From ef794bb39b7c5d98bd198965c987089ca146c4dd Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@gmail.com>
Date: Thu, 8 Feb 2018 19:22:33 +0100
Subject: Don't allow proxies in the proto chain.

---
 js/xpconnect/wrappers/AccessCheck.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'js/xpconnect')

diff --git a/js/xpconnect/wrappers/AccessCheck.cpp b/js/xpconnect/wrappers/AccessCheck.cpp
index 085e7100e..d17c0629e 100644
--- a/js/xpconnect/wrappers/AccessCheck.cpp
+++ b/js/xpconnect/wrappers/AccessCheck.cpp
@@ -307,6 +307,20 @@ ExposedPropertiesOnly::check(JSContext* cx, HandleObject wrapper, HandleId id, W
     // Unfortunately, |cx| can be in either compartment when we call ::check. :-(
     JSAutoCompartment ac(cx, wrappedObject);
 
+    // Proxies are not allowed in the proto chain.
+    RootedObject o(cx, wrappedObject);
+    while (o) {
+        JSObject* unwrapped = js::IsWrapper(o) ? js::CheckedUnwrap(o, false) : o;
+        if (!unwrapped || js::IsProxy(unwrapped))
+            return false;
+
+        RootedObject p(cx);
+        if (!js::GetObjectProto(cx, o, &p))
+            return false;
+
+        o = p;
+    }
+
     bool found = false;
     if (!JS_HasPropertyById(cx, wrappedObject, exposedPropsId, &found))
         return false;
-- 
cgit v1.2.3