[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #9901 [TorBrowserButton]: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of content are sent



#9901: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of
content are sent
----------------------------------+---------------------------
     Reporter:  sqrt2             |      Owner:  mikeperry
         Type:  defect            |     Status:  reopened
     Priority:  normal            |  Milestone:
    Component:  TorBrowserButton  |    Version:
   Resolution:                    |   Keywords:  tbb-usability
Actual Points:                    |  Parent ID:
       Points:                    |
----------------------------------+---------------------------

Comment (by cypherpunks):

 {{{
            var call;
            if(params.length) call =
 "("+params.join().replace(/(?:)/g,function(){return "p"+(++x)})+")";
            else call = "()";
 -          if(method == "getTypeFromFile" || method ==
 "getTypeFromExtension" || method == "getTypeFromURI") {
 -           // XXX: Due to
 https://developer.mozilla.org/en/Exception_logging_in_JavaScript
 -           // this is necessary to prevent error console noise on the
 return to C++ code.
 -           // It is not technically correct, but as far as I can tell,
 returning null
 -           // here should be equivalent to throwing an error for the
 codepaths invovled
 -           var fun = "(function "+call+"{"+
 -              "if (arguments.length < "+wrapped[method].length+")"+
 -              "  throw Components.results.NS_ERROR_XPC_NOT_ENOUGH_ARGS;"+
 -              "try { return wrapped."+method+".apply(wrapped, arguments);
 }"+
 -              "catch(e) { if(e.result ==
 Components.results.NS_ERROR_NOT_AVAILABLE) return null; else throw e;}
 })";
 -            newObj[method] = eval(fun);
 -          } else {
 +          {
              var fun = "(function "+call+"{"+
                "if (arguments.length < "+wrapped[method].length+")"+
                "  throw Components.results.NS_ERROR_XPC_NOT_ENOUGH_ARGS;"+
 }}}
 Keep it simple.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9901#comment:75>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs