Bug 1096267. Stop calling into the nsIInputStream overload of XMLHttpRequest.send() if a random object is passed in (except in chrome code, where we will keep doing that). r=smaug
authorBoris Zbarsky <bzbarsky@mit.edu>
Thu, 22 Sep 2016 16:58:37 +0100
changeset 357829 d29f9abbeaca6fe28bd493046b004fb91cd4332f
parent 357828 30a646a9a18c02cd3cb297f6edb79ad587e542bb
child 357830 755e16dfd05ab828fbfe0d79168c1f2cf256d75b
push id6795
push userjlund@mozilla.com
push dateMon, 23 Jan 2017 14:19:46 +0000
reviewerssmaug
bugs1096267
milestone52.0a1
Bug 1096267. Stop calling into the nsIInputStream overload of XMLHttpRequest.send() if a random object is passed in (except in chrome code, where we will keep doing that). r=smaug
dom/bindings/BindingUtils.cpp
dom/xhr/XMLHttpRequestMainThread.h
--- a/dom/bindings/BindingUtils.cpp
+++ b/dom/bindings/BindingUtils.cpp
@@ -3056,16 +3056,23 @@ UnwrapArgImpl(JS::Handle<JSObject*> src,
   if (iface) {
     if (NS_FAILED(iface->QueryInterface(iid, ppArg))) {
       return NS_ERROR_XPC_BAD_CONVERT_JS;
     }
 
     return NS_OK;
   }
 
+  // Only allow XPCWrappedJS stuff in system code.  Ideally we would remove this
+  // even there, but that involves converting some things to WebIDL callback
+  // interfaces and making some other things builtinclass...
+  if (!nsContentUtils::IsCallerChrome()) {
+    return NS_ERROR_XPC_BAD_CONVERT_JS;
+  }
+
   RefPtr<nsXPCWrappedJS> wrappedJS;
   nsresult rv = nsXPCWrappedJS::GetNewOrUsed(src, iid, getter_AddRefs(wrappedJS));
   if (NS_FAILED(rv) || !wrappedJS) {
     return rv;
   }
 
   // We need to go through the QueryInterface logic to make this return
   // the right thing for the various 'special' interfaces; e.g.
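Review bot: The new IsCallerChrome() gate at L44 should document that it is deliberately placed after the `iface` fast path, so that content can still pass genuine XPCOM-backed objects and only JS-implemented objects are refused; as written the comment explains why chrome keeps the path but not what content now gets. I would extend it with `// Content callers reach here only with a plain JS object; refusing it here (NS_ERROR_XPC_BAD_CONVERT_JS, same as a failed QI) keeps native callers from invoking content JS through an XPCWrappedJS that claims to implement an XPCOM interface.` The check relies on whatever nsContentUtils::IsCallerChrome() reads as the subject principal rather than on `src` itself, so it is presumably only correct when UnwrapArgImpl runs inside a binding entry point — worth confirming for any non-binding callers. UnwrapArgImpl starts and ends outside this hunk.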
--- a/dom/xhr/XMLHttpRequestMainThread.h
+++ b/dom/xhr/XMLHttpRequestMainThread.h
@@ -384,33 +384,16 @@ public:
     RequestBody<FormData> body(&aFormData);
     aRv = SendInternal(&body);
   }
 
   virtual void
   Send(JSContext* aCx, nsIInputStream* aStream, ErrorResult& aRv) override
   {
     NS_ASSERTION(aStream, "Null should go to string version");
-    nsCOMPtr<nsIXPConnectWrappedJS> wjs = do_QueryInterface(aStream);
-    if (wjs) {
-      JSObject* data = wjs->GetJSObject();
-      if (!data) {
-        aRv.Throw(NS_ERROR_DOM_TYPE_ERR);
-        return;
-      }
-      JS::Rooted<JS::Value> dataAsValue(aCx, JS::ObjectValue(*data));
-      nsAutoString dataAsString;
-      if (ConvertJSValueToString(aCx, dataAsValue, eNull,
-                                 eNull, dataAsString)) {
-        Send(aCx, dataAsString, aRv);
-      } else {
-        aRv.Throw(NS_ERROR_FAILURE);
-      }
-      return;
-    }
     RequestBody<nsIInputStream> body(aStream);
     aRv = SendInternal(&body);
   }
 
   void
   Abort() {
     ErrorResult rv;
     Abort(rv);
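Review bot: With the stringification fallback removed, a JS-implemented object that reaches this overload is now handed to `RequestBody<nsIInputStream>` and used as a real stream, which is a behaviour change for chrome callers that previously had such objects coerced to a string; the header says nothing about this. I would add above the `RequestBody` line: `// A JS-implemented stream only arrives here from chrome (content is rejected in UnwrapArgImpl); it is used as a real nsIInputStream, its methods called from native code, rather than stringified.` The remaining `NS_ASSERTION(aStream, ...)` is debug-only, so if the binding does not guarantee a non-null stream in release builds a `MOZ_ASSERT` or an explicit throw would be the safer guard.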