[tor-commits] [Git][tpo/applications/tor-browser-spec][main] Bug 40052: FF105 Audit

richard (@richard) git at gitlab.torproject.org
Wed Sep 20 20:59:33 UTC 2023 


richard pushed to branch main at The Tor Project / Applications / tor-browser-spec


Commits:
885c79fd by Richard Pospesel at 2023-09-20T20:58:45+00:00
Bug 40052: FF105 Audit

- - - - -


1 changed file:

- + audits/FF105_AUDIT


Changes:

=====================================
audits/FF105_AUDIT
=====================================
@@ -0,0 +1,86 @@
+# General
+
+The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
+
+The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
+
+`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
+
+## Firefox: https://github.com/mozilla/gecko-dev.git
+
+- Start: `a8c31da1c243a855de8c3b241a437dd1b65684d5` ( `FIREFOX_104_0_2_RELEASE` )
+- End:   `2dd649f09f70ec5b9304d62daeb427a86bbc5a36`  ( `FIREFOX_105_0_3_RELEASE` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+---
+
+## Application Services: https://github.com/mozilla/application-services.git
+
+- Start: `78b165b798118e9b5fa62af07aa44d663f386492`  ( `v94.1.0` )
+- End:   `be8254df118b2fc2aae726e1d13ca4c982bec920`  ( `v94.3.1` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+## Android Components: https://github.com/mozilla-mobile/android-components.git
+
+- Start: `b3e0289b3f07929c0403ac6e672c88b5db079748`
+- End:   `658c2d239f9aef5927f654aa36a0b0739b116d92`  ( `v105.0.8` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+## Fenix: https://github.com/mozilla-mobile/fenix.git
+
+- Start: `a5d13e2ef26d4eb98a32c94b6c6530771e90cd56` ( `v105.0b1` )
+- End:   `01fbfd63743f30ebca31bbfb775bddef94a01a3e`  ( `v105.2.0` )
+
+### Languages:
+- [x] java
+- [x] cpp
+- [x] js
+- [x] rust
+
+Nothing of interest (using `code_audit.sh`)
+
+## Ticket Review ##
+
+Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=105%20Branch&order=priority%2Cbug_severity&limit=0`
+
+#### Problematic Issues
+
+- **Use the WER runtime exception module to catch early crashes** https://bugzilla.mozilla.org/show_bug.cgi?id=1682520
+  - *RESOLUTION*: no new functionality here, just making it work better by moving the registration earlier in the Firefox boot process
+- **Add a pref to disable Spectre mitigations for Fission web content processes** https://bugzilla.mozilla.org/show_bug.cgi?id=1774178
+- **Add Surrogate COM Server to handle native Windows notifications when Firefox is closed.** https://bugzilla.mozilla.org/show_bug.cgi?id=1774083
+  - *RESOLUTOIN* COM sever registration happens in the official firefox installer which we do not use, so nothing to do here
+- **Add a cookie banner service to automatically handle website cookie banners** https://bugzilla.mozilla.org/show_bug.cgi?id=1783019
+  - *RESOLUTION* disabled this feature until fully audit, may bring back in the 13.5 time-frame
+- **Add a locale parameter to the text recognition API** https://bugzilla.mozilla.org/show_bug.cgi?id=1782579
+  - *RESOLUTION* we'v diabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
+- **Broken since Firefox 102.0: no instant fallback to direct connection when proxy became unreachable while runtime** https://bugzilla.mozilla.org/show_bug.cgi?id=1779005
+  - *RESOLUTION*: Tor Browser uses explicitly configured proxy settings so this auto-detect system is no used/does not apply to us
+- **On systems with IPv6 preferred DNS resolution clients will fail to connect when "localhost" is used as host for the WebSocket server** https://bugzilla.mozilla.org/show_bug.cgi?id=1769994
+- **Hide the text recognition context menu if the macOS version doesn't support APIs** https://bugzilla.mozilla.org/show_bug.cgi?id=1782981
+  - *RESOLUTION* we'v diabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
+- **Implement a context menu modal for text recognition** https://bugzilla.mozilla.org/show_bug.cgi?id=1782578
+  - *RESOLUTION* we've disabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
+## Export
+- [ ] Export Report and save to `tor-browser-spec/audits`
\ No newline at end of file



View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/885c79fd488e02ab8a58613f73b28b3767266574

-- 
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/commit/885c79fd488e02ab8a58613f73b28b3767266574
You're receiving this email because of your account on gitlab.torproject.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-commits/attachments/20230920/6f7a13f9/attachment-0001.htm>

More information about the tor-commits mailing list