/AccessCheck.cpp14
1 files changed, 14 insertions, 0 deletions
diff --git a/js/xpconnect/wrappers/AccessCheck.cpp b/js/xpconnect/wrappers/AccessCheck.cpp
index 085e7100ef..d17c0629e1 100644
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -307,6 +307,20 @@ ExposedPropertiesOnly::check(JSContext* cx, HandleObject wrapper, HandleId id, W
// Unfortunately, |cx| can be in either compartment when we call ::check. :-(
JSAutoCompartment ac(cx, wrappedObject);
+ // Proxies are not allowed in the proto chain.
+ RootedObject o(cx, wrappedObject);
+ while (o) {
+ JSObject* unwrapped = js::IsWrapper(o) ? js::CheckedUnwrap(o, false) : o;
+ if (!unwrapped || js::IsProxy(unwrapped))
+ return false;
+
+ RootedObject p(cx);
+ if (!js::GetObjectProto(cx, o, &p))
+ return false;
+
+ o = p;
+ }
+
bool found = false;
if (!JS_HasPropertyById(cx, wrappedObject, exposedPropsId, &found))
return false;