diff --git a/mozilla/caps/src/nsScriptSecurityManager.cpp b/mozilla/caps/src/nsScriptSecurityManager.cpp
index c32f40e90dc..2ed3c8cd2d7 100644
--- a/mozilla/caps/src/nsScriptSecurityManager.cpp
+++ b/mozilla/caps/src/nsScriptSecurityManager.cpp
@@ -457,9 +457,9 @@ nsScriptSecurityManager::CheckObjectAccess(JSContext *cx, JSObject *obj,
 JSObject* target = JSVAL_IS_PRIMITIVE(*vp) ? obj : JSVAL_TO_OBJECT(*vp);
 // Do the same-origin check -- this sets a JS exception if the check fails.
- // Pass the target object's class name, as we have no class-info for it.
+ // Pass the parent object's class name, as we have no class-info for it.
 nsresult rv =
- ssm->CheckPropertyAccess(cx, target, JS_GetClass(cx, target)->name, id,
+ ssm->CheckPropertyAccess(cx, target, JS_GetClass(cx, obj)->name, id,
 nsIXPCSecurityManager::ACCESS_GET_PROPERTY);
 if (NS_FAILED(rv))
diff --git a/mozilla/js/src/jsinterp.c b/mozilla/js/src/jsinterp.c
index 64321e82783..2d779de3abe 100644
--- a/mozilla/js/src/jsinterp.c
+++ b/mozilla/js/src/jsinterp.c
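Review bot: The rewritten comment above the CheckPropertyAccess call no longer explains why the object being checked and the class name now differ: the access is checked on `target`, which is the property's value whenever `*vp` is an object (the `JSVAL_IS_PRIMITIVE(*vp) ? obj : JSVAL_TO_OBJECT(*vp)` line), while the policy is now looked up by `obj`'s class, so the two only coincide for primitive values. I would replace the comment with `// Check access to |target| (the value of obj.id), but key the policy lookup by |obj|'s class name: |id| names a property of |obj|, and we have no class-info for |target| here.` The phrase "class-info" presumably means nsIClassInfo; if so, naming it would make the comment much less opaque to the next reader. CheckObjectAccess begins before this hunk, so the roles of |vp| and |id| are inferred from their names rather than visible here.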
@@ -951,8 +951,25 @@ JSBool
 js_InternalGetOrSet(JSContext *cx, JSObject *obj, jsid id, jsval fval,
 JSAccessMode mode, uintN argc, jsval *argv, jsval *rval)
 {
+ /*
+ * Check general (not object-ops/class-specific) access from the running
+ * script to obj.id only if id has a scripted getter or setter that we're
+ * about to invoke. If we don't check this case, nothing else will -- no
+ * other native code has the chance to check.
+ *
+ * Contrast this non-native (scripted) case with native getter and setter
+ * accesses, where the native itself must do an acess check, if security
+ * policies requires it. We make a checkAccess or checkObjectAccess call
+ * back to the embedding program only in those cases where we're not going
+ * to call an embedding-defined native function, getter, setter, or class
+ * hook anyway. Where we do call such a native, there's no need for the
+ * engine to impose a separate access check callback on all embeddings --
+ * many embeddings have no security policy at all.
+ */
 JS_ASSERT(mode == JSACC_READ || mode == JSACC_WRITE);
 if (cx->runtime->checkObjectAccess &&
+ JSVAL_IS_FUNCTION(cx, fval) &&
+ ((JSFunction *) JS_GetPrivate(cx, JSVAL_TO_OBJECT(fval)))->script &&
 !cx->runtime->checkObjectAccess(cx, obj, ID_TO_VALUE(id), mode, &fval)) {
 return JS_FALSE;