[Pkg-mozext-commits] [greasemonkey] 04/13: Fix GM_xmlhttpRequest callback access.

David Prévot taffit at moszumanska.debian.org
Thu Jul 17 20:10:00 UTC 2014


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository greasemonkey.

commit 0a7d8e9685b6bdc8893385eb6b6a877811dc61ba
Author: Anthony Lieuallen <arantius at gmail.com>
Date:   Tue Jul 8 13:55:59 2014 -0400

    Fix GM_xmlhttpRequest callback access.
    
    This was broken in Greasemonkey 2.0.
    
    Fixes #1937
---
 components/greasemonkey.js  |  2 +-
 modules/xmlhttprequester.js | 17 ++++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/components/greasemonkey.js b/components/greasemonkey.js
index 01956fd..e9623bc 100644
--- a/components/greasemonkey.js
+++ b/components/greasemonkey.js
@@ -153,7 +153,7 @@ function createSandbox(
   }
   if (GM_util.inArray(aScript.grants, 'GM_xmlhttpRequest')) {
     sandbox.GM_xmlhttpRequest = GM_util.hitch(
-        new GM_xmlhttpRequester(aContentWin, aChromeWin, aUrl),
+        new GM_xmlhttpRequester(aContentWin, aChromeWin, aUrl, sandbox),
         'contentStartRequest');
   }
 
diff --git a/modules/xmlhttprequester.js b/modules/xmlhttprequester.js
index 57f1978..010cd28 100644
--- a/modules/xmlhttprequester.js
+++ b/modules/xmlhttprequester.js
@@ -2,10 +2,13 @@ var EXPORTED_SYMBOLS = ['GM_xmlhttpRequester'];
 
 Components.utils.import("resource://greasemonkey/util.js");
 
-function GM_xmlhttpRequester(wrappedContentWin, chromeWindow, originUrl) {
+function GM_xmlhttpRequester(
+    wrappedContentWin, chromeWindow, originUrl, sandbox
+) {
   this.wrappedContentWin = wrappedContentWin;
   this.chromeWindow = chromeWindow;
   this.originUrl = originUrl;
+  this.sandboxPrincipal = Components.utils.getObjectPrincipal(sandbox);
 }
 
 // this function gets called by user scripts in content security scope to
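Review bot: `Components.utils.getObjectPrincipal(sandbox)` in the constructor is called without checking that `sandbox` was supplied, so a caller still using the three-argument form would presumably throw at construction time. Only the call in components/greasemonkey.js is updated in this commit; other callers, if any, are not visible here. A guard such as `if (!sandbox) throw new Error('GM_xmlhttpRequester requires the script sandbox');` makes that failure explicit. The assignment also deserves a comment stating the assumption the later check depends on, e.g. `// Must be the user script's sandbox; callbacks are accepted only if their principal equals this one, so it has to differ from the page's.` Whether the sandbox is in fact created with a principal distinct from the content window's cannot be confirmed from this diff.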
@@ -160,7 +163,15 @@ function(details, req) {
 // window's security context.
 GM_xmlhttpRequester.prototype.setupRequestEvent =
 function(wrappedContentWin, req, event, details) {
-  if (!details["on" + event]) return;
+  // Waive Xrays so that we can read callback function properties ...
+  details = Components.utils.waiveXrays(details);
+  var eventCallback = details["on" + event];
+  if (!eventCallback) return;
+
+  // ... but ensure that the callback came from a script, not content, by
+  // checking that its principal equals that of the sandbox.
+  var callbackPrincipal = Components.utils.getObjectPrincipal(eventCallback);
+  if (!this.sandboxPrincipal.equals(callbackPrincipal)) return;
 
   req.addEventListener(event, function(evt) {
     var responseState = {
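Review bot: In setupRequestEvent, `eventCallback` is only tested for truthiness before it is handed to `Components.utils.getObjectPrincipal`, so a truthy non-function value such as a string reaches the principal lookup and presumably raises an exception instead of being ignored. Adding `if (typeof eventCallback != 'function') return;` before the principal check keeps that failure mode predictable. The principal mismatch itself returns silently, which hides both script-author mistakes and the very case the check exists for; a `Components.utils.reportError(...)` call on that branch would leave a trace in the error console. Reassigning `details` to the waived object also means any later use in this function sees the un-Xrayed view, so a separate local (`var unsafeDetails = Components.utils.waiveXrays(details);`) would confine the waiver to the callback lookup. The function body continues outside this hunk.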
@@ -229,6 +240,6 @@ function(wrappedContentWin, req, event, details) {
     // otherwise details[event].apply can point to window.setTimeout, which
     // can be abused to get increased privileges.
     new XPCNativeWrapper(wrappedContentWin, "setTimeout()")
-      .setTimeout(function(){ details["on" + event](responseState); }, 0);
+      .setTimeout(function(){ eventCallback(responseState); }, 0);
   }, false);
 };
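Review bot: The switch to the captured `eventCallback` inside the `setTimeout` closure deserves a comment, because it is what keeps the principal check meaningful. The old `details["on" + event]` lookup re-read the property at dispatch time, which would now be after the check has run. A line such as `// Call the reference that passed the principal check; do not re-read details here.` above the `.setTimeout` call would stop a later edit from reintroducing the lookup. The enclosing listener starts outside this hunk.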

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/greasemonkey.git


