[Pkg-mozext-commits] [greasemonkey] 04/35: Disable getObjectPrincipal if the browser does not support it.
David Prévot
taffit at moszumanska.debian.org
Wed May 20 02:43:36 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository greasemonkey.
commit 93611362c9fe3e10e00e893ca537061bf5033155
Author: Crazycatz00 <crazycatz.0x00 at gmail.com>
Date: Thu Feb 12 16:13:28 2015 -0500
Disable getObjectPrincipal if the browser does not support it.
Possible security risk, but older versions (1.15) don't check either. Should not affect Firefox >= 29.
---
modules/xmlhttprequester.js | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/modules/xmlhttprequester.js b/modules/xmlhttprequester.js
index 92a2b23..f42ab8b 100644
--- a/modules/xmlhttprequester.js
+++ b/modules/xmlhttprequester.js
@@ -5,7 +5,10 @@ Components.utils.import("resource://greasemonkey/util.js");
function GM_xmlhttpRequester(wrappedContentWin, originUrl, sandbox) {
this.wrappedContentWin = wrappedContentWin;
this.originUrl = originUrl;
- this.sandboxPrincipal = Components.utils.getObjectPrincipal(sandbox);
+ // Firefox < 29 does not support getObjectPrincipal in a scriptable context.
+ // Older Greasemonkey didn't use this, so if the browser doesn't support it,
+ // this shouldn't be less secure (for that browser).
+ this.sandboxPrincipal = 'function' == typeof Components.utils.getObjectPrincipal ? Components.utils.getObjectPrincipal(sandbox) : null;
}
// this function gets called by user scripts in content security scope to
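Review bot: The `null` fallback on the `this.sandboxPrincipal` line makes the callback-origin check fail open: on a browser without `Components.utils.getObjectPrincipal`, the second hunk skips the principal comparison, so a callback taken from `details["on" + event]` is apparently attached without verifying that it came from the script rather than from content. The added comment argues this is no worse than older Greasemonkey, but it does not name the check that is lost; I would state it, e.g. `// Without getObjectPrincipal the callback principal check in the event-callback setup is skipped, so callbacks are not verified to originate from the script sandbox.` Logging once when the fallback is taken would make affected installs visible. If Firefox < 29 is no longer meant to be supported, raising the add-on's minimum browser version would remove the need for the fallback; the manifest is not visible in this commit.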
@@ -169,10 +172,13 @@ function(wrappedContentWin, req, event, details) {
var eventCallback = details["on" + event];
if (!eventCallback) return;
- // ... but ensure that the callback came from a script, not content, by
- // checking that its principal equals that of the sandbox.
- var callbackPrincipal = Components.utils.getObjectPrincipal(eventCallback);
- if (!this.sandboxPrincipal.equals(callbackPrincipal)) return;
+ // Firefox < 29 hack; see above.
+ if ('function' == typeof Components.utils.getObjectPrincipal) {
+ // ... but ensure that the callback came from a script, not content, by
+ // checking that its principal equals that of the sandbox.
+ var callbackPrincipal = Components.utils.getObjectPrincipal(eventCallback);
+ if (!this.sandboxPrincipal.equals(callbackPrincipal)) return;
+ }
req.addEventListener(event, function(evt) {
var responseState = {
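Review bot: The feature test is repeated in this guard instead of reusing what the constructor already decided, so the two sites can drift apart. If a later edit changes only the constructor's condition, `this.sandboxPrincipal.equals(...)` is called on `null` and throws during callback setup. Keying the guard on the stored value, `if (this.sandboxPrincipal !== null) {`, keeps a single source of truth for whether the check runs. The enclosing function starts before this hunk and continues past its last line, so the rest of the listener is not reviewed here.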
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-mozext/greasemonkey.git