[Pkg-mozext-commits] [greasemonkey] 25/43: Fix GM_listValues() by passing only plain strings.
David Prévot
taffit at moszumanska.debian.org
Sun Feb 22 21:56:11 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository greasemonkey.
commit 283259740e0405b81627d58ce4e5667f10509b69
Author: Anthony Lieuallen <arantius at gmail.com>
Date: Fri Nov 21 11:52:37 2014 -0500
Fix GM_listValues() by passing only plain strings.
Plain strings can cross security boundaries without issues. So in privileged scope return (JSON.stringify()ed) just a string, then in the sandbox scope decode that string.
Refs #2004
---
modules/sandbox.js | 7 ++++++-
modules/storageFront.js | 6 +-----
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/modules/sandbox.js b/modules/sandbox.js
index c932a37..0907f98 100644
--- a/modules/sandbox.js
+++ b/modules/sandbox.js
@@ -111,7 +111,12 @@ function createSandbox(aScript, aScriptRunner, aMessageManager) {
}
if (GM_util.inArray(aScript.grants, 'GM_listValues')) {
- sandbox.GM_listValues = GM_util.hitch(scriptStorage, 'listValues');
+ // Return plain (JSON) string from chrome, parse it in the sandbox,
+ // to avoid issues with objects (Array) crossing security boundaries.
+ sandbox._GM_listValues = GM_util.hitch(scriptStorage, 'listValues');
+ Components.utils.evalInSandbox(
+ 'function GM_listValues() { return JSON.parse(_GM_listValues()); }',
+ sandbox);
}
if (GM_util.inArray(aScript.grants, 'GM_openInTab')) {
diff --git a/modules/storageFront.js b/modules/storageFront.js
index 03fd414..1bb6e82 100644
--- a/modules/storageFront.js
+++ b/modules/storageFront.js
@@ -81,11 +81,7 @@ GM_ScriptStorageFront.prototype.listValues = function() {
var value = this._messageManager.sendSyncMessage(
'greasemonkey:scriptVal-list',
{scriptId: this._script.id});
- value = value.length && value[0] || [];
- // See #1637.
- var vals = Array.prototype.slice.call(value);
- vals.__exposedProps__ = {'length': 'r'};
- return vals;
+ return JSON.stringify(value.length && value[0] || []);
};
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/greasemonkey.git
More information about the Pkg-mozext-commits
mailing list