Bug 674597 - abort if attempting to create an xpcom proxy for wrapped JS (r=bsmedberg)
authorLuke Wagner <luke@mozilla.com>
Thu, 28 Jul 2011 13:41:24 -0700
changeset 74216 be91fb29d950eb712abcb26929423872de68ca42
parent 74215 0cf822d12c64a1bc22782330a961c72fd34219d0
child 74217 d856045de3bcf09033fcd7fde1a94beb795d73c4
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
reviewersbsmedberg
bugs674597
milestone8.0a1
Bug 674597 - abort if attempting to create an xpcom proxy for wrapped JS (r=bsmedberg)
xpcom/proxy/src/nsProxyObjectManager.cpp
--- a/xpcom/proxy/src/nsProxyObjectManager.cpp
+++ b/xpcom/proxy/src/nsProxyObjectManager.cpp
@@ -47,16 +47,17 @@
  * ***** END LICENSE BLOCK ***** */
 
 #include "nsProxyEventPrivate.h"
 
 #include "nsIComponentManager.h"
 #include "nsIProxyObjectManager.h"
 #include "nsIServiceManager.h"
 #include "nsIThread.h"
+#include "nsIXPConnect.h"
 
 #include "nsCOMPtr.h"
 #include "nsThreadUtils.h"
 #include "xptiprivate.h"
 
 using namespace mozilla;
 
 #ifdef PR_LOGGING
@@ -203,16 +204,24 @@ nsProxyObjectManager::GetProxyForObject(
     nsCOMPtr<nsIThread> thread;
     if (aTarget == NS_PROXY_TO_CURRENT_THREAD) {
       aTarget = NS_GetCurrentThread();
     } else if (aTarget == NS_PROXY_TO_MAIN_THREAD) {
       thread = do_GetMainThread();
       aTarget = thread.get();
     }
 
+    if (nsCOMPtr<nsIXPConnectWrappedJS> wjs = do_QueryInterface(aObj)) {
+      // Only proxy wrapped JS from the main thread to the main thread
+      if (!NS_IsMainThread() || aTarget != NS_GetCurrentThread()) {
+        NS_ABORT_IF_FALSE(false, "GetProxyForObject on wrapped JS not allowed");
+        return NS_ERROR_FAILURE;
+      }
+    }
+
     // check to see if the target is on our thread.  If so, just return the
     // real object.
     
     if (!(proxyType & NS_PROXY_ASYNC) && !(proxyType & NS_PROXY_ALWAYS))
     {
         PRBool result;
         aTarget->IsOnCurrentThread(&result);