commit a11a8b301950e1c25adcfd5bea07c773f5082533 Author: Georg Koppen gk@torproject.org Date: Thu Jul 27 08:10:20 2017 +0000
Apply patch for bug 23044 --- gitian/descriptors/linux/gitian-firefox.yml | 2 ++ gitian/patches/gio.patch | 48 +++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+)
diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index 1ff66a2..49c457c 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -33,6 +33,7 @@ files:
 - "gcc-linux32-utils.zip"
 - "gcc-linux64-utils.zip"
 - "get-moz-build-date"
+- "gio.patch"
 - "re-dzip.sh"
 - "dzip.sh"
 - "versions"
@@ -88,6 +89,7 @@ script: | mkdir -p $INSTDIR/Debug/Browser/
cd tor-browser + patch -p1 < ../gio.patch # run get-moz-build-date before removing .git, which is used to get the year chmod +x ~/build/get-moz-build-date eval $(~/build/get-moz-build-date $(cat browser/config/version.txt))
diff --git a/gitian/patches/gio.patch b/gitian/patches/gio.patch
new file mode 100644
index 0000000..1edae4d
--- /dev/null
+++ b/gitian/patches/gio.patch
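Review bot: The added `patch -p1 < ../gio.patch` step in the script hunk of gitian-firefox.yml has no visible failure handling, so if the patch stops applying after a tor-browser rebase the build may carry on and produce a browser without the GIO hardening. Unless the script already runs under `set -e` (not visible in this hunk), make the step fail closed, for example `patch -p1 < ../gio.patch || exit 1`. The script block starts before the hunk and continues after it.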
@@ -0,0 +1,48 @@
+From a96f898e0da42de751a5e1367a9899cc96fadb1f Mon Sep 17 00:00:00 2001
+From: Georg Koppen gk@torproject.org
+Date: Thu, 27 Jul 2017 07:31:38 +0000
+Subject: [PATCH] Bug 23044: Don't allow GIO supported protocols by default
+
+
+diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js
+index aaeba630422d..3edaad88f59e 100644
+--- a/browser/app/profile/000-tor-browser.js
++++ b/browser/app/profile/000-tor-browser.js
+@@ -210,6 +210,9 @@ pref("network.protocol-handler.warn-external.mailto", true);
+ pref("network.protocol-handler.warn-external.news", true);
+ pref("network.protocol-handler.warn-external.nntp", true);
+ pref("network.protocol-handler.warn-external.snews", true);
++// Make sure we don't have any GIO supported protocols (defense in depth
++// measure)
++pref("network.gio.supported-protocols", "");
+ pref("plugin.disable", true); // Disable to search plugins on first start
+ pref("plugins.click_to_play", true);
+ pref("plugin.state.flash", 1);
+diff --git a/extensions/gio/nsGIOProtocolHandler.cpp b/extensions/gio/nsGIOProtocolHandler.cpp
+index a378e8700821..5f6b2a0a2a57 100644
+--- a/extensions/gio/nsGIOProtocolHandler.cpp
++++ b/extensions/gio/nsGIOProtocolHandler.cpp
+@@ -922,16 +922,16 @@ nsGIOProtocolHandler::InitSupportedProtocolsPref(nsIPrefBranch *prefs)
+ // Get user preferences to determine which protocol is supported.
+ // Gvfs/GIO has a set of supported protocols like obex, network, archive,
+ // computer, dav, cdda, gphoto2, trash, etc. Some of these seems to be
+- // irrelevant to process by browser. By default accept only smb and sftp
+- // protocols so far.
++ // irrelevant to process by browser. By default accept none.
+ nsresult rv = prefs->GetCharPref(MOZ_GIO_SUPPORTED_PROTOCOLS,
+ getter_Copies(mSupportedProtocols));
+ if (NS_SUCCEEDED(rv)) {
+ mSupportedProtocols.StripWhitespace();
+ ToLowerCase(mSupportedProtocols);
+ }
+- else
+- mSupportedProtocols.AssignLiteral("smb:,sftp:"); // use defaults
++ else {
++ mSupportedProtocols.AssignLiteral(""); // use none by default
++ }
+
+ LOG(("gio: supported protocols "%s"\n", mSupportedProtocols.get()));
+ }
+--
+2.13.2
+
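Review bot: In `InitSupportedProtocolsPref`, the success branch still accepts whatever `network.gio.supported-protocols` holds, so this patch only changes the default. A profile that already carries a user-set value such as `smb:,sftp:` would keep those handlers enabled after the update. If the intent of bug 23044 is that no GIO protocol is reachable, state the limitation where the fallback is set, for example `// A user-set pref value still overrides this; only the fallback is empty.`, or have the handler ignore the pref in this build. The function body starts outside the hunk.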