[tor-commits] [tor-browser/tor-browser-60.1.0esr-8.0-1] Bug 27271 - Don't allow the user to install extensions from web
commit a0620db9e7cd08e3d67a42d0c5b1067d5b3ed355
Author: Igor Oliveira <igt0@xxxxxxxxxxxxxx>
Date: Wed Aug 22 15:51:32 2018 -0300
Bug 27271 - Don't allow the user to install extensions from web
An attacker can send a tampered torbutton extension to the user and
TBA, currently, is not able to verify if the torbutton extension
was built by Tor.
---
mobile/android/app/000-tor-browser-android.js | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/mobile/android/app/000-tor-browser-android.js b/mobile/android/app/000-tor-browser-android.js
index 399c6f07718b..04a613092e6d 100644
--- a/mobile/android/app/000-tor-browser-android.js
+++ b/mobile/android/app/000-tor-browser-android.js
@@ -56,3 +56,8 @@ pref("general.useragent.updates.url", "");
// Override this because Orbot uses 9050 as the default
pref("network.proxy.socks_port", 9050);
+
+// Do not allow the user to install extensions from web
+pref("xpinstall.enabled", false);
+pref("extensions.enabledScopes", 1);
+pref("extensions.autoDisableScopes", 1);
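Review bot: The comment on the added lines, "Do not allow the user to install extensions from web", only accounts for `xpinstall.enabled`; the two scope prefs below it are set to a bare `1` with no explanation of which install scope that value selects or why both `extensions.enabledScopes` and `extensions.autoDisableScopes` need to change. Please extend the comment to say what scope `1` stands for and what each of the two prefs is meant to achieve. It should also carry the rationale from the commit message (the torbutton extension's origin cannot currently be verified) with a reference to Bug 27271, so that a later reader of this prefs file can tell when the restriction may be revisited. As written, these are ordinary `pref()` defaults like the rest of the file, so it would help to state in the comment whether that is considered sufficient for the threat described in the commit message.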
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits