[tor-commits] [tor-browser/tor-browser-24.7.0esr-4.x-2] fixup! Bug #2874. Remove the Components shim introduced by Mozilla Bug #790732.

mikeperry at torproject.org mikeperry at torproject.org
Wed Aug 20 04:03:15 UTC 2014


commit b81169268271e65b897e4df2a1f58dd2718af1c7
Author: Arthur Edelstein <arthuredelstein at gmail.com>
Date:   Tue Aug 12 15:14:39 2014 -0700

    fixup! Bug #2874. Remove the Components shim introduced by Mozilla Bug #790732.
    
    Includes a regression test to ensure the window.Components object is not
    exposed to untrusted content.
---
 dom/base/nsDOMClassInfo.cpp                        |   98 --------------------
 js/xpconnect/tests/mochitest/Makefile.in           |    3 +-
 js/xpconnect/tests/mochitest/file_bug790732.html   |   56 -----------
 js/xpconnect/tests/mochitest/test_bug790732.html   |   46 ---------
 js/xpconnect/tests/mochitest/test_tor_bug2874.html |   25 +++++
 toolkit/components/telemetry/Histograms.json       |    4 -
 6 files changed, 26 insertions(+), 206 deletions(-)

diff --git a/dom/base/nsDOMClassInfo.cpp b/dom/base/nsDOMClassInfo.cpp
index e5fcebf..2a9d5a8 100644
--- a/dom/base/nsDOMClassInfo.cpp
+++ b/dom/base/nsDOMClassInfo.cpp
@@ -4282,98 +4282,6 @@ LocationSetterUnwrapper(JSContext *cx, JS::Handle<JSObject*> obj_, JS::Handle<js
   return LocationSetter<nsIDOMWindow>(cx, obj, id, strict, vp);
 }
 
-struct InterfaceShimEntry {
-  const char *geckoName;
-  const char *domName;
-};
-
-// We add shims from Components.interfaces.nsIDOMFoo to window.Foo for each
-// interface that has interface constants that sites might be getting off
-// of Ci.
-const InterfaceShimEntry kInterfaceShimMap[] =
-{ { "nsIDOMFileReader", "FileReader" },
-  { "nsIXMLHttpRequest", "XMLHttpRequest" },
-  { "nsIDOMDOMException", "DOMException" },
-  { "nsIDOMNode", "Node" },
-  { "nsIDOMUserDataHandler", "UserDataHandler" },
-  { "nsIDOMCSSPrimitiveValue", "CSSPrimitiveValue" },
-  { "nsIDOMCSSRule", "CSSRule" },
-  { "nsIDOMCSSValue", "CSSValue" },
-  { "nsIDOMEvent", "Event" },
-  { "nsIDOMNSEvent", "Event" },
-  { "nsIDOMKeyEvent", "KeyEvent" },
-  { "nsIDOMMouseEvent", "MouseEvent" },
-  { "nsIDOMMouseScrollEvent", "MouseScrollEvent" },
-  { "nsIDOMMutationEvent", "MutationEvent" },
-  { "nsIDOMSimpleGestureEvent", "SimpleGestureEvent" },
-  { "nsIDOMUIEvent", "UIEvent" },
-  { "nsIDOMGeoPositionError", "GeoPositionError" },
-  { "nsIDOMHTMLMediaElement", "HTMLMediaElement" },
-  { "nsIDOMMediaError", "MediaError" },
-  { "nsIDOMLoadStatus", "LoadStatus" },
-  { "nsIDOMOfflineResourceList", "OfflineResourceList" },
-  { "nsIDOMRange", "Range" },
-  { "nsIDOMSVGFETurbulenceElement", "SVGFETurbulenceElement" },
-  { "nsIDOMSVGFEMorphologyElement", "SVGFEMorphologyElement" },
-  { "nsIDOMSVGFEConvolveMatrixElement", "SVGFEConvolveMatrixElement" },
-  { "nsIDOMSVGFEDisplacementMapElement", "SVGFEDisplacementMapElement" },
-  { "nsIDOMSVGLength", "SVGLength" },
-  { "nsIDOMSVGUnitTypes", "SVGUnitTypes" },
-  { "nsIDOMNodeFilter", "NodeFilter" },
-  { "nsIDOMXPathNamespace", "XPathNamespace" },
-  { "nsIDOMXPathResult", "XPathResult" },
-  { "nsIDOMXULButtonElement", "XULButtonElement" },
-  { "nsIDOMXULCheckboxElement", "XULCheckboxElement" },
-  { "nsIDOMXULPopupElement", "XULPopupElement" } };
-
-static nsresult
-DefineComponentsShim(JSContext *cx, JS::HandleObject global)
-{
-  // Keep track of how often this happens.
-  Telemetry::Accumulate(Telemetry::COMPONENTS_SHIM_ACCESSED_BY_CONTENT, true);
-
-  // Create a fake Components object.
-  JS::Rooted<JSObject*> components(cx, JS_NewObject(cx, nullptr, nullptr, global));
-  NS_ENSURE_TRUE(components, NS_ERROR_OUT_OF_MEMORY);
-  bool ok = JS_DefineProperty(cx, global, "Components", JS::ObjectValue(*components),
-                              JS_PropertyStub, JS_StrictPropertyStub, JSPROP_ENUMERATE);
-  NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
-
-  // Create a fake interfaces object.
-  JS::Rooted<JSObject*> interfaces(cx, JS_NewObject(cx, nullptr, nullptr, global));
-  NS_ENSURE_TRUE(interfaces, NS_ERROR_OUT_OF_MEMORY);
-  ok = JS_DefineProperty(cx, components, "interfaces", JS::ObjectValue(*interfaces),
-                         JS_PropertyStub, JS_StrictPropertyStub,
-                         JSPROP_ENUMERATE | JSPROP_PERMANENT | JSPROP_READONLY);
-  NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
-
-  // Define a bunch of shims from the Ci.nsIDOMFoo to window.Foo for DOM
-  // interfaces with constants.
-  for (uint32_t i = 0; i < ArrayLength(kInterfaceShimMap); ++i) {
-
-    // Grab the names from the table.
-    const char *geckoName = kInterfaceShimMap[i].geckoName;
-    const char *domName = kInterfaceShimMap[i].domName;
-
-    // Look up the appopriate interface object on the global.
-    JS::Rooted<JS::Value> v(cx, JS::UndefinedValue());
-    ok = JS_GetProperty(cx, global, domName, v.address());
-    NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
-    if (!v.isObject()) {
-      NS_WARNING("Unable to find interface object on global");
-      continue;
-    }
-
-    // Define the shim on the interfaces object.
-    ok = JS_DefineProperty(cx, interfaces, geckoName, v,
-                           JS_PropertyStub, JS_StrictPropertyStub,
-                           JSPROP_ENUMERATE | JSPROP_PERMANENT | JSPROP_READONLY);
-    NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
-  }
-
-  return NS_OK;
-}
-
 NS_IMETHODIMP
 nsWindowSH::NewResolve(nsIXPConnectWrappedNative *wrapper, JSContext *cx,
                        JSObject *obj_, jsid id_, uint32_t flags,
@@ -4386,12 +4294,6 @@ nsWindowSH::NewResolve(nsIXPConnectWrappedNative *wrapper, JSContext *cx,
     return NS_OK;
   }
 
-  MOZ_ASSERT(*_retval == true); // guaranteed by XPC_WN_Helper_NewResolve
-  if (id == XPCJSRuntime::Get()->GetStringID(XPCJSRuntime::IDX_COMPONENTS)) {
-    *objp = obj;
-    return DefineComponentsShim(cx, obj);
-  }
-
   nsGlobalWindow *win = nsGlobalWindow::FromWrapper(wrapper);
   MOZ_ASSERT(win->IsInnerWindow());
 
diff --git a/js/xpconnect/tests/mochitest/Makefile.in b/js/xpconnect/tests/mochitest/Makefile.in
index e3e1b63..666d1e2 100644
--- a/js/xpconnect/tests/mochitest/Makefile.in
+++ b/js/xpconnect/tests/mochitest/Makefile.in
@@ -80,8 +80,6 @@ MOCHITEST_FILES =	chrome_wrappers_helper.html \
 		file_bug781476.html \
 		test_bug785096.html \
 		test_bug789713.html \
-		test_bug790732.html \
-		file_bug790732.html \
 		test_bug793969.html \
 		file_bug795275.html \
 		file_bug795275.xml \
@@ -101,6 +99,7 @@ MOCHITEST_FILES =	chrome_wrappers_helper.html \
 		test_crosscompartment_weakmap.html \
 		test_asmjs.html \
 		file_asmjs.js \
+		test_tor_bug2874.html \
 		$(NULL)
 
 include $(topsrcdir)/config/rules.mk
diff --git a/js/xpconnect/tests/mochitest/file_bug790732.html b/js/xpconnect/tests/mochitest/file_bug790732.html
deleted file mode 100644
index 5515dfc..0000000
--- a/js/xpconnect/tests/mochitest/file_bug790732.html
+++ /dev/null
@@ -1,56 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-function testShim() {
-
-  // Basic stuff
-  ok(Components, "Components shim exists!");
-  var Ci = Components.interfaces;
-  ok(Ci, "interfaces shim exists!");
-  is(typeof Components.classes, 'undefined', "Shouldn't have a Cc");
-
-  // Check each interface that we shim. We start by checking specific
-  // constants for a couple of interfaces, and then once it's pretty clear that
-  // it's working as intended we just check that the objects themselves are the
-  // same.
-  is(Ci.nsIDOMFileReader.DONE, FileReader.DONE);
-  is(Ci.nsIXMLHttpRequest.HEADERS_RECEIVED, XMLHttpRequest.HEADERS_RECEIVED);
-  is(Ci.nsIDOMDOMException.DATA_CLONE_ERR, DOMException.DATA_CLONE_ERR);
-  is(Ci.nsIDOMNode.DOCUMENT_NODE, Node.DOCUMENT_NODE);
-  is(Ci.nsIDOMUserDataHandler.NODE_CLONED, UserDataHandler.NODE_CLONED);
-  is(Ci.nsIDOMCSSPrimitiveValue.CSS_PX, CSSPrimitiveValue.CSS_PX);
-  is(Ci.nsIDOMCSSRule.NAMESPACE_RULE, CSSRule.NAMESPACE_RULE);
-  is(Ci.nsIDOMCSSValue.CSS_PRIMITIVE_VALUE, CSSValue.CSS_PRIMITIVE_VALUE);
-  is(Ci.nsIDOMEvent.FOCUS, Event.FOCUS);
-  is(Ci.nsIDOMNSEvent.CLICK, Event.CLICK);
-  is(Ci.nsIDOMKeyEvent, KeyEvent);
-  is(Ci.nsIDOMMouseEvent, MouseEvent);
-  is(Ci.nsIDOMMouseScrollEvent, MouseScrollEvent);
-  is(Ci.nsIDOMMutationEvent, MutationEvent);
-  is(Ci.nsIDOMSimpleGestureEvent, SimpleGestureEvent);
-  is(Ci.nsIDOMUIEvent, UIEvent);
-  is(Ci.nsIDOMGeoPositionError, GeoPositionError);
-  is(Ci.nsIDOMHTMLMediaElement, HTMLMediaElement);
-  is(Ci.nsIDOMMediaError, MediaError);
-  is(Ci.nsIDOMLoadStatus, LoadStatus);
-  is(Ci.nsIDOMOfflineResourceList, OfflineResourceList);
-  is(Ci.nsIDOMRange, Range);
-  is(Ci.nsIDOMSVGFETurbulenceElement, SVGFETurbulenceElement);
-  is(Ci.nsIDOMSVGFEMorphologyElement, SVGFEMorphologyElement);
-  is(Ci.nsIDOMSVGFEConvolveMatrixElement, SVGFEConvolveMatrixElement);
-  is(Ci.nsIDOMSVGFEDisplacementMapElement, SVGFEDisplacementMapElement);
-  is(Ci.nsIDOMSVGLength, SVGLength);
-  is(Ci.nsIDOMSVGUnitTypes, SVGUnitTypes);
-  is(Ci.nsIDOMNodeFilter, NodeFilter);
-  is(Ci.nsIDOMXPathNamespace, XPathNamespace);
-  is(Ci.nsIDOMXPathResult, XPathResult);
-  is(Ci.nsIDOMXULButtonElement, XULButtonElement);
-  is(Ci.nsIDOMXULCheckboxElement, XULCheckboxElement);
-  is(Ci.nsIDOMXULPopupElement, XULPopupElement);
-}
-</script>
-</head>
-<body>
-</body>
-</html>
diff --git a/js/xpconnect/tests/mochitest/test_bug790732.html b/js/xpconnect/tests/mochitest/test_bug790732.html
deleted file mode 100644
index 771950e..0000000
--- a/js/xpconnect/tests/mochitest/test_bug790732.html
+++ /dev/null
@@ -1,46 +0,0 @@
-<!DOCTYPE HTML>
-<html>
-<!--
-https://bugzilla.mozilla.org/show_bug.cgi?id=790732
--->
-<head>
-  <meta charset="utf-8">
-  <title>Test for Bug 790732</title>
-  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
-  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
-  <script type="application/javascript">
-
-  /** Test for the Components shim. We split into two files because this stuff
-      is currently pref-controlled. **/
-  SimpleTest.waitForExplicitFinish();
-
-  function prepare() {
-    SpecialPowers.pushPrefEnv({set: [['dom.omit_components_in_content', true]]},
-                              function () { $('ifr').onload = go;
-                                            $('ifr').contentWindow.location =
-                                              '/tests/js/xpconnect/tests/mochitest/file_bug790732.html'; }
-                             );
-  }
-
-  function go() {
-    ok(true, "Started test");
-    var iwin = $('ifr').contentWindow;
-    iwin.ok = ok;
-    iwin.is = is;
-    iwin.testShim();
-    SimpleTest.finish();
-  }
-
-  </script>
-</head>
-<body onload="prepare()">
-<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=790732">Mozilla Bug 790732</a>
-<p id="display"></p>
-<div id="content" style="display: none">
-
-</div>
-<pre id="test">
-</pre>
-<iframe id="ifr"></iframe>
-</body>
-</html>
diff --git a/js/xpconnect/tests/mochitest/test_tor_bug2874.html b/js/xpconnect/tests/mochitest/test_tor_bug2874.html
new file mode 100644
index 0000000..c0a956e
--- /dev/null
+++ b/js/xpconnect/tests/mochitest/test_tor_bug2874.html
@@ -0,0 +1,25 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+Tor bug
+https://trac.torproject.org/projects/tor/ticket/2874
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Tor Bug 2874</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+  is(typeof Components, 'undefined', "The global window object should not expose a Components property to untrusted content.");
+  </script>
+</head>
+<body>
+<a target="_blank" href="https://trac.torproject.org/projects/tor/ticket/2874">Tor Bug 2874</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index 9698fac..5594e01 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -2955,10 +2955,6 @@
     "kind": "flag",
     "description": "Whether content ever accesed Components.interfaces in this session"
   },
-  "COMPONENTS_SHIM_ACCESSED_BY_CONTENT": {
-    "kind": "flag",
-    "description": "Whether content ever accesed the Components shim in this session"
-  },
   "CHECK_ADDONS_MODIFIED_MS": {
     "kind": "exponential",
     "high": "5000",





More information about the tor-commits mailing list