Bug 1065185 - Turn off indexed/.length access on COW arrays. r=bz
authorBobby Holley <bobbyholley@gmail.com>
Fri, 03 Oct 2014 10:05:52 +0200
changeset 208547 3bddc48c44073b037809a31496c11be10234e8e7
parent 208546 f816a5b9c4cc80c682370dc5cf29f864c5aeaf2c
child 208548 58012f4bb5f7d2dab5855bf121811a1a90d56311
reviewersbz
bugs1065185
milestone35.0a1
Bug 1065185 - Turn off indexed/.length access on COW arrays. r=bz
js/xpconnect/wrappers/AccessCheck.cpp
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -243,26 +243,31 @@ ExposedPropertiesOnly::check(JSContext *
     //
     // Unfortunately, |cx| can be in either compartment when we call ::check. :-(
     JSAutoCompartment ac(cx, wrappedObject);
 
     bool found = false;
     if (!JS_HasPropertyById(cx, wrappedObject, exposedPropsId, &found))
         return false;
 
-    // Always permit access to "length" and indexed properties of arrays.
-    if ((JS_IsArrayObject(cx, wrappedObject) ||
-         JS_IsTypedArrayObject(wrappedObject)) &&
-        ((JSID_IS_INT(id) && JSID_TO_INT(id) >= 0) ||
-         (JSID_IS_STRING(id) && JS_FlatStringEqualsAscii(JSID_TO_FLAT_STRING(id), "length")))) {
-        return true; // Allow
-    }
-
     // If no __exposedProps__ existed, deny access.
     if (!found) {
+        // Previously we automatically granted access to indexed properties and
+        // .length for Array COWs. We're not doing that anymore, so make sure to
+        // let people know what's going on.
+        bool isArray = JS_IsArrayObject(cx, wrappedObject) || JS_IsTypedArrayObject(wrappedObject);
+        bool isIndexedAccessOnArray = isArray && JSID_IS_INT(id) && JSID_TO_INT(id) >= 0;
+        bool isLengthAccessOnArray = isArray && JSID_IS_STRING(id) &&
+                                     JS_FlatStringEqualsAscii(JSID_TO_FLAT_STRING(id), "length");
+        if (isIndexedAccessOnArray || isLengthAccessOnArray) {
+            JSAutoCompartment ac2(cx, wrapper);
+            ReportWrapperDenial(cx, id, WrapperDenialForCOW,
+                                "Access to elements and length of privileged Array not permitted");
+        }
+
         return false;
     }
 
     if (id == JSID_VOID)
         return true;
 
     RootedValue exposedProps(cx);
     if (!JS_LookupPropertyById(cx, wrappedObject, exposedPropsId, &exposedProps))
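Review bot: The new denial branch at the `if (isIndexedAccessOnArray || isLengthAccessOnArray)` block discards the result of ReportWrapperDenial and then returns false unconditionally, so the deny holds whether or not the report succeeded, but the comment does not say that this block is diagnostic-only; a line such as `// Diagnostic only: access is denied below regardless of whether the report succeeds.` would make the security contract explicit for the next reader. The warning is also emitted only when no __exposedProps__ exists; an Array COW that does carry __exposedProps__ but lists neither indices nor "length" now falls through to the lookup below the hunk, where the loss of the former automatic grant is not signalled, which is presumably intended but deserves a sentence in the comment. As a minor point of style, `isArray` is computed for every denied access even when `id` is neither an int nor a string, so testing the id kind first would let the cheaper checks short-circuit. ExposedPropertiesOnly::check begins before and continues after this hunk.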