Re: [tor-bugs] #30957 [Applications/Tor Browser]: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
#30957: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
--------------------------------------+-----------------------------------
Reporter: torlove | Owner: tbb-team
Type: enhancement | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by torlove):
Thanks cypherpunks,
At what point is it parsed? Would it be parsed by Firefox (and by
extension the Tor Browser) and so therefore cause a vulnerability in the
browser? Is there a method of parsing a '.asc' file without introducing a
'.asc' vulnerability?
If this is an issue then it needs to be solved upstream as a matter of
some urgency, yes?
Using a '.asc' file is supposed to be far more secure than a non-ASCII-armoured
file, because the character space is far more limited, and thus
we should be able to ensure that remote code cannot be delivered and
executed. I'm not an expert in this field and how to specifically deal with
buffer overruns and such, but surely, any and all file type downloads need
to account for this vulnerability, not just text files (or in this
specific case, '.asc' files).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30957#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs