[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-102.12.0esr-12.5-1] 2 commits: Bug 41854: Allow overriding download spam protection.
ma1 (@ma1)
git at gitlab.torproject.org
Wed Jun 28 06:28:51 UTC 2023
ma1 pushed to branch tor-browser-102.12.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
38cb023e by hackademix at 2023-06-28T08:12:58+02:00
Bug 41854: Allow overriding download spam protection.
- - - - -
d3b18f88 by hackademix at 2023-06-28T08:16:35+02:00
fixup! Firefox preference overrides.
- - - - -
5 changed files:
- browser/app/profile/001-base-profile.js
- browser/components/downloads/DownloadSpamProtection.jsm
- toolkit/components/downloads/DownloadCore.jsm
- toolkit/components/downloads/DownloadIntegration.jsm
- uriloader/exthandler/nsExternalHelperAppService.cpp
Changes:
=====================================
browser/app/profile/001-base-profile.js
=====================================
@@ -48,6 +48,9 @@ pref("security.nocertdb", true);
pref("browser.download.useDownloadDir", false);
pref("browser.download.manager.addToRecentDocs", false);
+// Prevent download stuffing / DOS (tor-browser#41764)
+pref("browser.download.enable_spam_prevention", true);
+
// Misc privacy: Disk
pref("signon.rememberSignons", false);
pref("browser.formfill.enable", false);
=====================================
browser/components/downloads/DownloadSpamProtection.jsm
=====================================
@@ -18,6 +18,8 @@ var { XPCOMUtils } = ChromeUtils.import(
"resource://gre/modules/XPCOMUtils.jsm"
);
+var { Services } = ChromeUtils.import("resource://gre/modules/Services.jsm");
+
XPCOMUtils.defineLazyModuleGetters(this, {
BrowserWindowTracker: "resource:///modules/BrowserWindowTracker.jsm",
Downloads: "resource://gre/modules/Downloads.jsm",
@@ -45,17 +47,18 @@ class DownloadSpamProtection {
return this.list;
}
- update(url) {
+ update(url, principal) {
if (this._blockedURLToDownloadSpam.has(url)) {
let downloadSpam = this._blockedURLToDownloadSpam.get(url);
this.spamList.remove(downloadSpam);
+ downloadSpam.principal = principal;
downloadSpam.blockedDownloadsCount += 1;
this.spamList.add(downloadSpam);
this._indicator.onDownloadStateChanged(downloadSpam);
return;
}
- let downloadSpam = new DownloadSpam(url);
+ let downloadSpam = new DownloadSpam(url, principal, this);
this.spamList.add(downloadSpam);
this._blockedURLToDownloadSpam.set(url, downloadSpam);
let hasActiveDownloads = DownloadsCommon.summarizeDownloads(
@@ -85,8 +88,10 @@ class DownloadSpamProtection {
* @extends Download
*/
class DownloadSpam extends Download {
- constructor(url) {
+ constructor(url, principal, protectionController) {
super();
+ this.protectionController = protectionController;
+ this.principal = principal.QueryInterface(Ci.nsIPrincipal);
this.hasBlockedData = true;
this.stopped = true;
this.error = new DownloadError({
@@ -97,4 +102,16 @@ class DownloadSpam extends Download {
this.source = { url };
this.blockedDownloadsCount = 1;
}
+ allow() {
+ const pm = Services.perms;
+ pm.addFromPrincipal(
+ this.principal,
+ "automatic-download",
+ pm.ALLOW_ACTION,
+ pm.EXPIRE_SESSION
+ );
+ this.hasBlockedData = this.hasPartialData = false;
+ this.protectionController.clearDownloadSpam(this.source.url);
+ this._notifyChange();
+ }
}
=====================================
toolkit/components/downloads/DownloadCore.jsm
=====================================
@@ -717,6 +717,10 @@ Download.prototype = {
}
this._promiseUnblock = (async () => {
+ if (this.allow) {
+ this.allow();
+ return;
+ }
try {
await IOUtils.move(this.target.partFilePath, this.target.path);
await this.target.refresh();
@@ -725,7 +729,6 @@ Download.prototype = {
this._promiseUnblock = null;
throw ex;
}
-
this.succeeded = true;
this.hasBlockedData = false;
this._notifyChange();
@@ -955,7 +958,9 @@ Download.prototype = {
await this._promiseCanceled;
}
// Ask the saver object to remove any partial data.
- await this.saver.removeData();
+ if (this.saver) {
+ await this.saver.removeData();
+ }
// For completeness, clear the number of bytes transferred.
if (this.currentBytes != 0 || this.hasPartialData) {
this.currentBytes = 0;
=====================================
toolkit/components/downloads/DownloadIntegration.jsm
=====================================
@@ -1234,7 +1234,7 @@ var DownloadObserver = {
) {
DownloadIntegration._initializeDownloadSpamProtection();
}
- DownloadIntegration.downloadSpamProtection.update(aData);
+ DownloadIntegration.downloadSpamProtection.update(aData, aSubject);
break;
}
},
=====================================
uriloader/exthandler/nsExternalHelperAppService.cpp
=====================================
@@ -1975,7 +1975,7 @@ bool nsExternalAppHandler::IsDownloadSpam(nsIChannel* aChannel) {
nsAutoCString cStringURI;
loadInfo->TriggeringPrincipal()->GetPrePath(cStringURI);
observerService->NotifyObservers(
- nullptr, "blocked-automatic-download",
+ principal, "blocked-automatic-download",
NS_ConvertASCIItoUTF16(cStringURI.get()).get());
// FIXME: In order to escape memory leaks, currently we cancel blocked
// downloads. This is temporary solution, because download data should be
@@ -1989,7 +1989,7 @@ bool nsExternalAppHandler::IsDownloadSpam(nsIChannel* aChannel) {
if (!loadInfo->GetHasValidUserGestureActivation()) {
permissionManager->AddFromPrincipal(
principal, type, nsIPermissionManager::PROMPT_ACTION,
- nsIPermissionManager::EXPIRE_NEVER, 0 /* expire time */);
+ nsIPermissionManager::EXPIRE_SESSION, 0 /* expire time */);
}
return false;
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/4a13c283b51fdf6f8748ebae9347152c59454c58...d3b18f884c127ba2cc148bf7ff00f2293745c6b3
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/4a13c283b51fdf6f8748ebae9347152c59454c58...d3b18f884c127ba2cc148bf7ff00f2293745c6b3
You're receiving this email because of your account on gitlab.torproject.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-commits/attachments/20230628/0ed6dd55/attachment-0001.htm>
More information about the tor-commits
mailing list