diff options
-rw-r--r-- | js/xpconnect/wrappers/AccessCheck.cpp | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/js/xpconnect/wrappers/AccessCheck.cpp b/js/xpconnect/wrappers/AccessCheck.cpp index 085e7100e..d17c0629e 100644 --- a/js/xpconnect/wrappers/AccessCheck.cpp +++ b/js/xpconnect/wrappers/AccessCheck.cpp @@ -307,6 +307,20 @@ ExposedPropertiesOnly::check(JSContext* cx, HandleObject wrapper, HandleId id, W // Unfortunately, |cx| can be in either compartment when we call ::check. :-( JSAutoCompartment ac(cx, wrappedObject); + // Proxies are not allowed in the proto chain. + RootedObject o(cx, wrappedObject); + while (o) { + JSObject* unwrapped = js::IsWrapper(o) ? js::CheckedUnwrap(o, false) : o; + if (!unwrapped || js::IsProxy(unwrapped)) + return false; + + RootedObject p(cx); + if (!js::GetObjectProto(cx, o, &p)) + return false; + + o = p; + } + bool found = false; if (!JS_HasPropertyById(cx, wrappedObject, exposedPropsId, &found)) return false; |