
ma1 pushed to branch maint-13.0 at The Tor Project / Applications / tor-browser-build Commits: 8ebeb4d1 by hackademix at 2023-12-19T17:15:07+01:00 Bug 41050: Improve disk leak sanitization on startup. - - - - - 1 changed file: - projects/browser/RelativeLink/start-browser Changes: ===================================== projects/browser/RelativeLink/start-browser =====================================
@@ -258,18 +258,32 @@ HOME="${PWD}"
 export HOME
 
 # Prevent disk leaks in $HOME/.local/share (tor-browser#17560)
+function erase_leaky() {
+ local leaky="$1"
+ [ -e "$leaky" ] &&
+ ( srm -r "$leaky" ||
+ wipe -r "$leaky" ||
+ find "$leaky" -type f -exec shred -u {} \; ;
+ rm -rf "$leaky"
+ ) > /dev/null 2>&1
+}
 local_dir="$HOME/.local/"
 share_dir="$local_dir/share"
-if [ -d "$share_dir" ]; then
- ( srm -r "$share_dir" ||
- wipe -r "$share_dir" ||
- find "$share_dir" -type f -exec shred -u {} \; ;
- rm -rf "$share_dir"
- ) > /dev/null 2>&1
-else
- mkdir -p "$local_dir"
+# We don't want to mess with symlinks, possibly pointing outside the
+# Browser directory (tor-browser-build#41050).
+# We're not using realpath/readlink for consistency with the (possibly
+# outdated) availability assumptions made elsewhere in this script.
+if ! [ -L "$local_dir" -o -L "$share_dir" ]; then
+ if [ -d "$share_dir" ]; then
+ for leaky_path in "gvfs-metadata" "recently-used.xbel"; do
+ erase_leaky "$share_dir/$leaky_path"
+ done
+ else
+ mkdir -p "$local_dir"
+ fi
+ ln -fs /dev/null "$share_dir"
 fi
-ln -fs /dev/null "$share_dir"
+[ -L "$HOME/.cache" ] || erase_leaky "$HOME/.cache/nvidia"
 
 [% IF c("var/tor-browser") -%]
 SYSARCHITECTURE=$(getconf LONG_BIT)
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8e... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/commit/8e... You're receiving this email because of your account on gitlab.torproject.org.
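Review bot: The symlink guard `[ -L "$local_dir" -o -L "$share_dir" ]` cannot detect a symlinked `.local`, because `local_dir` is set to `"$HOME/.local/"` with a trailing slash and a path ending in `/` is resolved through the link before `-L` inspects it. With `.local` linked to a directory elsewhere, the branch still runs `erase_leaky` and `ln -fs` on paths outside the Browser directory, which is what the comment above the test says it wants to avoid. Testing the slash-less form fixes it: `if ! [ -L "${local_dir%/}" -o -L "$share_dir" ]; then`. The leaf paths passed to `erase_leaky` (`gvfs-metadata`, `recently-used.xbel`, `.cache/nvidia`) get no `-L` check either, so a guard such as `[ -L "$leaky" ] && return` at the top of the function would cover them; how `srm` and `wipe` treat a symlink argument is not visible here.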