Bug 965921 - Handle addons that expose JS-implemented XPCOM components to content. r=mrbkap, a=sledru
author Bobby Holley <bobbyholley@gmail.com>
Mon, 10 Feb 2014 10:27:24 -0800
changeset 182807 5e88c90d7fe752cf139ca6ca7efbd44827d2f3bc
parent 182806 546fa9fbaa1a40220ea154ce7f2563f8eab166b0
child 182808 0949e63d93c2c91092b55b12714d1ba0e80aac5d
push id 3343
push user ffxbld
push date Mon, 17 Mar 2014 21:55:32 +0000
treeherder mozilla-beta@2f7d3415f79f
reviewers mrbkap, sledru
bugs 965921
milestone 29.0a2
js/xpconnect/src/XPCWrappedNativeJSOps.cpp
--- a/js/xpconnect/src/XPCWrappedNativeJSOps.cpp
+++ b/js/xpconnect/src/XPCWrappedNativeJSOps.cpp
@@ -150,19 +150,22 @@ XPC_WN_DoubleWrappedGetter(JSContext *cx
     if (!realObject) {
         // This is pretty unexpected at this point. The object originally
         // responded to this get property call and now gives no object.
         // XXX Should this throw something at the caller?
         args.rval().setNull();
         return true;
     }
 
-    // It is a double wrapped object. This should never appear in content these
-    // days, but let's be safe here.
-    MOZ_RELEASE_ASSERT(nsContentUtils::IsCallerChrome());
+    // It is a double wrapped object. This should really never appear in
+    // content these days, but addons still do it - see bug 965921.
+    if (MOZ_UNLIKELY(!nsContentUtils::IsCallerChrome())) {
+        JS_ReportError(cx, "Attempt to use .wrappedJSObject in untrusted code");
+        return false;
+    }
     args.rval().setObject(*realObject);
     return JS_WrapValue(cx, args.rval());
 }
 
 /***************************************************************************/
 
 // This is our shared function to define properties on our JSObjects.
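Review bot: The new IsCallerChrome() check sits below the `if (!realObject)` early return, so on that path an untrusted caller still gets a silent null with `return true`, while on the other path it gets the new exception. Consider hoisting the caller check above the realObject branch so content sees the same failure regardless of whether the underlying object resolved. The visible change also carries no test for the non-chrome path; a test in which content reads .wrappedJSObject on a JS-implemented component exposed by an addon, and expects a thrown error rather than a crash or a returned object, would pin down the behaviour that replaces the MOZ_RELEASE_ASSERT. A smaller point: the JS_ReportError text does not say which object was involved, which will make addon-side reports harder to triage.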