Re: [tor-bugs] #22170 [Applications/Tor Browser]: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety on Android
#22170: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety on Android
-------------------------------------------------+-------------------------
Reporter: gk | Owner: sysrqb
Type: defect | Status: accepted
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-mobile, TorBrowserTeam201807 | Actual Points:
Parent ID: #21863 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by sysrqb):
Replying to [comment:20 sysrqb]:
> All files where Fennec uses `impl.client`
>
> {{{
> $ git grep -n ch.boye.httpclientandroidlib.impl.client mobile/android/[bs]*
>
> mobile/android/base/java/org/mozilla/gecko/telemetry/TelemetryUploadService.java:15:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
We should never get here because it's telemetry, but it's worth checking.
The DefaultHttpClient is passed in, but not created. The `DATE` header is
set. A `BaseResource` is created and `BaseResource.postBlocking()` is
called. The proxy will be set within `BaseResource.execute()`.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/FxAccountClient20.java:50:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
All connections are created via `BaseResource`. DefaultHttpClient is
passed into an `addHeader()` where an `ACCEPT_LANGAUGE` and an `ACCEPT`
header are added.
Note: FxA uses a unique user agent string in its request.
https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/fxa/FxAccountConstants.java?h=tor-browser-60.1.0esr-8.0-1#n40
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/oauth/FxAccountAbstractClient.java:30:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
DefaultHttpClient is passed into an `addHeader()` where an
`ACCEPT_LANGAUGE` and an `ACCEPT` header are added.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/push/autopush/AutopushClient.java:35:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
{{{
/**
 * Interact with the autopush endpoint HTTP API.
 * <p/>
 * The API is a Mozilla-proprietary interface, and not even specified to Mozilla's usual ad-hoc standards.
 * This client is written against a work-in-progress, un-deployed upstream commit.
 */
}}}
That's reassuring.
All connections are created via `BaseResource`. DefaultHttpClient is
passed into an `addHeader()` where an `ACCEPT_LANGAUGE` and an `ACCEPT`
header are added.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/AbstractBearerTokenAuthHeaderProvider.java:9:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
`DefaultHttpClient` isn't used. No network calls in this class.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/AuthHeaderProvider.java:11:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
This is an `interface`, no logic here.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:51:import ch.boye.httpclientandroidlib.impl.client.BasicAuthCache;
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:52:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
This class is probably proxy-safe. I'll need to look at this again (and a
second pair of eyes would be welcome).
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResourceDelegate.java:8:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
This class only provides accessors and mutators, no network calls.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BasicAuthHeaderProvider.java:12:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
No network calls.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/HMACAuthHeaderProvider.java:23:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
`DefaultHttpClient` isn't used. No network calls.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/HawkAuthHeaderProvider.java:29:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
`DefaultHttpClient` isn't used. No network calls.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/ResourceDelegate.java:13:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
This is an `interface`, no logic here.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageCollectionRequest.java:20:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
{{{
// TODO: this is awful.
}}}
Sets `ACCEPT` header. This class mostly handles HTTP responses.
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRequest.java:20:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
Adds an `x-if-unmodified-since` header. Uses `BaseResource` for creating
network connections.
Note: uses another different user agent string.
https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/sync/SyncConstants.java?h=tor-browser-60.1.0esr-8.0-1#n40
> {{{
> mobile/android/services/src/main/java/org/mozilla/gecko/tokenserver/TokenServerClient.java:37:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
Sets `X-Conditions-Accepted` and `X-Client-State` headers. Uses
`BaseResource` for networking.
> {{{
> mobile/android/services/src/test/java/org/mozilla/android/sync/test/helpers/MockResourceDelegate.java:9:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> mobile/android/services/src/test/java/org/mozilla/gecko/sync/net/test/TestHawkAuthHeaderProvider.java:12:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> mobile/android/services/src/test/java/org/mozilla/gecko/sync/net/test/TestLiveHawkAuth.java:11:import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
> }}}
Testing.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22170#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
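The file-by-file triage above (does a class construct its own DefaultHttpClient, go through BaseResource, or merely receive a client to add headers to) can be mechanised. The script below is an added example, not code from the ticket, Fennec or Tor Browser; the sample Java files it creates are constructed stand-ins, and the verdicts are a grep heuristic to point reviewers at the files that need a manual proxy check.

```shell
#!/bin/sh
# Added audit helper for the review described in this ticket; it is not code
# from Fennec or Tor Browser. It classifies Java sources that import
# ch.boye.httpclientandroidlib.impl.client by how they obtain an HttpClient:
# a file that constructs DefaultHttpClient itself must configure the proxy,
# while one that only receives the client through BaseResource inherits it.

# audit_httpclient_dir DIR
# Prints "<verdict> <path-relative-to-DIR>" per matching file, where verdict is
#   constructs   - contains "new DefaultHttpClient(" (review its proxy setup)
#   baseresource - no construction, but goes through BaseResource
#   passthrough  - only imports or receives a DefaultHttpClient (headers only)
audit_httpclient_dir() {
  dir="$1"
  find "$dir" -type f -name '*.java' | sort | while read -r f; do
    grep -q 'ch\.boye\.httpclientandroidlib\.impl\.client' "$f" || continue
    if grep -q 'new DefaultHttpClient(' "$f"; then
      verdict=constructs
    elif grep -q 'BaseResource' "$f"; then
      verdict=baseresource
    else
      verdict=passthrough
    fi
    printf '%s %s\n' "$verdict" "${f#"$dir"/}"
  done
}

# Constructed sample tree (hypothetical minimal files, not the real Fennec
# sources) so the audit can be run offline; prints the directory path.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/net" "$t/fxa"
  cat > "$t/net/BaseResource.java" <<'EOF'
import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
public class BaseResource { DefaultHttpClient client = new DefaultHttpClient(); }
EOF
  cat > "$t/fxa/FxAccountClient20.java" <<'EOF'
import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
public class FxAccountClient20 { void post() { new BaseResource(); } }
EOF
  cat > "$t/net/AuthHeaderProvider.java" <<'EOF'
import ch.boye.httpclientandroidlib.impl.client.DefaultHttpClient;
public interface AuthHeaderProvider { void addHeader(DefaultHttpClient client); }
EOF
  printf '%s\n' "$t"
}
```

Run it against a real checkout with `audit_httpclient_dir mobile/android/services` and read every `constructs` line; the `passthrough` files correspond to the header-provider classes the ticket marks as making no network calls.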