Bug 1552004 - dont' use "eval" in the OTR code. r=mkmelin
authorKai Engert <kaie@kuix.de>
Tue, 04 Jun 2019 22:58:39 +0200
changeset 35770 0cddb77c70798d62b4d355c31e073fdb302a293f
parent 35769 fe88d825d3c671d9b24f56f1477e30302c7cebca
child 35771 b12420c26104dd203307856e5086cb3139493c89
push id392
push userclokep@gmail.com
push dateMon, 02 Sep 2019 20:17:19 +0000
reviewersmkmelin
bugs1552004
Bug 1552004 - don't use "eval" in the OTR code. r=mkmelin Differential Revision: https://phabricator.services.mozilla.com/D32839
chat/content/otrWorker.js
chat/modules/OTR.jsm
--- a/chat/content/otrWorker.js
+++ b/chat/content/otrWorker.js
@@ -3,19 +3,17 @@
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* eslint-env mozilla/chrome-worker, node */
 importScripts("resource://gre/modules/workers/require.js");
 var PromiseWorker = require("resource://gre/modules/workers/PromiseWorker.js");
 var Funcs = {};
 
 // Only what we need from libotr.js
-Funcs.generateKey = function(path, otrl_version, newkeySource) {
-  // eslint-disable-next-line no-eval
-  let newkey = eval(newkeySource);  // jshint ignore:line
+Funcs.generateKey = function(path, otrl_version, address) {
   let libotr = ctypes.open(path);
 
   let abi = ctypes.default_abi;
   let gcry_error_t = ctypes.unsigned_int;
 
   // Initialize the OTR library. Pass the version of the API you are using.
   let otrl_init = libotr.declare(
     "otrl_init", abi, gcry_error_t,
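Review bot: The new `address` parameter of `Funcs.generateKey` is undocumented, and the name alone does not tell a reader what format the worker expects or that the value ends up as a raw pointer. Judging by the regex on the sending side in OTR.jsm, it is the hex digits of the `newkey` pointer without the `0x` prefix. A comment above the function would record that, for example `// address: hex digits (no "0x" prefix) of the newkey pointer from otrl_privkey_generate_start`. The function body continues past this hunk.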
@@ -26,16 +24,18 @@ Funcs.generateKey = function(path, otrl_
   // background thread.  When it completes, call
   // otrl_privkey_generate_finish from the _main_ thread.
   let otrl_privkey_generate_calculate = libotr.declare(
     "otrl_privkey_generate_calculate", abi, gcry_error_t,
     ctypes.void_t.ptr
   );
 
   otrl_init.apply(libotr, otrl_version);
+
+  let newkey = ctypes.voidptr_t(ctypes.UInt64("0x" + address));
   let err = otrl_privkey_generate_calculate(newkey);
   libotr.close();
   if (err)
     throw new Error("otrl_privkey_generate_calculate (" + err + ")");
 };
 
 var worker = new PromiseWorker.AbstractWorker();
 
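Review bot: The added `ctypes.voidptr_t(ctypes.UInt64("0x" + address))` runs after `ctypes.open(path)` (previous hunk) and before `libotr.close()`, so if the conversion throws on a malformed `address` the library handle is presumably never closed. The worker also does not check the string itself before handing the resulting pointer to native code; the only format check visible is the regex in OTR.jsm. I would move the conversion to the top of the function, ahead of `ctypes.open(path)`, behind a guard such as `if (typeof address !== "string" || !/^[0-9a-fA-F]+$/.test(address)) throw new Error("generateKey: invalid address");`. The function starts in the previous hunk.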
--- a/chat/modules/OTR.jsm
+++ b/chat/modules/OTR.jsm
@@ -177,19 +177,34 @@ var OTR = {
   // generate a private key in a worker
   generatePrivateKey(account, protocol) {
     let newkey = new ctypes.void_t.ptr();
     let err = OTRLib.otrl_privkey_generate_start(
       OTR.userstate, account, protocol, newkey.address()
     );
     if (err || newkey.isNull())
       return Promise.reject("otrl_privkey_generate_start (" + err + ")");
+
+    let keyPtrSrc = newkey.toSource();
+    let re = new RegExp(
+      "^ctypes\\.voidptr_t\\(ctypes\\.UInt64\\(\"0x([0-9a-fA-F]+)\"\\)\\)$");
+    let address;
+    let match = re.exec(keyPtrSrc);
+    if (match) {
+      address = match[1];
+    }
+
+    if (!address) {
+      OTRLib.otrl_privkey_generate_cancelled(OTR.userstate, newkey);
+      throw new Error("generatePrivateKey failed to parse ptr.toSource(): " + keyPtrSrc);
+    }
+
     let worker = new BasePromiseWorker(workerPath);
     return worker.post("generateKey", [
-      OTRLib.path, OTRLib.otrl_version, newkey.toSource(),
+      OTRLib.path, OTRLib.otrl_version, address,
     ]).then(function() {
       let err = OTRLib.otrl_privkey_generate_finish(
         OTR.userstate, newkey, OTR.privateKeyPath
       );
       if (err)
         throw new Error("otrl_privkey_generate_calculate (" + err + ")");
     }).catch(function(err) {
       if (!newkey.isNull())
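Review bot: The parse-failure branch uses `throw new Error(...)` while the failure branch just above it returns `Promise.reject(...)`, so generatePrivateKey now reports errors on two channels. A caller that only attaches `.catch()` to the returned promise will not see the new one. `return Promise.reject(new Error("generatePrivateKey failed to parse ptr.toSource(): " + keyPtrSrc));` keeps it on the promise. The message also embeds the raw `toSource()` text, which may carry a pointer value into logs, so consider dropping it. The function continues past the end of this hunk.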