[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #5742 [Firefox Patch Issues]: Fix image cache url isolation
#5742: Fix image cache url isolation
----------------------------------------------+-----------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: new
Priority: major | Milestone:
Component: Firefox Patch Issues | Version:
Keywords: tbb-linkability, MikePerry201207 | Parent:
Points: 20 | Actualpoints: 2
----------------------------------------------+-----------------------------
Changes (by mikeperry):
* points: => 20
* actualpoints: => 2
Comment:
Ok, I started looking into this more and it would seem that the "cacheKey"
argument to imgLoader::LoadImage is often null.. Elsewhere in the
imgLoader, the actual cache key is constructed directly from the URI
without even a channel available, so we can't use
nsHttpChannel::AssembleCacheKey() to get the expected cacheKey.
I think this might mean that several functions in the non-critical paths
of the image loader will have to become O(N), to be able to continue to
operate on uri strings and retain API compatibility. Those functions will
just search over the cache and return/remove the first matching URI,
isolated or not. We'll need to double check these functions for cross-
domain info leaks, though.. I think the only dangerous one in that regard
is imgLoader::FindEntryProperties().
For the actual cached image storage and retrieval in
imgLoader::LoadImage() and imgLoader::LoadImageWithChannel(), we'll have
to do our best to construct a url domain-isolated cacheKey using either
the referer uri, the channel, the notificationCallbacks, or who knows
what, depending upon availability.
In short, this is going to be a huge messy pile of pain. The only good
thing is that the image caching code hasn't changed since ~2001. Our patch
probably won't generate too many conflicts at that rate of code change.
This is probably going to take like a week to get right. :/
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5742#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs