Re: [tor-bugs] #18101 [Applications/Tor Browser]: IP leak from Windows UI dialog with URI
#18101: IP leak from Windows UI dialog with URI
-------------------------------------------------+-------------------------
 Reporter:   uileak                              |  Owner:         arthuredelstein
 Type:       defect                              |  Status:        needs_revision
 Priority:   Very High                           |  Milestone:
 Component:  Applications/Tor Browser            |  Version:
 Severity:   Major                               |  Resolution:
 Keywords:   tbb-disk-leak, tbb-proxy-bypass,    |  Actual Points:
             TorBrowserTeam201709R               |
 Parent ID:                                      |  Points:
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):
* cc: mcs, brade (added)
* status: needs_review => needs_revision
Comment:
Replying to [comment:49 arthuredelstein]:
> Replying to [comment:48 gk]:
>
> Answering questions in reverse order:
>
> > And could you verify that other Tor Browser platforms are unaffected?
> > comment:7 seems to point this out for Linux. See comment:9 for macOS.
>
> Here's a patch that covers all platforms:
> https://github.com/arthuredelstein/tor-browser/commit/18101+2
>
> Unfortunately, I haven't yet been able to test these on old Linux and
> macOS platforms. The current platforms on desktops I tested (XFCE, KDE,
> macOS) do not show a text box in the Open Dialog. Once I have builds
> ready, I will post them on this ticket so that people can test on old
> Mac/Linux platforms if they have them.

I built my own bundles and this was a PITA to test. I can confirm that the
patch for Linux fixes the problem and it looks good to me. After trying to
reproduce the problem for quite a while I wrote custom extension code
using the example on
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIFilePicker
but with `modSave` (this is important, I could not find a way to reproduce
the issue and test the fix with `modOpen`) and, obviously,
`nsIFilePicker.filterAllowURLs` added to the filters.

Arthur/Mark/Kathy: that might be a way to test the fix on a Mac as well
(which I don't have atm).

With the patch for Windows I still see DNS leaks. Here is what I did:

1) Open the patched Tor Browser
2) Go to https://bugs.torproject.org/18101
3) Copy the URL of the Tor logo
4) Open https://bug711654.bmoattachments.org/attachment.cgi?id=582460 in a
   new tab
5) Start Wireshark
6) Click on the "Browse" button and paste the URL for the Tor logo and
   click on "Open"
7) Wait a while and a DNS query for trac.torproject.org will be in the
   Wireshark log.

Marking this as `needs_revision` for this problem. Arthur, let me know
whether you can reproduce that. This happens on a Windows 7 machine (in
case that matters).

> > Arthur: What do we want to do for XP (see comment:10)?
>
> I am inclined to treat this problem as wontfix, because XP is deprecated
> by Microsoft and is expected to be deprecated in September by Mozilla as
> well. I did spend a little time looking into the problem but I don't see a
> quick solution.

Well, we certainly would take a patch if someone came up with one. So,
let's open a follow-up ticket for that case and set `ff59-esr-will-have`
as keyword once we are done here.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18101#comment:54>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
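
Step 7 of the test procedure in the message above relies on spotting a DNS query by eye in the Wireshark log. The following is an added example, not part of the original message or of any Tor Browser code: it checks exported UDP port 53 payloads for queries naming the host under test, so the same verification can be repeated after each patch revision. The function names and the sample datagrams are assumptions constructed for illustration.

```python
import struct

def parse_dns_qnames(payload: bytes) -> list:
    """Return lower-cased question names from one raw DNS query (UDP payload)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        return []
    names, off = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if off >= len(payload):
                raise ValueError("truncated QNAME")
            length = payload[off]
            off += 1
            if length == 0:  # root label ends the name
                break
            if length & 0xC0 or off + length > len(payload):
                raise ValueError("malformed label")
            labels.append(payload[off:off + length].decode("ascii", "replace"))
            off += length
        off += 4  # skip QTYPE and QCLASS
        names.append(".".join(labels).lower())
    return names

def leaked_queries(payloads, watched_host):
    """Names in the capture equal to, or subdomains of, the host under test."""
    watched = watched_host.lower().rstrip(".")
    hits = []
    for payload in payloads:
        try:
            names = parse_dns_qnames(payload)
        except ValueError:
            continue  # not a parseable DNS query; ignore
        hits += [n for n in names if n == watched or n.endswith("." + watched)]
    return hits

def build_query(name, txid=0x1234):
    """Build a constructed A-record query, used only as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed sample: one leak, one unrelated query, one junk datagram.
SAMPLE = [build_query("trac.torproject.org"), build_query("example.com"), b"\x00\x01"]

if __name__ == "__main__":
    print(leaked_queries(SAMPLE, "trac.torproject.org"))
```

An empty result for a capture taken during the test run means no cleartext DNS query for the watched host was seen on that interface.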