[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Thu, 09 Dec 2010 17:59:29 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 09 Dec 2010 12:59:42 -0500
In-reply-to: <043.dd23484abfa2ef3948c4d0a3f7df91c5@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bugs reporting list for trac <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <043.dd23484abfa2ef3948c4d0a3f7df91c5@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
 Reporter:  dkg                   |       Owner:  pde     
     Type:  defect                |      Status:  accepted
 Priority:  major                 |   Milestone:          
Component:  EFF-HTTPS Everywhere  |     Version:          
 Keywords:                        |      Parent:          
----------------------------------+-----------------------------------------

Comment(by rransom):

 Replying to [comment:6 pde]:
 > 4. Per rransom's suggestion, move to something like agl's proposed
 chromium syntax.  https://mail1.eff.org/pipermail/https-
 everywhere/2010-November/000545.html.  There are several downsides to
 that.

 The only downside is that you will need to convert all of the existing
 rulesets to the new format.  This time, add an XML namespace URI and/or
 some other version indicator.

 But the real reason this is necessary is (quoting agl's message):
 > Serialising and re-parsing URLs is very scary from a security point of
 view. It would be greatly preferable to handle URLs in their processed
 form.

 If we don't start operating on parsed URLs, we can only expect more
 exploitable bugs like this one in the future.

 Since Firefox extensions can use arbitrary !JavaScript code to munge URL
 requests before they are acted on, HTTPS Everywhere rules can easily
 continue to support matching URL components against regular expressions
 and inserting captured strings into any component of the new URL.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
Next by Author: [tor-bugs] #2269 [- Select a component]: Hardware Router: 20 test relays/bridges
Previous by thread: Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
Next by thread: Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
Index(es):
- Author
- Thread