- tbb-commits - lists.torproject.org

[torbutton] branch main updated: Bug 41353 (Update DnD filter)
by gitolite role 27 Oct '22

27 Oct '22

This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch main in repository torbutton. The following commit(s) were added to refs/heads/main by this push: new dee999c4 Bug 41353 (Update DnD filter) dee999c4 is described below commit dee999c4466336928cf556291443ed05076bc382 Author: ma1 <giorgio(a)maone.net> AuthorDate: Thu Oct 27 17:18:37 2022 +0000 Bug 41353 (Update DnD filter) --- components/dragDropFilter.js | 74 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 57 insertions(+), 17 deletions(-) diff --git a/components/dragDropFilter.js b/components/dragDropFilter.js index 4b76bd10..f763595b 100644 --- a/components/dragDropFilter.js +++ b/components/dragDropFilter.js @@ -21,6 +21,47 @@ const kMODULE_CID = Components.ID("f605ec27-d867-44b5-ad97-2a29276642c3"); const kInterfaces = [Ci.nsIObserver, Ci.nsIClassInfo]; +const URLISH_TYPES = Object.freeze([ + "text/x-moz-url", + "text/x-moz-url-data", + "text/uri-list", + "application/x-moz-file-promise-url", +]); + +/* + Returns true if the text resembles a URL or even just a hostname + in a way that may prompt the O.S. or other applications to send out a + validation DNS query, if not a full request (e.g. " torproject.org", + even with the leading whitespace). +*/ +function isURLish(text) { + // Ignore leading whitespace. + text = text.trim(); + + // Without any protocol or dot in the first chunk, this is unlikely + // to be considered URLish (exception: localhost, but we don't care). + if (!/^[a-z][a-z0-9+-]*:\/\//i.test(text)) { + // no protocol + if (!/^[^.\s\/]+\.[^.\s\/]/.test(text)) { + // no dot + return false; + } + // Prepare for hostname validation via relative URL building. + text = `//${text}`; + } + // Validate URL or hostname. + try { + new URL(text, "https://localhost"); + return true; + } catch (e) { + // invalid URL, bail out + } + return false; +} + +// Returns true if any chunk of text is URLish +const hasURLish = text => text.split(/[^\p{L}_.-:\/%~@$-]+/u).some(isURLish); + function DragDropFilter() { this.logger = Cc["@torproject.org/torbutton-logger;1"].getService( Ci.nsISupports @@ -63,25 +104,24 @@ DragDropFilter.prototype = { }, filterDataTransferURLs(aDataTransfer) { - var types = null; - var type = ""; - var count = aDataTransfer.mozItemCount; - var len = 0; - for (var i = 0; i < count; ++i) { - this.logger.log(3, "Inspecting the data transfer: " + i); - types = aDataTransfer.mozTypesAt(i); - len = types.length; - for (var j = 0; j < len; ++j) { - type = types[j]; - this.logger.log(3, "Type is: " + type); + for (let i = 0, count = aDataTransfer.mozItemCount; i < count; ++i) { + this.logger.log(3, `Inspecting the data transfer: ${i}.`); + const types = aDataTransfer.mozTypesAt(i); + for (const type of types) { + this.logger.log(3, `Type is: ${type}.`); if ( - type == "text/x-moz-url" || - type == "text/x-moz-url-data" || - type == "text/uri-list" || - type == "application/x-moz-file-promise-url" + URLISH_TYPES.includes(type) || + ((type === "text/plain" || type === "text/html") && + hasURLish(aDataTransfer.getData(type))) ) { - aDataTransfer.clearData(type); - this.logger.log(3, "Removing " + type); + this.logger.log( + 3, + `Removing transfer data ${aDataTransfer.getData(type)}` + ); + for (const type of types) { + aDataTransfer.clearData(type); + } + break; } } } -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0

[builders/tor-browser-build] branch main updated: Bug 40659: Add project for gspt as it's now being included with the introduction of go 1.19 and it's new target of 'unix' which packages previously in error used to gate importing this package from
by gitolite role 27 Oct '22

27 Oct '22

This is an automated email from the git hooks/post-receive script. pierov pushed a commit to branch main in repository builders/tor-browser-build. The following commit(s) were added to refs/heads/main by this push: new 00686946 Bug 40659: Add project for gspt as it's now being included with the introduction of go 1.19 and it's new target of 'unix' which packages previously in error used to gate importing this package from 00686946 is described below commit 00686946765517de6277c41702f1b39dc5a05ab7 Author: Dan Ballard <dan(a)mindstab.net> AuthorDate: Thu Oct 27 09:36:27 2022 -0700 Bug 40659: Add project for gspt as it's now being included with the introduction of go 1.19 and it's new target of 'unix' which packages previously in error used to gate importing this package from --- projects/goservice/config | 3 +++ projects/{goservice => gspt}/config | 23 +++-------------------- projects/ncdns/config | 3 +++ 3 files changed, 9 insertions(+), 20 deletions(-) diff --git a/projects/goservice/config b/projects/goservice/config index 9aff8ebe..8195e388 100644 --- a/projects/goservice/config +++ b/projects/goservice/config @@ -13,6 +13,7 @@ var: go_lib_deps: - gosvcutils - goeasyconfig + - gspt build_go_lib_pre: | [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %] @@ -43,3 +44,5 @@ input_files: project: gosvcutils - name: goeasyconfig project: goeasyconfig + - name: gspt + project: gspt diff --git a/projects/goservice/config b/projects/gspt/config similarity index 63% copy from projects/goservice/config copy to projects/gspt/config index 9aff8ebe..8bbfaa0d 100644 --- a/projects/goservice/config +++ b/projects/gspt/config @@ -1,7 +1,7 @@ # vim: filetype=yaml sw=2 version: '[% c("abbrev") %]' -git_url: https://github.com/hlandau/service.git -git_hash: 0496f910e39ef577ba805f512f6e1b80d652c4b9 +git_url: https://github.com/erikdubbelboer/gspt +git_hash: ce36a512837778923c9202c819eb6a3435f9d21d filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz' container: use_container: 1 @@ -9,10 +9,7 @@ container: build: '[% c("projects/go/var/build_go_lib") %]' var: - go_lib: gopkg.in/hlandau/service.v2 - go_lib_deps: - - gosvcutils - - goeasyconfig + go_lib: github.com/erikdubbelboer/gspt build_go_lib_pre: | [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %] @@ -21,16 +18,6 @@ var: export CGO_ENABLED=1 -targets: - linux-i686: - var: - arch_deps: - - libcap-dev:i386 - linux-x86_64: - var: - arch_deps: - - libcap-dev - input_files: - project: container-image - name: go @@ -39,7 +26,3 @@ input_files: project: '[% c("var/compiler") %]' - name: binutils project: binutils - - name: gosvcutils - project: gosvcutils - - name: goeasyconfig - project: goeasyconfig diff --git a/projects/ncdns/config b/projects/ncdns/config index 9ee20970..3ddcdb74 100644 --- a/projects/ncdns/config +++ b/projects/ncdns/config @@ -27,6 +27,7 @@ var: - goeasyconfig - goservice - goxnet + - gspt go_lib_install: - github.com/namecoin/ncdns - github.com/namecoin/ncdns/backend @@ -81,3 +82,5 @@ input_files: project: godegoutils - name: goxnet project: goxnet + - name: gspt + project: gspt \ No newline at end of file -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0

[Git][tpo/applications/fenix][tor-browser-102.2.1-12.0-1] squash! Add Tor integration and UI
by Pier Angelo Vendrame (＠pierov) 27 Oct '22

27 Oct '22

Pier Angelo Vendrame pushed to branch tor-browser-102.2.1-12.0-1 at The Tor Project / Applications / fenix Commits: e1146f6e by Pier Angelo Vendrame at 2022-10-27T15:21:36+00:00 squash! Add Tor integration and UI Bug 41394: Implement a setting to always prioritize Onion sites. - - - - - 6 changed files: - app/src/main/java/org/mozilla/fenix/components/Core.kt - app/src/main/java/org/mozilla/fenix/settings/SettingsFragment.kt - app/src/main/java/org/mozilla/fenix/utils/Settings.kt - app/src/main/res/values/preference_keys.xml - app/src/main/res/values/torbrowser_strings.xml - app/src/main/res/xml/preferences.xml Changes: ===================================== app/src/main/java/org/mozilla/fenix/components/Core.kt ===================================== @@ -133,7 +133,8 @@ class Core( ), httpsOnlyMode = context.settings().getHttpsOnlyMode(), torSecurityLevel = context.settings().torSecurityLevel().intRepresentation, - spoofEnglish = context.settings().spoofEnglish + spoofEnglish = context.settings().spoofEnglish, + prioritizeOnions = context.settings().prioritizeOnions ) GeckoEngine( ===================================== app/src/main/java/org/mozilla/fenix/settings/SettingsFragment.kt ===================================== @@ -429,8 +429,10 @@ class SettingsFragment : PreferenceFragmentCompat() { } private fun setupPreferences() { + val prioritizeOnionsKey = getPreferenceKey(R.string.pref_key_tor_prioritize_onions) val leakKey = getPreferenceKey(R.string.pref_key_leakcanary) val debuggingKey = getPreferenceKey(R.string.pref_key_remote_debugging) + val preferencePrioritizeOnions = findPreference<Preference>(prioritizeOnionsKey) val preferenceLeakCanary = findPreference<Preference>(leakKey) val preferenceRemoteDebugging = findPreference<Preference>(debuggingKey) val preferenceMakeDefaultBrowser = @@ -442,6 +444,11 @@ class SettingsFragment : PreferenceFragmentCompat() { onPreferenceChangeListener = SharedPreferenceUpdater() } + preferencePrioritizeOnions?.setOnPreferenceChangeListener<Boolean> { preference, newValue -> + preference.context.components.core.engine.settings.prioritizeOnions = newValue + true + } + if (!Config.channel.isReleased) { preferenceLeakCanary?.setOnPreferenceChangeListener { _, newValue -> val isEnabled = newValue == true ===================================== app/src/main/java/org/mozilla/fenix/utils/Settings.kt ===================================== @@ -243,6 +243,11 @@ class Settings(private val appContext: Context) : PreferencesHolder { default = false ) + var prioritizeOnions by booleanPreference( + appContext.getPreferenceKey(R.string.pref_key_tor_prioritize_onions), + default = false + ) + var defaultSearchEngineName by stringPreference( appContext.getPreferenceKey(R.string.pref_key_search_engine), default = "" ===================================== app/src/main/res/values/preference_keys.xml ===================================== @@ -323,4 +323,6 @@ <string name="pref_key_tor_network_settings_bridges_enabled">pref_key_tor_network_settings_bridges_enabled</string> <string name="pref_key_spoof_english" translatable="false">pref_key_spoof_english</string> + + <string name="pref_key_tor_prioritize_onions" translatable="false">pref_key_tor_prioritize_onions</string> </resources> ===================================== app/src/main/res/values/torbrowser_strings.xml ===================================== @@ -73,6 +73,9 @@  <string name="tor_spoof_english">Request English versions of web pages for enhanced privacy</string> +  + <string name="preferences_tor_prioritize_onions">Prioritize .onion sites</string> +   ===================================== app/src/main/res/xml/preferences.xml ===================================== @@ -124,6 +124,11 @@ android:key="@string/pref_key_tor_network_settings" android:title="@string/preferences_tor_network_settings" /> + <SwitchPreference + app:iconSpaceReserved="false" + android:key="@string/pref_key_tor_prioritize_onions" + android:title="@string/preferences_tor_prioritize_onions" /> + <androidx.preference.Preference android:key="@string/pref_key_tracking_protection_settings" app:iconSpaceReserved="false" View it on GitLab: https://gitlab.torproject.org/tpo/applications/fenix/-/commit/e1146f6e2b569… -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/fenix/-/commit/e1146f6e2b569… You're receiving this email because of your account on gitlab.torproject.org.

1 0

[tor-browser] branch tor-browser-102.4.0esr-12.0-1 updated: fixup! Base Browser's .mozconfigs.
by gitolite role 27 Oct '22

27 Oct '22

This is an automated email from the git hooks/post-receive script. pierov pushed a commit to branch tor-browser-102.4.0esr-12.0-1 in repository tor-browser. The following commit(s) were added to refs/heads/tor-browser-102.4.0esr-12.0-1 by this push: new 80d85a588080 fixup! Base Browser's .mozconfigs. 80d85a588080 is described below commit 80d85a588080fd31df96773fb2e2c0019e1c6752 Author: Pier Angelo Vendrame <pierov(a)torproject.org> AuthorDate: Thu Oct 27 15:11:21 2022 +0200 fixup! Base Browser's .mozconfigs. --- browser/config/mozconfigs/base-browser | 4 ++++ browser/config/mozconfigs/base-browser-android | 7 +++++-- mozconfig-linux-x86_64-dev | 2 -- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/browser/config/mozconfigs/base-browser b/browser/config/mozconfigs/base-browser index 82b224f43ed1..064685670934 100644 --- a/browser/config/mozconfigs/base-browser +++ b/browser/config/mozconfigs/base-browser @@ -37,3 +37,7 @@ ac_add_options --enable-base-browser # Disable telemetry ac_add_options MOZ_TELEMETRY_REPORTING= + +if test -z "$WASI_SYSROOT"; then + ac_add_options --without-wasm-sandboxed-libraries +fi diff --git a/browser/config/mozconfigs/base-browser-android b/browser/config/mozconfigs/base-browser-android index 744485d846f6..78c5e4c3c08e 100644 --- a/browser/config/mozconfigs/base-browser-android +++ b/browser/config/mozconfigs/base-browser-android @@ -36,11 +36,14 @@ ac_add_options --enable-base-browser # Disable telemetry ac_add_options MOZ_TELEMETRY_REPORTING= -if test ! -z "$LOCAL_DEV_BUILD"; then - ac_add_options --without-wasm-sandboxed-libraries +if test -n "$LOCAL_DEV_BUILD"; then # You must use the "default" bogus channel for dev builds ac_add_options --enable-update-channel=default else # We only use beta GeckoView for now, for official builds ac_add_options --enable-update-channel=beta fi + +if test -z "$WASI_SYSROOT"; then + ac_add_options --without-wasm-sandboxed-libraries +fi diff --git a/mozconfig-linux-x86_64-dev b/mozconfig-linux-x86_64-dev index af79d8699d71..9740e0c92de9 100644 --- a/mozconfig-linux-x86_64-dev +++ b/mozconfig-linux-x86_64-dev @@ -11,7 +11,5 @@ ac_add_options --enable-default-toolkit=cairo-gtk3 ac_add_options --disable-strip ac_add_options --disable-install-strip -ac_add_options --without-wasm-sandboxed-libraries - ac_add_options --disable-tor-browser-update ac_add_options --with-tor-browser-version=dev-build -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0

[tor-browser] branch tor-browser-102.4.0esr-12.0-1 updated (836aa1709778 -> 3cb75bc95e49)
by gitolite role 27 Oct '22

27 Oct '22

This is an automated email from the git hooks/post-receive script. pierov pushed a change to branch tor-browser-102.4.0esr-12.0-1 in repository tor-browser. from 836aa1709778 fixup! Bug 40562: Added Tor-related preferences to 000-tor-browser.js new dcbd56483f29 fixup! Bug 40209: Implement Basic Crypto Safety new 75b9985f4bdb fixup! Bug 30237: Add v3 onion services client authentication prompt new 3cb75bc95e49 fixup! Bug 40458: Implement .tor.onion aliases The 3 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: browser/actors/CryptoSafetyParent.jsm | 2 +- .../components/onionservices/content/authPreferences.css | 6 +++++- browser/components/rulesets/content/aboutRulesets.css | 14 -------------- browser/components/rulesets/content/aboutRulesets.html | 3 --- 4 files changed, 6 insertions(+), 19 deletions(-) -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 3

[builders/tor-browser-build] branch main updated: Bug 40655: Published tor-expert-bundle tar.gz files should not include their tor-browser-build build id
by gitolite role 27 Oct '22

27 Oct '22

This is an automated email from the git hooks/post-receive script. boklm pushed a commit to branch main in repository builders/tor-browser-build. The following commit(s) were added to refs/heads/main by this push: new 4ad3333c Bug 40655: Published tor-expert-bundle tar.gz files should not include their tor-browser-build build id 4ad3333c is described below commit 4ad3333c2d10355407603593a01432c79647e006 Author: Richard Pospesel <richard(a)torproject.org> AuthorDate: Fri Oct 21 19:35:40 2022 +0000 Bug 40655: Published tor-expert-bundle tar.gz files should not include their tor-browser-build build id --- projects/browser/build | 5 ++++- projects/browser/build.android | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/projects/browser/build b/projects/browser/build index 52e62b59..c14e38f9 100644 --- a/projects/browser/build +++ b/projects/browser/build @@ -324,7 +324,10 @@ cp $rootdir/[% c('input_files_by_name/firefox') %]/mar-tools-*.zip "$OUTDIR"/ [% END -%] [% END -%] [%IF c("var/tor-browser") -%] - cp $rootdir/[% c("input_files_by_name/tor-expert-bundle") %] "$OUTDIR"/ + tor_expert_bundle_src="[% c("input_files_by_name/tor-expert-bundle") %]" + # strip off trailing "$buildid.tar.gz" + tor_expert_bundle_dest=${tor_expert_bundle_src:0:-14}.tar.gz + cp $rootdir/[% c("input_files_by_name/tor-expert-bundle") %] "$OUTDIR"/$tor_expert_bundle_dest [% END -%] [% IF c("var/build_infos_json") -%] cp $rootdir/[% c('input_files_by_name/firefox') %]/build-infos.json "$OUTDIR"/build-infos-[% c("var/mar_osname") %].json diff --git a/projects/browser/build.android b/projects/browser/build.android index 08a40468..ee23d698 100644 --- a/projects/browser/build.android +++ b/projects/browser/build.android @@ -42,5 +42,8 @@ apksigner sign --verbose --min-sdk-version [% c("var/android_min_api") %] --ks $ apksigner sign --verbose --min-sdk-version [% c("var/android_min_api") %] --ks $rootdir/android-qa.keystore --out $test_out_apk --in $test_in_apk --ks-key-alias androidqakey --key-pass pass:android --ks-pass pass:android [%IF c("var/tor-browser") -%] - cp $rootdir/[% c("input_files_by_name/tor-expert-bundle") %] [% dest_dir %]/[% c('filename') %]/ + tor_expert_bundle_src="[% c("input_files_by_name/tor-expert-bundle") %]" + # strip off trailing "$buildid.tar.gz" + tor_expert_bundle_dest=${tor_expert_bundle_src:0:-14}.tar.gz + cp $rootdir/$tor_expert_bundle_src [% dest_dir %]/[% c('filename') %]/$tor_expert_bundle_dest [% END -%] -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0

[tor-browser-spec] branch main updated: Bug 40035: FF100 Audit
by gitolite role 26 Oct '22

26 Oct '22

This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch main in repository tor-browser-spec. The following commit(s) were added to refs/heads/main by this push: new c520bc2 Bug 40035: FF100 Audit c520bc2 is described below commit c520bc2955dac2999d05128b3abb74441229474f Author: Richard Pospesel <richard(a)torproject.org> AuthorDate: Wed Oct 26 23:12:17 2022 +0000 Bug 40035: FF100 Audit --- audits/FF100_AUDIT | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/audits/FF100_AUDIT b/audits/FF100_AUDIT new file mode 100644 index 0000000..726f689 --- /dev/null +++ b/audits/FF100_AUDIT @@ -0,0 +1,78 @@ +Tracking issue: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40… + +# General + +The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript). + +The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation. + +`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit. + +## Firefox: https://github.com/mozilla/gecko-dev.git + +- Start: `cd4dcd48476d8cb29f4770f6fb659e440ff84345` ( `FIREFOX_RELEASE_100_BASE` ) +- End: `59930a20119813ea25546eaca75dcc3bbc500039` ( `FIREFOX_RELEASE_101_BASE` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) + +--- + +## Application Services: https://github.com/mozilla/application-services.git + +- Start: `21f2904245a956366cae798e16035156c8232cad` ( `v93.0.2` ) +- End: `6a4737d1c043d71dfac67e270ee4afa4fb6c73b4` ( `v93.2.1` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) + +## Android Components: https://github.com/mozilla-mobile/android-components.git + +- Start: `ba604c57073b3ed91cc863e5d9a7aa9d7e7a4b95` ( `v100.0.0` ) +- End: `7b24cbd76371562a9e9a842ca351dae7599d53f3` ( `v100.0.12` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) + +## Fenix: https://github.com/mozilla-mobile/fenix.git + +- Start: `89d64fc0e8204b6f2f442a656108ee2dc9bffbef` ( `v100.0.0-beta.1` ) +- End: `827b01341f76e9ee8c152260992eb5f22a775791` ( `releases_v100.0.0` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) + +## Ticket Review ## + +### 100 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=F… + +- https://bugzilla.mozilla.org/show_bug.cgi?id=1760621 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41142 + - Nothing to do here +- https://bugzilla.mozilla.org/show_bug.cgi?id=1758781 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41143 + - Nothing to do here +- https://bugzilla.mozilla.org/show_bug.cgi?id=1752906 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41144 + - Disabled the WebMIDI feature : https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41144 +- https://bugzilla.mozilla.org/show_bug.cgi?id=1759592 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41145 + - Nothing to do here +- https://bugzilla.mozilla.org/show_bug.cgi?id=1699658 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41146 + - Nothing to do here -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0

[tor-browser-spec] branch main updated: Bug 40044: FF92/93 Audit
by gitolite role 26 Oct '22

26 Oct '22

This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch main in repository tor-browser-spec. The following commit(s) were added to refs/heads/main by this push: new 8776a7c Bug 40044: FF92/93 Audit 8776a7c is described below commit 8776a7cc0707f381858221ef6e73e8984c45d223 Author: Richard Pospesel <richard(a)torproject.org> AuthorDate: Wed Oct 26 22:02:18 2022 +0000 Bug 40044: FF92/93 Audit --- audits/FF92_93_AUDIT | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/audits/FF92_93_AUDIT b/audits/FF92_93_AUDIT new file mode 100644 index 0000000..1f2f38e --- /dev/null +++ b/audits/FF92_93_AUDIT @@ -0,0 +1,85 @@ +Tracking issue: https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40… + +# General + +The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript). + +The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation. + +`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit. + +## Firefox: https://github.com/mozilla/gecko-dev.git ( https://hg.mozilla.org/releases/ ) + +- Start: `be2c584eacac4f7fe827c1d2409399fe13ba614a` ( `FIREFOX_RELEASE_92_BASE` ) +- End: `7ea8b05d021fc8e0194e1b8eb9d37a351c9bdc5f` ( `FIREFOX_RELEASE_93_END` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) +--- + +## Application Services: https://github.com/mozilla/application-services.git + +- Start: `11f7a4b079c83d37505067bd00e17e96ed52ed64` ( `v82.3.0` ) +- End: `b1f371719ca20db642b64a0e860b4ecb0aaf316f` ( `v86.1.0` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) + +## Android Components: https://github.com/mozilla-mobile/android-components.git + +- Start: `84553b30da506c656f2a323aed66f8d335fcbf2b` +- End: `e39f5dba3f9c29b46856d700701f6715adc261c5` ( `v93.0.12` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) + +## Fenix: https://github.com/mozilla-mobile/fenix.git + +- Start: `9552ae0ab75c81bf72637b27f59031f1d088a7bf` +- End: `bcd31c22cd5460867092c71382392f13aeb95e64` ( `v93.2.0` ) + +### Languages: +- [x] java +- [x] cpp +- [x] js +- [x] rust + +Nothing of interest (using `code_audit.sh`) + +## Ticket Review ## + +### Review List + +#### 92 (https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=F… ) + +- https://bugzilla.mozilla.org/show_bug.cgi?id=1226042 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41116 + - Fixed in tor-browser and patchin proces of uplift: https://bugzilla.mozilla.org/show_bug.cgi?id=1787790 +- https://bugzilla.mozilla.org/show_bug.cgi?id=1512851 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41117 + - Made functionality dependent on MOZ_PROXY_BYPASS_PROTECTION, may uplift +- https://bugzilla.mozilla.org/show_bug.cgi?id=1714583 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41118 + - Nothing to do here +- https://bugzilla.mozilla.org/show_bug.cgi?id=1721178 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41119 + - Nothing to do here +- https://bugzilla.mozilla.org/show_bug.cgi?id=1723869 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41120 + - Nothing to do here +- https://bugzilla.mozilla.org/show_bug.cgi?id=516362 : @pierov https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41121 + - Tweaked this patch slightly to prevent Tor Browser from running with elevated privileges + +#### 93 (https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=F… ) + +none! -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0

[tor-browser] branch tor-browser-102.4.0esr-12.0-1 updated: fixup! Bug 40562: Added Tor-related preferences to 000-tor-browser.js
by gitolite role 26 Oct '22

26 Oct '22

This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-102.4.0esr-12.0-1 in repository tor-browser. The following commit(s) were added to refs/heads/tor-browser-102.4.0esr-12.0-1 by this push: new 836aa1709778 fixup! Bug 40562: Added Tor-related preferences to 000-tor-browser.js 836aa1709778 is described below commit 836aa1709778a37390a9977123700818d8026656 Author: Richard Pospesel <richard(a)torproject.org> AuthorDate: Wed Oct 26 16:28:52 2022 +0000 fixup! Bug 40562: Added Tor-related preferences to 000-tor-browser.js Bug 41317: Tor Browser leaks banned ports in network.security.ports.banned --- browser/app/profile/000-tor-browser.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js index 65d6bc26a8b9..be6473555aa2 100644 --- a/browser/app/profile/000-tor-browser.js +++ b/browser/app/profile/000-tor-browser.js @@ -23,7 +23,10 @@ pref("network.proxy.allow_hijacking_localhost", true); // Allow proxies for loca pref("network.proxy.type", 1); // Bug 40548: Disable proxy-bypass pref("network.proxy.failover_direct", false); -pref("network.security.ports.banned", "9050,9051,9150,9151"); +// localhost is already blocked by setting `network.proxy.allow_hijacking_localhost` to +// true, allowing users to explicitly block ports makes them fingerprintable; for details, see +// Bug 41317: Tor Browser leaks banned ports in network.security.ports.banned +pref("network.security.ports.banned", "", locked); pref("network.dns.disabled", true); // This should cover the #5741 patch for DNS leaks pref("network.http.max-persistent-connections-per-proxy", 256); -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0

[builders/tor-browser-build] branch main updated: Bug 41317: Remove now deprecated advice regarding network.security.ports.banned from start-torbrowser script
by gitolite role 26 Oct '22

26 Oct '22

This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch main in repository builders/tor-browser-build. The following commit(s) were added to refs/heads/main by this push: new c13f0484 Bug 41317: Remove now deprecated advice regarding network.security.ports.banned from start-torbrowser script c13f0484 is described below commit c13f0484e5c6d80689b581e4723a035bde50a165 Author: Richard Pospesel <richard(a)torproject.org> AuthorDate: Wed Oct 26 16:33:53 2022 +0000 Bug 41317: Remove now deprecated advice regarding network.security.ports.banned from start-torbrowser script --- projects/browser/RelativeLink/start-browser | 1 - 1 file changed, 1 deletion(-) diff --git a/projects/browser/RelativeLink/start-browser b/projects/browser/RelativeLink/start-browser index 14b50e15..b0c9b2d5 100755 --- a/projects/browser/RelativeLink/start-browser +++ b/projects/browser/RelativeLink/start-browser @@ -317,7 +317,6 @@ TOR_CONTROL_PASSWD environment variable." # torrc): # # SETTING NAME VALUE -# network.security.ports.banned [...],<SocksPort>,<ControlPort> # network.proxy.socks 127.0.0.1 # network.proxy.socks_port <SocksPort> # extensions.torbutton.inserted_button true -- To stop receiving notification emails like this one, please contact the administrator of this repository.

1 0