Bug 1065185 - Turn off indexed/.length access on COW arrays. r=bz
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -243,26 +243,31 @@ ExposedPropertiesOnly::check(JSContext *
//
// Unfortunately, |cx| can be in either compartment when we call ::check. :-(
JSAutoCompartment ac(cx, wrappedObject);
bool found = false;
if (!JS_HasPropertyById(cx, wrappedObject, exposedPropsId, &found))
return false;
- // Always permit access to "length" and indexed properties of arrays.
- if ((JS_IsArrayObject(cx, wrappedObject) ||
- JS_IsTypedArrayObject(wrappedObject)) &&
- ((JSID_IS_INT(id) && JSID_TO_INT(id) >= 0) ||
- (JSID_IS_STRING(id) && JS_FlatStringEqualsAscii(JSID_TO_FLAT_STRING(id), "length")))) {
- return true; // Allow
- }
-
// If no __exposedProps__ existed, deny access.
if (!found) {
+ // Previously we automatically granted access to indexed properties and
+ // .length for Array COWs. We're not doing that anymore, so make sure to
+ // let people know what's going on.
+ bool isArray = JS_IsArrayObject(cx, wrappedObject) || JS_IsTypedArrayObject(wrappedObject);
+ bool isIndexedAccessOnArray = isArray && JSID_IS_INT(id) && JSID_TO_INT(id) >= 0;
+ bool isLengthAccessOnArray = isArray && JSID_IS_STRING(id) &&
+ JS_FlatStringEqualsAscii(JSID_TO_FLAT_STRING(id), "length");
+ if (isIndexedAccessOnArray || isLengthAccessOnArray) {
+ JSAutoCompartment ac2(cx, wrapper);
+ ReportWrapperDenial(cx, id, WrapperDenialForCOW,
+ "Access to elements and length of privileged Array not permitted");
+ }
+
return false;
}
if (id == JSID_VOID)
return true;
RootedValue exposedProps(cx);
if (!JS_LookupPropertyById(cx, wrappedObject, exposedPropsId, &exposedProps))
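Review bot: The comment added at the top of the `if (!found)` branch records what the code used to do, but not the invariant that now matters: an Array or typed-array COW without `__exposedProps__` gets no implicit access, and the new block only reports the denial. I would word it as `// Array COWs get no implicit access to elements or .length; this block only reports the denial and must fall through to return false.` so that a later edit does not turn the diagnostic into an allow path. The message passed to `ReportWrapperDenial` could also point the author at the way to expose the data deliberately, since as written it says what was refused but not what to do about it. `ExposedPropertiesOnly::check` starts before and continues past this hunk, so the `__exposedProps__` lookup that follows is not reviewed here.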