December 2021 - tbb-commits - lists.torproject.org

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 18800: Remove localhost DNS lookup in nsProfileLock.cpp
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit ad900faec2357844ecb1fe8b1cb5247337a6f6ea Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Thu Apr 21 10:40:26 2016 -0400 Bug 18800: Remove localhost DNS lookup in nsProfileLock.cpp Instead of using the local computer's IP address within symlink-based profile lock signatures, always use 127.0.0.1. --- toolkit/profile/nsProfileLock.cpp | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/toolkit/profile/nsProfileLock.cpp b/toolkit/profile/nsProfileLock.cpp index 28d38c11684e..a1b3edc54a05 100644 --- a/toolkit/profile/nsProfileLock.cpp +++ b/toolkit/profile/nsProfileLock.cpp @@ -304,18 +304,17 @@ nsresult nsProfileLock::LockWithSymlink(nsIFile* aLockFile, if (!mReplacedLockTime) aLockFile->GetLastModifiedTimeOfLink(&mReplacedLockTime); + // For Tor Browser, avoid a DNS lookup here so the Tor network is not + // bypassed. Instead, always use 127.0.0.1 for the IP address portion + // of the lock signature, which may cause the browser to refuse to + // start in the rare event that all of the following conditions are met: + // 1. The browser profile is on a network file system. + // 2. The file system does not support fcntl() locking. + // 3. Tor Browser is run from two different computers at the same time. + struct in_addr inaddr; inaddr.s_addr = htonl(INADDR_LOOPBACK); - char hostname[256]; - PRStatus status = PR_GetSystemInfo(PR_SI_HOSTNAME, hostname, sizeof hostname); - if (status == PR_SUCCESS) { - char netdbbuf[PR_NETDB_BUF_SIZE]; - PRHostEnt hostent; - status = PR_GetHostByName(hostname, netdbbuf, sizeof netdbbuf, &hostent); - if (status == PR_SUCCESS) memcpy(&inaddr, hostent.h_addr, sizeof inaddr); - } - mozilla::SmprintfPointer signature = mozilla::Smprintf("%s:%s%lu", inet_ntoa(inaddr), aHaveFcntlLock ? "+" : "", (unsigned long)getpid());

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 11641: change TBB directory structure to be more like Firefox's
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit 3f6618418a6c4a05e61db4bdc363889df08e11a5 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Tue Apr 29 13:08:24 2014 -0400 Bug 11641: change TBB directory structure to be more like Firefox's Unless the -osint command line flag is used, the browser now defaults to the equivalent of -no-remote. There is a new -allow-remote flag that may be used to restore the original (Firefox-like) default behavior. --- toolkit/xre/nsAppRunner.cpp | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp index 351766bdbdcd..6d6238feda46 100644 --- a/toolkit/xre/nsAppRunner.cpp +++ b/toolkit/xre/nsAppRunner.cpp @@ -1837,8 +1837,10 @@ static void DumpHelp() { " --migration Start with migration wizard.\n" " --ProfileManager Start with ProfileManager.\n" #ifdef MOZ_HAS_REMOTE - " --no-remote Do not accept or send remote commands; implies\n" + " --no-remote (default) Do not accept or send remote commands; " + "implies\n" " --new-instance.\n" + " --allow-remote Accept and send remote commands.\n" " --new-instance Open new instance, not a new window in running " "instance.\n" #endif @@ -4100,16 +4102,25 @@ int XREMain::XRE_mainInit(bool* aExitFlag) { gSafeMode); #if defined(MOZ_HAS_REMOTE) + // In Tor Browser, remoting is disabled by default unless -osint is used. + bool allowRemote = (CheckArg("allow-remote") == ARG_FOUND); + bool isOsint = (CheckArg("osint", nullptr, CheckArgFlag::None) == ARG_FOUND); + if (!allowRemote && !isOsint) { + SaveToEnv("MOZ_NO_REMOTE=1"); + } // Handle --no-remote and --new-instance command line arguments. Setup // the environment to better accommodate other components and various // restart scenarios. ar = CheckArg("no-remote"); - if (ar == ARG_FOUND || EnvHasValue("MOZ_NO_REMOTE")) { + if ((ar == ARG_FOUND) && allowRemote) { + PR_fprintf(PR_STDERR, + "Error: argument --no-remote is invalid when argument " + "--allow-remote is specified\n"); + return 1; + } + if (EnvHasValue("MOZ_NO_REMOTE")) { mDisableRemoteClient = true; mDisableRemoteServer = true; - if (!EnvHasValue("MOZ_NO_REMOTE")) { - SaveToEnv("MOZ_NO_REMOTE=1"); - } } ar = CheckArg("new-instance");

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 18821: Disable libmdns for Android and Desktop
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit f639a49f45a50ef9c01bd2cda46a87b8cfd4c155 Author: Georg Koppen <gk(a)torproject.org> Date: Wed Apr 20 14:34:50 2016 +0000 Bug 18821: Disable libmdns for Android and Desktop There should be no need to remove the OS X support introduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1225726 as enabling this is governed by a preference (which is actually set to `false`). However, we remove it at build time as well (defense in depth). This is basically a backout of the relevant passages of https://hg.mozilla.org/mozilla-central/rev/6bfb430de85d, https://hg.mozilla.org/mozilla-central/rev/609b337bf7ab and https://hg.mozilla.org/mozilla-central/rev/8e092ec5fbbd. Fixed bug 21861 (Disable additional mDNS code to avoid proxy bypasses) as well. Mozilla removed the Presentation API piece of this patch in Bug 1697680. --- netwerk/dns/mdns/libmdns/components.conf | 15 --------------- netwerk/dns/mdns/libmdns/moz.build | 28 ---------------------------- 2 files changed, 43 deletions(-) diff --git a/netwerk/dns/mdns/libmdns/components.conf b/netwerk/dns/mdns/libmdns/components.conf index 6e64140c820e..1b50dbf673a4 100644 --- a/netwerk/dns/mdns/libmdns/components.conf +++ b/netwerk/dns/mdns/libmdns/components.conf @@ -5,20 +5,5 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. Classes = [ - { - 'cid': '{14a50f2b-7ff6-48a5-88e3-615fd111f5d3}', - 'contract_ids': ['@mozilla.org/toolkit/components/mdnsresponder/dns-info;1'], - 'type': 'mozilla::net::nsDNSServiceInfo', - 'headers': ['/netwerk/dns/mdns/libmdns/nsDNSServiceInfo.h'], - }, ] -if buildconfig.substs['MOZ_WIDGET_TOOLKIT'] != 'cocoa': - Classes += [ - { - 'cid': '{f9346d98-f27a-4e89-b744-493843416480}', - 'contract_ids': ['@mozilla.org/toolkit/components/mdnsresponder/dns-sd;1'], - 'jsm': 'resource://gre/modules/DNSServiceDiscovery.jsm', - 'constructor': 'nsDNSServiceDiscovery', - }, - ] diff --git a/netwerk/dns/mdns/libmdns/moz.build b/netwerk/dns/mdns/libmdns/moz.build index f9c025fa823e..e6e70a6d803c 100644 --- a/netwerk/dns/mdns/libmdns/moz.build +++ b/netwerk/dns/mdns/libmdns/moz.build @@ -4,34 +4,6 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -if CONFIG["MOZ_WIDGET_TOOLKIT"] == "cocoa": - UNIFIED_SOURCES += [ - "MDNSResponderOperator.cpp", - "MDNSResponderReply.cpp", - "nsDNSServiceDiscovery.cpp", - ] - - LOCAL_INCLUDES += [ - "/netwerk/base", - ] - -else: - EXTRA_JS_MODULES += [ - "DNSServiceDiscovery.jsm", - "fallback/DataReader.jsm", - "fallback/DataWriter.jsm", - "fallback/DNSPacket.jsm", - "fallback/DNSRecord.jsm", - "fallback/DNSResourceRecord.jsm", - "fallback/DNSTypes.jsm", - "fallback/MulticastDNS.jsm", - ] - - if CONFIG["MOZ_WIDGET_TOOLKIT"] == "android": - EXTRA_JS_MODULES += [ - "MulticastDNSAndroid.jsm", - ] - UNIFIED_SOURCES += [ "nsDNSServiceInfo.cpp", ]

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 21431: Clean-up system extensions shipped in Firefox
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit c62797ec4b9849f68b0cc29c4b6a07e73ed0fd0d Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Tue May 23 17:05:29 2017 -0400 Bug 21431: Clean-up system extensions shipped in Firefox Only ship the pdfjs extension. --- browser/components/BrowserGlue.jsm | 6 ++++++ browser/extensions/moz.build | 10 +--------- browser/installer/package-manifest.in | 1 - browser/locales/Makefile.in | 8 -------- browser/locales/jar.mn | 7 ------- 5 files changed, 7 insertions(+), 25 deletions(-) diff --git a/browser/components/BrowserGlue.jsm b/browser/components/BrowserGlue.jsm index 3beb2da3ce52..7c3a7ace3ae9 100644 --- a/browser/components/BrowserGlue.jsm +++ b/browser/components/BrowserGlue.jsm @@ -1967,6 +1967,9 @@ BrowserGlue.prototype = { const ID = "screenshots(a)mozilla.org"; const _checkScreenshotsPref = async () => { let addon = await AddonManager.getAddonByID(ID); + if (!addon) { + return; + } let disabled = Services.prefs.getBoolPref(PREF, false); if (disabled) { await addon.disable({ allowSystemAddons: true }); @@ -1983,6 +1986,9 @@ BrowserGlue.prototype = { const ID = "webcompat-reporter(a)mozilla.org"; Services.prefs.addObserver(PREF, async () => { let addon = await AddonManager.getAddonByID(ID); + if (!addon) { + return; + } let enabled = Services.prefs.getBoolPref(PREF, false); if (enabled && !addon.isActive) { await addon.enable({ allowSystemAddons: true }); diff --git a/browser/extensions/moz.build b/browser/extensions/moz.build index b3cd1f249c40..72a9c9e9a636 100644 --- a/browser/extensions/moz.build +++ b/browser/extensions/moz.build @@ -4,15 +4,7 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -DIRS += [ - "doh-rollout", - "formautofill", - "screenshots", - "webcompat", - "report-site-issue", - "pictureinpicture", - "proxy-failover", -] +DIRS += [] if CONFIG["NIGHTLY_BUILD"]: DIRS += [ diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in index fb4993acbe7f..dd71fb6e196f 100644 --- a/browser/installer/package-manifest.in +++ b/browser/installer/package-manifest.in @@ -259,7 +259,6 @@ @RESPATH@/browser/chrome/icons/default/default64.png @RESPATH@/browser/chrome/icons/default/default128.png #endif -@RESPATH@/browser/features/* ; [DevTools Startup Files] @RESPATH@/browser/chrome/devtools-startup@JAREXT@ diff --git a/browser/locales/Makefile.in b/browser/locales/Makefile.in index 496379c4306f..0946188813da 100644 --- a/browser/locales/Makefile.in +++ b/browser/locales/Makefile.in @@ -58,10 +58,6 @@ l10n-%: @$(MAKE) -C ../../toolkit/locales l10n-$* XPI_ROOT_APPID='$(XPI_ROOT_APPID)' @$(MAKE) -C ../../services/sync/locales AB_CD=$* XPI_NAME=locale-$* @$(MAKE) -C ../../extensions/spellcheck/locales AB_CD=$* XPI_NAME=locale-$* -ifneq (,$(wildcard ../extensions/formautofill/locales)) - @$(MAKE) -C ../extensions/formautofill/locales AB_CD=$* XPI_NAME=locale-$* -endif - @$(MAKE) -C ../extensions/report-site-issue/locales AB_CD=$* XPI_NAME=locale-$* @$(MAKE) -C ../../devtools/client/locales AB_CD=$* XPI_NAME=locale-$* XPI_ROOT_APPID='$(XPI_ROOT_APPID)' @$(MAKE) -C ../../devtools/startup/locales AB_CD=$* XPI_NAME=locale-$* XPI_ROOT_APPID='$(XPI_ROOT_APPID)' @$(MAKE) l10n AB_CD=$* XPI_NAME=locale-$* PREF_DIR=$(PREF_DIR) @@ -75,14 +71,10 @@ chrome-%: @$(MAKE) -C ../../toolkit/locales chrome-$* @$(MAKE) -C ../../services/sync/locales chrome AB_CD=$* @$(MAKE) -C ../../extensions/spellcheck/locales chrome AB_CD=$* -ifneq (,$(wildcard ../extensions/formautofill/locales)) - @$(MAKE) -C ../extensions/formautofill/locales chrome AB_CD=$* -endif @$(MAKE) -C ../../devtools/client/locales chrome AB_CD=$* @$(MAKE) -C ../../devtools/startup/locales chrome AB_CD=$* @$(MAKE) chrome AB_CD=$* @$(MAKE) -C $(DEPTH)/$(MOZ_BRANDING_DIRECTORY)/locales chrome AB_CD=$* - @$(MAKE) -C ../extensions/report-site-issue/locales chrome AB_CD=$* package-win32-installer: $(SUBMAKEFILES) $(MAKE) -C ../installer/windows CONFIG_DIR=l10ngen ZIP_IN='$(ZIP_OUT)' installer diff --git a/browser/locales/jar.mn b/browser/locales/jar.mn index c6fdccea7d70..90bc7a0d4757 100644 --- a/browser/locales/jar.mn +++ b/browser/locales/jar.mn @@ -48,10 +48,3 @@ # the following files are browser-specific overrides locale/browser/netError.dtd (%chrome/overrides/netError.dtd) locale/browser/appstrings.properties (%chrome/overrides/appstrings.properties) - -#ifdef XPI_NAME -# Bug 1240628, restructure how l10n repacks work with feature addons -# This is hacky, but ensures the chrome.manifest chain is complete -[.] chrome.jar: -% manifest features/chrome.manifest -#endif

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 19121: reinstate the update.xml hash check
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit 0ea6d6570d5f14321e11d9a4b17ccda55e0632f0 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Mon Apr 23 15:22:57 2018 -0400 Bug 19121: reinstate the update.xml hash check Revert most changes from Mozilla Bug 1373267 "Remove hashFunction and hashValue attributes from nsIUpdatePatch and code related to these attributes." Changes to the tests were not reverted; the tests have been changed significantly and we do not run automated updater tests for Tor Browser at this time. Also partial revert of commit f1241db6986e4b54473a1ed870f7584c75d51122. Revert the nsUpdateService.js changes from Mozilla Bug 862173 "don't verify mar file hash when using mar signing to verify the mar file (lessens main thread I/O)." Changes to the tests were not reverted; the tests have been changed significantly and we do not run automated updater tests for Tor Browser at this time. We kept the addition to the AppConstants API in case other JS code references it in the future. --- toolkit/modules/AppConstants.jsm | 7 ++++ toolkit/mozapps/update/UpdateService.jsm | 63 ++++++++++++++++++++++++++++- toolkit/mozapps/update/UpdateTelemetry.jsm | 1 + toolkit/mozapps/update/nsIUpdateService.idl | 11 +++++ 4 files changed, 81 insertions(+), 1 deletion(-) diff --git a/toolkit/modules/AppConstants.jsm b/toolkit/modules/AppConstants.jsm index ea10dc97535d..3cb1518f2ab3 100644 --- a/toolkit/modules/AppConstants.jsm +++ b/toolkit/modules/AppConstants.jsm @@ -212,6 +212,13 @@ this.AppConstants = Object.freeze({ false, #endif + MOZ_VERIFY_MAR_SIGNATURE: +#ifdef MOZ_VERIFY_MAR_SIGNATURE + true, +#else + false, +#endif + MOZ_MAINTENANCE_SERVICE: #ifdef MOZ_MAINTENANCE_SERVICE true, diff --git a/toolkit/mozapps/update/UpdateService.jsm b/toolkit/mozapps/update/UpdateService.jsm index 4d1b1c59eff5..10581c785074 100644 --- a/toolkit/mozapps/update/UpdateService.jsm +++ b/toolkit/mozapps/update/UpdateService.jsm @@ -969,6 +969,20 @@ function LOG(string) { } } +/** + * Convert a string containing binary values to hex. + */ +function binaryToHex(input) { + var result = ""; + for (var i = 0; i < input.length; ++i) { + var hex = input.charCodeAt(i).toString(16); + if (hex.length == 1) + hex = "0" + hex; + result += hex; + } + return result; +} + /** * Gets the specified directory at the specified hierarchy under the * update root directory and creates it if it doesn't exist. @@ -1988,6 +2002,8 @@ function UpdatePatch(patch) { } break; case "finalURL": + case "hashFunction": + case "hashValue": case "state": case "type": case "URL": @@ -2007,6 +2023,8 @@ UpdatePatch.prototype = { // over writing nsIUpdatePatch attributes. _attrNames: [ "errorCode", + "hashFunction", + "hashValue", "finalURL", "selected", "size", @@ -2020,6 +2038,8 @@ UpdatePatch.prototype = { */ serialize: function UpdatePatch_serialize(updates) { var patch = updates.createElementNS(URI_UPDATE_NS, "patch"); + patch.setAttribute("hashFunction", this.hashFunction); + patch.setAttribute("hashValue", this.hashValue); patch.setAttribute("size", this.size); patch.setAttribute("type", this.type); patch.setAttribute("URL", this.URL); @@ -5122,7 +5142,42 @@ Downloader.prototype = { } LOG("Downloader:_verifyDownload downloaded size == expected size."); - return true; + let fileStream = Cc["@mozilla.org/network/file-input-stream;1"]. + createInstance(Ci.nsIFileInputStream); + fileStream.init(destination, FileUtils.MODE_RDONLY, FileUtils.PERMS_FILE, 0); + + let digest; + try { + let hash = Cc["@mozilla.org/security/hash;1"]. + createInstance(Ci.nsICryptoHash); + var hashFunction = Ci.nsICryptoHash[this._patch.hashFunction.toUpperCase()]; + if (hashFunction == undefined) { + throw Cr.NS_ERROR_UNEXPECTED; + } + hash.init(hashFunction); + hash.updateFromStream(fileStream, -1); + // NOTE: For now, we assume that the format of _patch.hashValue is hex + // encoded binary (such as what is typically output by programs like + // sha1sum). In the future, this may change to base64 depending on how + // we choose to compute these hashes. + digest = binaryToHex(hash.finish(false)); + } catch (e) { + LOG("Downloader:_verifyDownload - failed to compute hash of the " + + "downloaded update archive"); + digest = ""; + } + + fileStream.close(); + + if (digest == this._patch.hashValue.toLowerCase()) { + LOG("Downloader:_verifyDownload hashes match."); + return true; + } + + LOG("Downloader:_verifyDownload hashes do not match. "); + AUSTLMY.pingDownloadCode(this.isCompleteUpdate, + AUSTLMY.DWNLD_ERR_VERIFY_NO_HASH_MATCH); + return false; }, /** @@ -5719,6 +5774,9 @@ Downloader.prototype = { " is higher than patch size: " + this._patch.size ); + // It's important that we use a different code than + // NS_ERROR_CORRUPTED_CONTENT so that tests can verify the difference + // between a hash error and a wrong download error. AUSTLMY.pingDownloadCode( this.isCompleteUpdate, AUSTLMY.DWNLD_ERR_PATCH_SIZE_LARGER @@ -5737,6 +5795,9 @@ Downloader.prototype = { " is not equal to expected patch size: " + this._patch.size ); + // It's important that we use a different code than + // NS_ERROR_CORRUPTED_CONTENT so that tests can verify the difference + // between a hash error and a wrong download error. AUSTLMY.pingDownloadCode( this.isCompleteUpdate, AUSTLMY.DWNLD_ERR_PATCH_SIZE_NOT_EQUAL diff --git a/toolkit/mozapps/update/UpdateTelemetry.jsm b/toolkit/mozapps/update/UpdateTelemetry.jsm index dae76e09acd0..df5b8917970e 100644 --- a/toolkit/mozapps/update/UpdateTelemetry.jsm +++ b/toolkit/mozapps/update/UpdateTelemetry.jsm @@ -192,6 +192,7 @@ var AUSTLMY = { DWNLD_ERR_VERIFY_NO_REQUEST: 13, DWNLD_ERR_VERIFY_PATCH_SIZE_NOT_EQUAL: 14, DWNLD_ERR_WRITE_FAILURE: 15, + DWNLD_ERR_VERIFY_NO_HASH_MATCH: 16, // Temporary failure code to see if there are failures without an update phase DWNLD_UNKNOWN_PHASE_ERR_WRITE_FAILURE: 40, diff --git a/toolkit/mozapps/update/nsIUpdateService.idl b/toolkit/mozapps/update/nsIUpdateService.idl index 78929e1cef44..5db1db71fc81 100644 --- a/toolkit/mozapps/update/nsIUpdateService.idl +++ b/toolkit/mozapps/update/nsIUpdateService.idl @@ -39,6 +39,17 @@ interface nsIUpdatePatch : nsISupports */ attribute AString finalURL; + /** + * The hash function to use when determining this file's integrity + */ + attribute AString hashFunction; + + /** + * The value of the hash function named above that should be computed if + * this file is not corrupt. + */ + attribute AString hashValue; + /** * The size of this file, in bytes. */

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 21830: Copying large text from web console leaks to /tmp
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit 6ce38d0015a8be708b29bfd5668389204a0ce810 Author: Georg Koppen <gk(a)torproject.org> Date: Fri Aug 4 05:55:49 2017 +0000 Bug 21830: Copying large text from web console leaks to /tmp Patch written by Neill Miller --- widget/nsTransferable.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/widget/nsTransferable.cpp b/widget/nsTransferable.cpp index c82549a4d1d1..f8ecfbff0983 100644 --- a/widget/nsTransferable.cpp +++ b/widget/nsTransferable.cpp @@ -33,6 +33,7 @@ Notes to self: #include "nsILoadContext.h" #include "nsXULAppAPI.h" #include "mozilla/UniquePtr.h" +#include "mozilla/Preferences.h" using namespace mozilla; @@ -195,6 +196,11 @@ nsTransferable::Init(nsILoadContext* aContext) { if (aContext) { mPrivateData = aContext->UsePrivateBrowsing(); + } else { + // without aContext here to provide PrivateBrowsing information, + // we defer to the active configured setting + mPrivateData = + mozilla::Preferences::GetBool("browser.privatebrowsing.autostart"); } #ifdef DEBUG mInitialized = true;

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 21724: Make Firefox and Tor Browser distinct macOS apps
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit afb9fe0894a24df7b7001bde64d617d983a54b72 Author: teor <teor2345(a)gmail.com> Date: Mon Mar 13 23:06:23 2017 +1100 Bug 21724: Make Firefox and Tor Browser distinct macOS apps When macOS opens a document or selects a default browser, it sometimes uses the CFBundleSignature. Changing from the Firefox MOZB signature to a different signature TORB allows macOS to distinguish between Firefox and Tor Browser. --- browser/app/Makefile.in | 2 +- browser/app/macbuild/Contents/Info.plist.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/browser/app/Makefile.in b/browser/app/Makefile.in index 54d6b43fe126..8dd3a9a65661 100644 --- a/browser/app/Makefile.in +++ b/browser/app/Makefile.in @@ -102,5 +102,5 @@ ifdef MOZ_UPDATER mv -f '$(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater' '$(dist_dest)/Contents/Library/LaunchServices' ln -s ../../../../Library/LaunchServices/org.mozilla.updater '$(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater' endif - printf APPLMOZB > '$(dist_dest)/Contents/PkgInfo' + printf APPLTORB > '$(dist_dest)/Contents/PkgInfo' endif diff --git a/browser/app/macbuild/Contents/Info.plist.in b/browser/app/macbuild/Contents/Info.plist.in index 9ceaf88f15c1..d8858e9f01bf 100644 --- a/browser/app/macbuild/Contents/Info.plist.in +++ b/browser/app/macbuild/Contents/Info.plist.in @@ -179,7 +179,7 @@ <key>CFBundleShortVersionString</key> <string>@APP_VERSION@</string> <key>CFBundleSignature</key> - <string>MOZB</string> + <string>TORB</string> <key>CFBundleURLTypes</key> <array> <dict>

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 26353: Prevent speculative connect that violated FPI.
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit 2008383403fbac672dd784269b851443e84cf3af Author: Arthur Edelstein <arthuredelstein(a)gmail.com> Date: Sat Jul 14 08:50:55 2018 -0700 Bug 26353: Prevent speculative connect that violated FPI. Connections were observed in the catch-all circuit when the user entered an https or http URL in the URL bar, or typed a search term. --- toolkit/components/remotebrowserutils/RemoteWebNavigation.jsm | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/toolkit/components/remotebrowserutils/RemoteWebNavigation.jsm b/toolkit/components/remotebrowserutils/RemoteWebNavigation.jsm index 5d46b1dd8e3b..5a1f8075d1e7 100644 --- a/toolkit/components/remotebrowserutils/RemoteWebNavigation.jsm +++ b/toolkit/components/remotebrowserutils/RemoteWebNavigation.jsm @@ -95,6 +95,9 @@ class RemoteWebNavigation { } uri = Services.uriFixup.getFixupURIInfo(aURI, fixupFlags).preferredURI; +/******************************************************************************* + TOR BROWSER: Disable the following speculative connect until + we can make it properly obey first-party isolation. // We know the url is going to be loaded, let's start requesting network // connection before the content process asks. @@ -118,6 +121,7 @@ class RemoteWebNavigation { } Services.io.speculativeConnect(uri, principal, null); } +*******************************************************************************/ } catch (ex) { // Can't setup speculative connection for this uri string for some // reason (such as failing to parse the URI), just ignore it.

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 28369: Stop shipping pingsender executable
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit 73018c6ed456d16ac744499d83fb1bbd0f7f364f Author: Alex Catarineu <acat(a)torproject.org> Date: Wed Apr 10 17:52:51 2019 +0200 Bug 28369: Stop shipping pingsender executable --- browser/app/macbuild/Contents/MacOS-files.in | 1 - browser/installer/package-manifest.in | 4 ---- browser/installer/windows/nsis/shared.nsh | 1 - python/mozbuild/mozbuild/artifacts.py | 2 -- toolkit/components/telemetry/app/TelemetrySend.jsm | 19 +------------------ toolkit/components/telemetry/moz.build | 4 ---- 6 files changed, 1 insertion(+), 30 deletions(-) diff --git a/browser/app/macbuild/Contents/MacOS-files.in b/browser/app/macbuild/Contents/MacOS-files.in index 6f0b4481473b..6e8a1689ea19 100644 --- a/browser/app/macbuild/Contents/MacOS-files.in +++ b/browser/app/macbuild/Contents/MacOS-files.in @@ -17,7 +17,6 @@ #if defined(MOZ_CRASHREPORTER) /minidump-analyzer #endif -/pingsender /pk12util /ssltunnel /xpcshell diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in index dd71fb6e196f..edfc2daf9d40 100644 --- a/browser/installer/package-manifest.in +++ b/browser/installer/package-manifest.in @@ -438,10 +438,6 @@ bin/libfreebl_64int_3.so @BINPATH@/minidump-analyzer@BIN_SUFFIX@ #endif -; [ Ping Sender ] -; -@BINPATH@/pingsender@BIN_SUFFIX@ - ; Shutdown Terminator @RESPATH@/components/terminator.manifest diff --git a/browser/installer/windows/nsis/shared.nsh b/browser/installer/windows/nsis/shared.nsh index beeb67211e47..7439ffd33e3e 100755 --- a/browser/installer/windows/nsis/shared.nsh +++ b/browser/installer/windows/nsis/shared.nsh @@ -1478,7 +1478,6 @@ ${RemoveDefaultBrowserAgentShortcut} Push "crashreporter.exe" Push "default-browser-agent.exe" Push "minidump-analyzer.exe" - Push "pingsender.exe" Push "updater.exe" Push "mozwer.dll" Push "${FileMainEXE}" diff --git a/python/mozbuild/mozbuild/artifacts.py b/python/mozbuild/mozbuild/artifacts.py index ee05eb2b2e88..f99f08b21d1c 100644 --- a/python/mozbuild/mozbuild/artifacts.py +++ b/python/mozbuild/mozbuild/artifacts.py @@ -506,7 +506,6 @@ class LinuxArtifactJob(ArtifactJob): "{product}/{product}", "{product}/{product}-bin", "{product}/minidump-analyzer", - "{product}/pingsender", "{product}/plugin-container", "{product}/updater", "{product}/**/*.so", @@ -561,7 +560,6 @@ class MacArtifactJob(ArtifactJob): "{product}-bin", "*.dylib", "minidump-analyzer", - "pingsender", "plugin-container.app/Contents/MacOS/plugin-container", "updater.app/Contents/MacOS/org.mozilla.updater", # 'xpcshell', diff --git a/toolkit/components/telemetry/app/TelemetrySend.jsm b/toolkit/components/telemetry/app/TelemetrySend.jsm index 0da39d85ad33..c87a281019e4 100644 --- a/toolkit/components/telemetry/app/TelemetrySend.jsm +++ b/toolkit/components/telemetry/app/TelemetrySend.jsm @@ -1595,23 +1595,6 @@ var TelemetrySendImpl = { }, runPingSender(pings, observer) { - if (AppConstants.platform === "android") { - throw Components.Exception("", Cr.NS_ERROR_NOT_IMPLEMENTED); - } - - const exeName = - AppConstants.platform === "win" ? "pingsender.exe" : "pingsender"; - - let exe = Services.dirsvc.get("GreBinD", Ci.nsIFile); - exe.append(exeName); - - let params = pings.flatMap(ping => [ping.url, ping.path]); - let process = Cc["@mozilla.org/process/util;1"].createInstance( - Ci.nsIProcess - ); - process.init(exe); - process.startHidden = true; - process.noShell = true; - process.runAsync(params, params.length, observer); + throw Components.Exception("", Cr.NS_ERROR_NOT_IMPLEMENTED); }, }; diff --git a/toolkit/components/telemetry/moz.build b/toolkit/components/telemetry/moz.build index 3eee4e938c4e..cedf9b313d9c 100644 --- a/toolkit/components/telemetry/moz.build +++ b/toolkit/components/telemetry/moz.build @@ -8,10 +8,6 @@ include("/ipc/chromium/chromium-config.mozbuild") FINAL_LIBRARY = "xul" -DIRS = [ - "pingsender", -] - DEFINES["MOZ_APP_VERSION"] = '"%s"' % CONFIG["MOZ_APP_VERSION"] LOCAL_INCLUDES += [

1 0

[tor-browser/tor-browser-91.4.0esr-11.0-1] Bug 13379: Sign our MAR files.
by sysrqb＠torproject.org 02 Dec '21

02 Dec '21

commit a1f6119151fb79316d1c43d8b5cac743e2f7a68a Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Wed Dec 17 16:37:11 2014 -0500 Bug 13379: Sign our MAR files. Configure with --enable-verify-mar (when updating, require a valid signature on the MAR file before it is applied). Use the Tor Browser version instead of the Firefox version inside the MAR file info block (necessary to prevent downgrade attacks). Use NSS on all platforms for checking MAR signatures (instead of using OS-native APIs, which Mozilla does on Mac OS and Windows). So that the NSS and NSPR libraries the updater depends on can be found at runtime, we add the firefox directory to the shared library search path on macOS. On Linux, rpath is used by Mozilla to solve that problem, but that approach won't work on macOS because the updater executable is copied during the update process to a location that is under TorBrowser-Data, and the location of TorBrowser-Data varies. Also includes the fix for bug 18900. --- .mozconfig | 1 + .mozconfig-asan | 1 + .mozconfig-mac | 1 + .mozconfig-mingw | 1 + modules/libmar/tool/mar.c | 6 +-- modules/libmar/tool/moz.build | 12 ++++-- modules/libmar/verify/moz.build | 14 +++--- .../mozapps/update/updater/updater-common.build | 24 +++++++++-- toolkit/mozapps/update/updater/updater.cpp | 25 +++++++---- toolkit/xre/moz.build | 3 ++ toolkit/xre/nsUpdateDriver.cpp | 50 ++++++++++++++++++++++ 11 files changed, 113 insertions(+), 25 deletions(-) diff --git a/.mozconfig b/.mozconfig index 18cd1f9b6487..c50c57d410de 100755 --- a/.mozconfig +++ b/.mozconfig @@ -37,3 +37,4 @@ ac_add_options MOZ_TELEMETRY_REPORTING= ac_add_options --disable-tor-launcher ac_add_options --with-tor-browser-version=dev-build ac_add_options --disable-tor-browser-update +ac_add_options --enable-verify-mar diff --git a/.mozconfig-asan b/.mozconfig-asan index 98ea6ac6f3fe..8bee813bfee8 100644 --- a/.mozconfig-asan +++ b/.mozconfig-asan @@ -30,6 +30,7 @@ ac_add_options --enable-official-branding ac_add_options --enable-default-toolkit=cairo-gtk3 ac_add_options --enable-tor-browser-update +ac_add_options --enable-verify-mar ac_add_options --disable-strip ac_add_options --disable-install-strip diff --git a/.mozconfig-mac b/.mozconfig-mac index 26e2b6b92fdb..5b4624ef1f67 100644 --- a/.mozconfig-mac +++ b/.mozconfig-mac @@ -43,6 +43,7 @@ ac_add_options --disable-debug ac_add_options --enable-tor-browser-data-outside-app-dir ac_add_options --enable-tor-browser-update +ac_add_options --enable-verify-mar ac_add_options --disable-crashreporter ac_add_options --disable-webrtc diff --git a/.mozconfig-mingw b/.mozconfig-mingw index 3ec6ff18a3e9..ce6ace1dad67 100644 --- a/.mozconfig-mingw +++ b/.mozconfig-mingw @@ -15,6 +15,7 @@ ac_add_options --enable-strip ac_add_options --enable-official-branding ac_add_options --enable-tor-browser-update +ac_add_options --enable-verify-mar ac_add_options --disable-bits-download # Let's make sure no preference is enabling either Adobe's or Google's CDM. diff --git a/modules/libmar/tool/mar.c b/modules/libmar/tool/mar.c index 0bf2cb4bd1d4..ea2b79924914 100644 --- a/modules/libmar/tool/mar.c +++ b/modules/libmar/tool/mar.c @@ -65,7 +65,7 @@ static void print_usage() { "signed_input_archive.mar base_64_encoded_signature_file " "changed_signed_output.mar\n"); printf("(i) is the index of the certificate to extract\n"); -# if defined(XP_MACOSX) || (defined(XP_WIN) && !defined(MAR_NSS)) +# if (defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS) printf("Verify a MAR file:\n"); printf(" mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n"); printf( @@ -149,7 +149,7 @@ int main(int argc, char** argv) { memset((void*)certBuffers, 0, sizeof(certBuffers)); #endif #if !defined(NO_SIGN_VERIFY) && \ - ((!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX)) + (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX))) memset(DERFilePaths, 0, sizeof(DERFilePaths)); memset(fileSizes, 0, sizeof(fileSizes)); #endif @@ -181,7 +181,7 @@ int main(int argc, char** argv) { argc -= 2; } #if !defined(NO_SIGN_VERIFY) -# if (!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX) +# if (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX))) /* -D DERFilePath, also matches -D[index] DERFilePath We allow an index for verifying to be symmetric with the import and export command line arguments. */ diff --git a/modules/libmar/tool/moz.build b/modules/libmar/tool/moz.build index a6d26c66a668..d6fa1677ddf1 100644 --- a/modules/libmar/tool/moz.build +++ b/modules/libmar/tool/moz.build @@ -43,15 +43,21 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging": "verifymar", ] + if CONFIG["TOR_BROWSER_UPDATE"]: + DEFINES["MAR_NSS"] = True + if CONFIG["OS_ARCH"] == "WINNT": USE_STATIC_LIBS = True OS_LIBS += [ "ws2_32", - "crypt32", - "advapi32", ] - elif CONFIG["OS_ARCH"] == "Darwin": + if not CONFIG["TOR_BROWSER_UPDATE"]: + OS_LIBS += [ + "crypt32", + "advapi32", + ] + elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["TOR_BROWSER_UPDATE"]: OS_LIBS += [ "-framework Security", ] diff --git a/modules/libmar/verify/moz.build b/modules/libmar/verify/moz.build index b07475655f0d..03718eee50b4 100644 --- a/modules/libmar/verify/moz.build +++ b/modules/libmar/verify/moz.build @@ -16,15 +16,12 @@ FORCE_STATIC_LIB = True if CONFIG["OS_ARCH"] == "WINNT": USE_STATIC_LIBS = True elif CONFIG["OS_ARCH"] == "Darwin": - UNIFIED_SOURCES += [ - "MacVerifyCrypto.cpp", - ] - OS_LIBS += [ - "-framework Security", + USE_LIBS += [ + "nspr", + "nss", + "signmar", ] else: - DEFINES["MAR_NSS"] = True - LOCAL_INCLUDES += ["../sign"] USE_LIBS += [ "nspr", "nss", @@ -38,6 +35,9 @@ else: "-Wl,-rpath=\\$$ORIGIN", ] +DEFINES["MAR_NSS"] = True +LOCAL_INCLUDES += ["../sign"] + LOCAL_INCLUDES += [ "../src", ] diff --git a/toolkit/mozapps/update/updater/updater-common.build b/toolkit/mozapps/update/updater/updater-common.build index 13926ea82046..a4173889271b 100644 --- a/toolkit/mozapps/update/updater/updater-common.build +++ b/toolkit/mozapps/update/updater/updater-common.build @@ -4,6 +4,10 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. +DEFINES["MAR_NSS"] = True + +link_with_nss = DEFINES["MAR_NSS"] or (CONFIG["OS_ARCH"] == "Linux" and CONFIG["MOZ_VERIFY_MAR_SIGNATURE"]) + srcs = [ "archivereader.cpp", "updater.cpp", @@ -36,10 +40,14 @@ if CONFIG["OS_ARCH"] == "WINNT": "ws2_32", "shell32", "shlwapi", - "crypt32", - "advapi32", ] + if not link_with_nss: + OS_LIBS += [ + "crypt32", + "advapi32", + ] + USE_LIBS += [ "bspatch", "mar", @@ -47,6 +55,13 @@ USE_LIBS += [ "xz-embedded", ] +if link_with_nss: + USE_LIBS += [ + "nspr", + "nss", + "signmar", + ] + if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk": have_progressui = 1 srcs += [ @@ -61,9 +76,12 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] == "cocoa": ] OS_LIBS += [ "-framework Cocoa", - "-framework Security", "-framework SystemConfiguration", ] + if not link_with_nss: + OS_LIBS += [ + "-framework Security", + ] UNIFIED_SOURCES += [ "/toolkit/xre/updaterfileutils_osx.mm", ] diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp index 646261c70967..70ca36dcc3d2 100644 --- a/toolkit/mozapps/update/updater/updater.cpp +++ b/toolkit/mozapps/update/updater/updater.cpp @@ -110,9 +110,11 @@ struct UpdateServerThreadArgs { # define stat64 stat #endif -#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && !defined(XP_MACOSX) -# include "nss.h" -# include "prerror.h" +#if defined(MOZ_VERIFY_MAR_SIGNATURE) +# if defined(MAR_NSS) || (!defined(XP_WIN) && !defined(XP_MACOSX)) +# include "nss.h" +# include "prerror.h" +# endif #endif #include "crctable.h" @@ -2726,8 +2728,13 @@ static void UpdateThreadFunc(void* param) { if (ReadMARChannelIDs(updateSettingsPath, &MARStrings) != OK) { rv = UPDATE_SETTINGS_FILE_CHANNEL; } else { +# ifdef TOR_BROWSER_UPDATE + const char* appVersion = TOR_BROWSER_VERSION_QUOTED; +# else + const char* appVersion = MOZ_APP_VERSION; +# endif rv = gArchiveReader.VerifyProductInformation( - MARStrings.MARChannelID.get(), MOZ_APP_VERSION); + MARStrings.MARChannelID.get(), appVersion); } } } @@ -2957,11 +2964,10 @@ int NS_main(int argc, NS_tchar** argv) { } #endif -#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && !defined(XP_MACOSX) - // On Windows and Mac we rely on native APIs to do verifications so we don't - // need to initialize NSS at all there. - // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS - // databases. +#if defined(MOZ_VERIFY_MAR_SIGNATURE) +# if defined(MAR_NSS) || (!defined(XP_WIN) && !defined(XP_MACOSX)) + // If using NSS for signature verification, initialize NSS but minimize + // the portion we depend on by avoiding all of the NSS databases. if (NSS_NoDB_Init(nullptr) != SECSuccess) { PRErrorCode error = PR_GetError(); fprintf(stderr, "Could not initialize NSS: %s (%d)", PR_ErrorToName(error), @@ -2969,6 +2975,7 @@ int NS_main(int argc, NS_tchar** argv) { _exit(1); } #endif +#endif #ifdef XP_MACOSX if (!isElevated) { diff --git a/toolkit/xre/moz.build b/toolkit/xre/moz.build index 90d06481ee9e..56a2d7173d3c 100644 --- a/toolkit/xre/moz.build +++ b/toolkit/xre/moz.build @@ -233,6 +233,9 @@ for var in ("APP_VERSION", "APP_ID"): if CONFIG["MOZ_BUILD_APP"] == "browser": DEFINES["MOZ_BUILD_APP_IS_BROWSER"] = True +if CONFIG['TOR_BROWSER_UPDATE']: + DEFINES['MAR_NSS'] = True + LOCAL_INCLUDES += [ "../../other-licenses/nsis/Contrib/CityHash/cityhash", "../components/find", diff --git a/toolkit/xre/nsUpdateDriver.cpp b/toolkit/xre/nsUpdateDriver.cpp index f83f28288786..4d2ca85928a9 100644 --- a/toolkit/xre/nsUpdateDriver.cpp +++ b/toolkit/xre/nsUpdateDriver.cpp @@ -366,6 +366,42 @@ static nsresult GetUpdateDirFromAppDir(nsIFile* aAppDir, nsIFile** aResult) { # endif #endif +#if defined(TOR_BROWSER_UPDATE) && defined(MOZ_VERIFY_MAR_SIGNATURE) && \ + defined(MAR_NSS) && defined(XP_MACOSX) +/** + * Ideally we would save and restore the original library path value after + * the updater finishes its work (and before firefox is re-launched). + * Doing so would avoid potential problems like the following bug: + * https://bugzilla.mozilla.org/show_bug.cgi?id=1434033 + */ +/** + * Appends the specified path to the library path. + * This is used so that the updater can find libnss3.dylib and other + * shared libs. + * + * @param pathToAppend A new library path to prepend to the dynamic linker's + * search path. + */ +# include "prprf.h" +# define PATH_SEPARATOR ":" +# define LD_LIBRARY_PATH_ENVVAR_NAME "DYLD_LIBRARY_PATH" +static void AppendToLibPath(const char* pathToAppend) { + char* pathValue = getenv(LD_LIBRARY_PATH_ENVVAR_NAME); + if (nullptr == pathValue || '\0' == *pathValue) { + // Leak the string because that is required by PR_SetEnv. + char* s = + Smprintf("%s=%s", LD_LIBRARY_PATH_ENVVAR_NAME, pathToAppend).release(); + PR_SetEnv(s); + } else { + // Leak the string because that is required by PR_SetEnv. + char* s = Smprintf("%s=%s" PATH_SEPARATOR "%s", LD_LIBRARY_PATH_ENVVAR_NAME, + pathToAppend, pathValue) + .release(); + PR_SetEnv(s); + } +} +#endif + /** * Applies, switches, or stages an update. * @@ -612,6 +648,20 @@ static void ApplyUpdate(nsIFile* greDir, nsIFile* updateDir, nsIFile* appDir, PR_SetEnv("MOZ_SAFE_MODE_RESTART=1"); } +#if defined(TOR_BROWSER_UPDATE) && defined(MOZ_VERIFY_MAR_SIGNATURE) && \ + defined(MAR_NSS) && defined(XP_MACOSX) + // On macOS, append the app directory to the shared library search path + // so the system can locate the shared libraries that are needed by the + // updater, e.g., libnss3.dylib). + nsAutoCString appPath; + nsresult rv2 = appDir->GetNativePath(appPath); + if (NS_SUCCEEDED(rv2)) { + AppendToLibPath(appPath.get()); + } else { + LOG(("ApplyUpdate -- appDir->GetNativePath() failed (0x%x)\n", rv2)); + } +#endif + LOG(("spawning updater process [%s]\n", updaterPath.get())); #ifdef DEBUG dump_argv("ApplyUpdate updater", argv, argc);

1 0