[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #30957 [Applications/Tor Browser]: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)



#30957: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
--------------------------------------+-----------------------------------
 Reporter:  torlove                   |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by torlove):

 Thanks cypherpunks,

 At what point is it parsed, would it be parsed by the Firefox (and by
 extension the Tor Browser) and so therefore cause a vulnerability in the
 browser. Is there a method of parsing a '.asc' file without introducing a
 '.asc' vulnerabilty?

 If this is an issue then it needs to be solved upstream as a matter of
 some urgency, yes?

 Using a '.asc' file is supposed to be far more secure that a non ascii-
 armoured file, because the character space is far more limited, and thus
 we should be able to ensure that remote code cannot be delivered and
 excuted. I'm not an expert in this field and how to specifically deal with
 buffer overruns and such, but surely, any and all file type downloads need
 to account for this vulnerability, not just text files (or in this
 specific case, '.asc' files).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30957#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs