[Pkg-mozext-commits] [greasemonkey] 04/35: Disable getObjectPrincipal if the browser does not support it.

David Prévot taffit at moszumanska.debian.org
Wed May 20 02:43:36 UTC 2015 

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository greasemonkey.

commit 93611362c9fe3e10e00e893ca537061bf5033155
Author: Crazycatz00 <crazycatz.0x00 at gmail.com>
Date:   Thu Feb 12 16:13:28 2015 -0500

    Disable getObjectPrincipal if the browser does not support it.
    
    Possible security risk, but older versions (1.15) don't check either. Should not affect Firefox >= 29.
---
 modules/xmlhttprequester.js | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/modules/xmlhttprequester.js b/modules/xmlhttprequester.js
index 92a2b23..f42ab8b 100644
--- a/modules/xmlhttprequester.js
+++ b/modules/xmlhttprequester.js
@@ -5,7 +5,10 @@ Components.utils.import("resource://greasemonkey/util.js");
 function GM_xmlhttpRequester(wrappedContentWin, originUrl, sandbox) {
   this.wrappedContentWin = wrappedContentWin;
   this.originUrl = originUrl;
-  this.sandboxPrincipal = Components.utils.getObjectPrincipal(sandbox);
+  // Firefox < 29 does not support getObjectPrincipal in a scriptable context.
+  // Older Greasemonkey didn't use this, so if the browser doesn't support it,
+  // this shouldn't be less secure (for that browser).
+  this.sandboxPrincipal = 'function' == typeof Components.utils.getObjectPrincipal ? Components.utils.getObjectPrincipal(sandbox) : null;
 }
 
 // this function gets called by user scripts in content security scope to
@@ -169,10 +172,13 @@ function(wrappedContentWin, req, event, details) {
   var eventCallback = details["on" + event];
   if (!eventCallback) return;
 
-  // ... but ensure that the callback came from a script, not content, by
-  // checking that its principal equals that of the sandbox.
-  var callbackPrincipal = Components.utils.getObjectPrincipal(eventCallback);
-  if (!this.sandboxPrincipal.equals(callbackPrincipal)) return;
+  // Firefox < 29 hack; see above.
+  if ('function' == typeof Components.utils.getObjectPrincipal) {
+    // ... but ensure that the callback came from a script, not content, by
+    // checking that its principal equals that of the sandbox.
+    var callbackPrincipal = Components.utils.getObjectPrincipal(eventCallback);
+    if (!this.sandboxPrincipal.equals(callbackPrincipal)) return;
+  }
 
   req.addEventListener(event, function(evt) {
     var responseState = {

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/greasemonkey.git

More information about the Pkg-mozext-commits mailing list