[Pkg-mozext-commits] [greasemonkey] 25/43: Fix GM_listValues() by passing only plain strings.

David Prévot taffit at moszumanska.debian.org
Sun Feb 22 21:56:11 UTC 2015 

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository greasemonkey.

commit 283259740e0405b81627d58ce4e5667f10509b69
Author: Anthony Lieuallen <arantius at gmail.com>
Date:   Fri Nov 21 11:52:37 2014 -0500

    Fix GM_listValues() by passing only plain strings.
    
    Plain strings can cross security boundaries without issues.  So in privileged scope return (JSON.stringify()ed) just a string, then in the sandbox scope decode that string.
    
    Refs #2004
---
 modules/sandbox.js      | 7 ++++++-
 modules/storageFront.js | 6 +-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/modules/sandbox.js b/modules/sandbox.js
index c932a37..0907f98 100644
--- a/modules/sandbox.js
+++ b/modules/sandbox.js
@@ -111,7 +111,12 @@ function createSandbox(aScript, aScriptRunner, aMessageManager) {
   }
 
   if (GM_util.inArray(aScript.grants, 'GM_listValues')) {
-    sandbox.GM_listValues = GM_util.hitch(scriptStorage, 'listValues');
+    // Return plain (JSON) string from chrome, parse it in the sandbox,
+    // to avoid issues with objects (Array) crossing security boundaries.
+    sandbox._GM_listValues = GM_util.hitch(scriptStorage, 'listValues');
+    Components.utils.evalInSandbox(
+        'function GM_listValues() { return JSON.parse(_GM_listValues()); }',
+        sandbox);
   }
 
   if (GM_util.inArray(aScript.grants, 'GM_openInTab')) {
diff --git a/modules/storageFront.js b/modules/storageFront.js
index 03fd414..1bb6e82 100644
--- a/modules/storageFront.js
+++ b/modules/storageFront.js
@@ -81,11 +81,7 @@ GM_ScriptStorageFront.prototype.listValues = function() {
   var value = this._messageManager.sendSyncMessage(
       'greasemonkey:scriptVal-list',
       {scriptId: this._script.id});
-  value = value.length && value[0] || [];
-  // See #1637.
-  var vals = Array.prototype.slice.call(value);
-  vals.__exposedProps__ = {'length': 'r'};
-  return vals;
+  return JSON.stringify(value.length && value[0] || []);
 };
 
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/greasemonkey.git

More information about the Pkg-mozext-commits mailing list