
[tor-bugs] #17734 [Tor Browser]: Use asm.js to sanitize saved PDFs



#17734: Use asm.js to sanitize saved PDFs
-----------------------------+-------------------------------------------
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  enhancement  |     Status:  new
     Priority:  Medium       |  Milestone:
    Component:  Tor Browser  |    Version:
     Severity:  Normal       |   Keywords:  PDF, sanity, exploits, deanon
Actual Points:               |  Parent ID:
       Points:               |    Sponsor:
-----------------------------+-------------------------------------------
 PDF files often have malicious content within them, which can be used to
 compromise the security of the system. Rendering a PDF file with PDF.js is
 often slow and broken, which makes users open the files with native
 readers. Unfortunately, there are no good sanitizers: they are mostly
 written in scripting languages (such as Python and Ruby) and require their
 runtime. It will be very useful to have a tool, implemented in JS right in
 the browser, to remove malicious content from downloaded PDFs. Fortunately,
 Firefox already has a PDF parsing library inside its PDF.js engine.

 * Use PDF.js to parse the PDF into an internal representation, but do not
 render it.
 * Decompress and destream it.
 * Remove all potentially malicious tags (this should be tweakable in a popup
 window similar to "Clear Recent History"): JS, fonts, flash (and other
 objects calling plugins), 3d, forms, signatures, remote content, anything
 else not needed for rendering directly.
 * Recreate the PDF file from the internal representation, recomputing all
 the recomputable fields to destroy memory corruption exploits.

 First I asked about it in the PDF.js bug tracker; they refused because it is
 not the goal of that project.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17734>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
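
The steps listed in the ticket, sketched as an added JavaScript example; it is not part of the original ticket and is not PDF.js code. It assumes the PDF has already been parsed and decompressed into a hypothetical map of object number to {dict, stream}, with {ref: n} standing for an indirect reference; POLICY, sanitize and sample are names made up for this example.

```javascript
// Ticket categories mapped to PDF-spec key and type names; the grouping is this example's assumption.
const POLICY = {
  js:      { keys: ["JS", "JavaScript", "OpenAction", "AA"], types: ["JavaScript"] },
  fonts:   { keys: ["FontFile", "FontFile2", "FontFile3"], types: [] },
  plugins: { keys: [], types: ["RichMedia", "Screen", "Movie", "Launch"] },
  threeD:  { keys: [], types: ["3D"] },
  forms:   { keys: ["AcroForm", "XFA"], types: ["Widget", "SubmitForm", "ImportData", "Sig"] },
  remote:  { keys: ["URI"], types: ["URI", "GoToR", "GoToE"] },
};
// Hypothetical model: objects is Map<number, {dict, stream?}> holding already decoded data.
function sanitize(objects, rootId, enabled = Object.keys(POLICY)) {
  const keys = new Set(enabled.flatMap(c => POLICY[c].keys));
  const types = new Set(enabled.flatMap(c => POLICY[c].types));
  const isRef = v => v !== null && typeof v === "object" && "ref" in v;
  const banned = d => d != null && [d.S, d.Subtype, d.FT].some(t => types.has(t));
  const dead = v => banned(v) ||
    (isRef(v) && (!objects.has(v.ref) || banned(objects.get(v.ref).dict)));
  const out = new Map();
  const queue = [rootId];
  // Copy a value without banned keys, banned dictionaries or dangling references.
  const clean = v => {
    if (isRef(v)) { queue.push(v.ref); return { ref: v.ref }; }
    if (Array.isArray(v)) return v.filter(x => !dead(x)).map(clean);
    if (v === null || typeof v !== "object") return v;
    const d = {};
    for (const [k, x] of Object.entries(v)) if (!keys.has(k) && !dead(x)) d[k] = clean(x);
    return d;
  };
  // Walk from the catalog: only reachable, cleaned objects are written back out.
  while (queue.length) {
    const id = queue.pop();
    if (out.has(id)) continue;
    const { dict, stream } = objects.get(id);
    const d = clean(dict);
    if (stream !== undefined) d.Length = stream.length; // recomputed, not copied from the file
    out.set(id, { dict: d, stream });
  }
  return out;
}
// Constructed sample: catalog 1 -> pages 2 -> page 3, content 4 (forged /Length), link 5, JS action 6.
const sample = new Map([
  [1, { dict: { Type: "Catalog", Pages: { ref: 2 }, OpenAction: { ref: 6 } } }],
  [2, { dict: { Type: "Pages", Kids: [{ ref: 3 }], Count: 1 } }],
  [3, { dict: { Type: "Page", Parent: { ref: 2 }, Contents: { ref: 4 }, Annots: [{ ref: 5 }] } }],
  [4, { dict: { Length: 9999 }, stream: "BT (hi) Tj ET" }],
  [5, { dict: { Type: "Annot", Subtype: "Link", A: { S: "URI", URI: "http://example.invalid/" } } }],
  [6, { dict: { S: "JavaScript", JS: "constructed();" } }],
]);
```

Passing a subset of category names as the third argument corresponds to the tweakable popup the ticket asks for. Serializing the returned map into a file with a freshly built cross-reference table is the remaining step and is not shown.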