commit d5211d99de2f37fc3e21329fd32fe80bcc663d37 Author: Kathy Brade brade@pearlcrescent.com Date: Thu May 11 15:37:54 2017 -0400
fixup! Bug #4234: Use the Firefox Update Process for Tor Browser.
Disable the updater's OSX privilege elevation feature. If the user does not have write permission to the .app directory, they will be prompted to download a new copy of the browser. Fixes bug 21940.
As defense-in-depth measures, we also removed the code that is used by Firefox to launch an OSX process with administrator privileges as well as the extra copy of the updater executable that was located under TorBrowser.app/Contents/Library/LaunchServices/. --- browser/app/Makefile.in | 3 +++ browser/installer/package-manifest.in | 2 ++ toolkit/mozapps/update/nsUpdateService.js | 10 ++++++++++ toolkit/mozapps/update/updater/launchchild_osx.mm | 2 ++ toolkit/mozapps/update/updater/updater.cpp | 10 ++++++++++ toolkit/xre/MacLaunchHelper.h | 2 ++ toolkit/xre/MacLaunchHelper.mm | 2 ++ toolkit/xre/nsUpdateDriver.cpp | 4 ++++ 8 files changed, 35 insertions(+)
diff --git a/browser/app/Makefile.in b/browser/app/Makefile.in
index 1fe7676..1fbdc1e 100644
--- a/browser/app/Makefile.in
+++ b/browser/app/Makefile.in
@@ -86,9 +86,12 @@ tools repackage:: $(DIST)/bin/$(MOZ_APP_NAME)
 $(RM) $(dist_dest)/Contents/MacOS/$(MOZ_APP_NAME)
 rsync -aL $(DIST)/bin/$(MOZ_APP_NAME) $(dist_dest)/Contents/MacOS
 cp -RL $(DIST)/branding/firefox.icns $(dist_dest)/Contents/Resources/firefox.icns
+ cp -RL $(DIST)/branding/document.icns $(dist_dest)/Contents/Resources/document.icns
+ifndef TOR_BROWSER_UPDATE
 $(MKDIR) -p $(dist_dest)/Contents/Library/LaunchServices
 mv -f $(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater $(dist_dest)/Contents/Library/LaunchServices
 ln -s ../../../../Library/LaunchServices/org.mozilla.updater $(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater
+endif
 printf APPLTORB > $(dist_dest)/Contents/PkgInfo
 endif
diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in
index 8192f93..43c89a9 100644
--- a/browser/installer/package-manifest.in
+++ b/browser/installer/package-manifest.in
@@ -35,7 +35,9 @@
 #ifdef XP_MACOSX
 ; Mac bundle stuff
 @APPNAME@/Contents/Info.plist
+#ifndef TOR_BROWSER_UPDATE
 @APPNAME@/Contents/Library/LaunchServices
+#endif
 @APPNAME@/Contents/PkgInfo
 @RESPATH@/firefox.icns
 @RESPATH@/document.icns
diff --git a/toolkit/mozapps/update/nsUpdateService.js b/toolkit/mozapps/update/nsUpdateService.js
index 8abc55a..59c36e8 100644
--- a/toolkit/mozapps/update/nsUpdateService.js
+++ b/toolkit/mozapps/update/nsUpdateService.js
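Review bot: The added `cp -RL … document.icns` line in the `tools repackage::` recipe is unrelated to disabling privilege elevation, is not mentioned in the commit message, and sits outside the new `ifndef TOR_BROWSER_UPDATE` guard, so it applies to every build. If it is a packaging fix that the `@RESPATH@/document.icns` entry in package-manifest.in already relies on, say so in the message or split it into its own commit. The new `ifndef`/`endif` pair around the LaunchServices relocation would also benefit from a one-line comment such as `# Tor Browser does not ship the privileged-helper copy of the updater (bug 21940)`, and the matching `#ifndef TOR_BROWSER_UPDATE` in package-manifest.in the same.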
@@ -378,6 +378,11 @@ function areDirectoryEntriesWriteable(aDir) {
 * @return true if elevation is required, false otherwise
 */
 function getElevationRequired() {
+#if defined(TOR_BROWSER_UPDATE)
+ // To avoid potential security holes associated with running the updater
+ // process with elevated privileges, Tor Browser does not support elevation.
+ return false;
+#else
 if (AppConstants.platform != "macosx") {
 return false;
 }
@@ -401,6 +406,7 @@ function getElevationRequired() {
 LOG("getElevationRequired - able to write to application bundle, elevation " + "not required");
 return false;
+#endif
 }
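Review bot: The new early return in `getElevationRequired()` explains why elevation is disabled but not what now happens when the bundle is not writable, which the code in the `#else` branch used to detect; from the updater.cpp hunk in this same commit, the only remaining signal appears to be the updater writing `ELEVATION_CANCELED`, which presumably is what produces the re-download prompt described in the commit message. Suggest adding a line to the new comment such as `// A non-writable .app is reported by the updater as ELEVATION_CANCELED and the user is asked to download a fresh copy instead.` so a maintainer of this function knows where that prompt originates. The body of getElevationRequired between the two hunks is not shown here.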
/**
@@ -1203,6 +1209,9 @@ function handleUpdateFailure(update, errorCode) {
 cancelations++;
 Services.prefs.setIntPref(PREF_APP_UPDATE_CANCELATIONS, cancelations);
 if (AppConstants.platform == "macosx") {
+#if defined(TOR_BROWSER_UPDATE)
+ cleanupActiveUpdate();
+#else
 let osxCancelations = getPref("getIntPref", PREF_APP_UPDATE_CANCELATIONS_OSX, 0);
 osxCancelations++;
@@ -1219,6 +1228,7 @@ function handleUpdateFailure(update, errorCode) {
 writeStatusFile(getUpdatesDir(), update.state = STATE_PENDING_ELEVATE);
 }
+#endif
 update.statusText = gUpdateBundle.GetStringFromName("elevationFailure");
 update.QueryInterface(Ci.nsIWritablePropertyBag);
 update.setProperty("patchingFailed", "elevationFailure");
diff --git a/toolkit/mozapps/update/updater/launchchild_osx.mm b/toolkit/mozapps/update/updater/launchchild_osx.mm
index 97e31b9..749cb1f 100644
--- a/toolkit/mozapps/update/updater/launchchild_osx.mm
+++ b/toolkit/mozapps/update/updater/launchchild_osx.mm
@@ -284,6 +284,7 @@ bool ObtainUpdaterArguments(int* argc, char*** argv)
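Review bot: Under `TOR_BROWSER_UPDATE` the macOS branch of `handleUpdateFailure` now calls `cleanupActiveUpdate()` and then falls through to the unconditional lines that tag the update with `elevationFailure`, while `PREF_APP_UPDATE_CANCELATIONS` is still incremented just above the guard even though no elevation was attempted and no user cancelation can have occurred. If that counter is used elsewhere to stop retrying after a number of cancelations (not visible here), a single non-writable install would consume one attempt per launch; worth confirming that is intended, since the condition that routes `ELEVATION_CANCELED` into this block is outside the hunk. Either way a comment on the new branch, e.g. `// Tor Browser: ELEVATION_CANCELED means the .app is not writable; discard the update and let the elevationFailure text ask the user to reinstall.`, would explain why cleanup replaces the pending-elevate handling kept in the #else branch. handleUpdateFailure continues outside both hunks.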
@end
+#ifndef TOR_BROWSER_UPDATE
 bool ServeElevatedUpdate(int argc, const char** argv)
 {
 MacAutoreleasePool pool;
@@ -300,6 +301,7 @@ bool ServeElevatedUpdate(int argc, const char** argv)
 [updater release];
 return didSucceed;
 }
+#endif
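Review bot: The `#endif` that closes the new `#ifndef TOR_BROWSER_UPDATE` around `ServeElevatedUpdate` is unlabeled and about twenty lines from its opening, and the same unlabeled guard spans roughly lines 46–139 in MacLaunchHelper.mm and cuts through an if/else in nsUpdateDriver.cpp, which makes the conditional regions hard to follow when reading the files rather than the patch. Suggest `#endif // !TOR_BROWSER_UPDATE` on each closing directive (this file, updater.cpp, MacLaunchHelper.h, MacLaunchHelper.mm and nsUpdateDriver.cpp) so the reader can tell which region ends where. The body of ServeElevatedUpdate between the two hunks is not shown here.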
bool IsOwnedByGroupAdmin(const char* aAppBundle)
 {
diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
index 1bc4867..bf4a4bb 100644
--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -83,7 +83,9 @@ bool IsRecursivelyWritable(const char* aPath);
 void LaunchChild(int argc, const char** argv);
 void LaunchMacPostProcess(const char* aAppBundle);
 bool ObtainUpdaterArguments(int* argc, char*** argv);
+#ifndef TOR_BROWSER_UPDATE
 bool ServeElevatedUpdate(int argc, const char** argv);
+#endif
 void SetGroupOwnershipAndPermissions(const char* aAppBundle);
 struct UpdateServerThreadArgs {
@@ -2913,11 +2915,15 @@ UpdateThreadFunc(void *param)
 static void
 ServeElevatedUpdateThreadFunc(void* param)
 {
+#ifdef TOR_BROWSER_UPDATE
+ WriteStatusFile(ELEVATION_CANCELED);
+#else
 UpdateServerThreadArgs* threadArgs = (UpdateServerThreadArgs*)param;
 gSucceeded = ServeElevatedUpdate(threadArgs->argc, threadArgs->argv);
 if (!gSucceeded) {
 WriteStatusFile(ELEVATION_CANCELED);
 }
+#endif
 QuitProgressUI();
 }
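Review bot: In `ServeElevatedUpdateThreadFunc` the `TOR_BROWSER_UPDATE` branch never reads `param`, so builds with `-Wunused-parameter` (part of `-Wextra`) will warn on every Tor Browser build; add `(void)param;` inside the `#ifdef` block, or leave the parameter unnamed as `void* /* param */` if the thread API fixes the signature. The branch also writes `ELEVATION_CANCELED` unconditionally, which reads as "the user canceled" while in fact nothing was attempted; a comment such as `// Elevation is disabled in Tor Browser: report ELEVATION_CANCELED so the front end discards the update and prompts for a fresh install.` would make that intent explicit for whoever next reads the status-file protocol. The `UpdateServerThreadArgs` struct and the prototype guarded in the earlier hunk of this file are now only used from the #else path, which is fine but worth noting.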
@@ -2986,7 +2992,11 @@ int NS_main(int argc, NS_tchar **argv)
#ifdef XP_MACOSX
 bool isElevated =
+#ifdef TOR_BROWSER_UPDATE
+ false;
+#else
 strstr(argv[0], "/Library/PrivilegedHelperTools/org.mozilla.updater") != 0;
+#endif
 if (isElevated) {
 if (!ObtainUpdaterArguments(&argc, &argv)) {
 // Won't actually get here because ObtainUpdaterArguments will terminate
diff --git a/toolkit/xre/MacLaunchHelper.h b/toolkit/xre/MacLaunchHelper.h
index 08035c5..46e1570 100644
--- a/toolkit/xre/MacLaunchHelper.h
+++ b/toolkit/xre/MacLaunchHelper.h
@@ -17,7 +17,9 @@ extern "C" {
 * pid of the terminated process to confirm that it executed successfully.
 */
 void LaunchChildMac(int aArgc, char** aArgv, pid_t* aPid = 0);
+#ifndef TOR_BROWSER_UPDATE
 bool LaunchElevatedUpdate(int aArgc, char** aArgv, pid_t* aPid = 0);
+#endif
 }
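Review bot: Splitting the initializer of `isElevated` in `NS_main` across `#ifdef`/`#else`/`#endif` leaves a dangling `bool isElevated =` that only becomes a complete statement three lines later, which is easy to misread and awkward for tools that format or fold on statement boundaries. A plain default plus an opt-in reads better and needs no `#else`: initialize to `false` and assign the `strstr` test only when elevation is compiled in. The rest of NS_main, including the `if (isElevated)` body, lies outside this hunk.
```cpp
  bool isElevated = false;
#ifndef TOR_BROWSER_UPDATE
  isElevated =
    strstr(argv[0], "/Library/PrivilegedHelperTools/org.mozilla.updater") != 0;
#endif
  // … unchanged: if (isElevated) { ObtainUpdaterArguments … } …
```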
#endif
diff --git a/toolkit/xre/MacLaunchHelper.mm b/toolkit/xre/MacLaunchHelper.mm
index 0dadb8d..84e28a4 100644
--- a/toolkit/xre/MacLaunchHelper.mm
+++ b/toolkit/xre/MacLaunchHelper.mm
@@ -43,6 +43,7 @@ void LaunchChildMac(int aArgc, char** aArgv, pid_t* aPid)
 }
 }
+#ifndef TOR_BROWSER_UPDATE
 BOOL InstallPrivilegedHelper()
 {
 AuthorizationRef authRef = NULL;
@@ -135,3 +136,4 @@ bool LaunchElevatedUpdate(int aArgc, char** aArgv, pid_t* aPid)
 }
 return didSucceed;
 }
+#endif
diff --git a/toolkit/xre/nsUpdateDriver.cpp b/toolkit/xre/nsUpdateDriver.cpp
index 3abbf7f..b87c84e 100644
--- a/toolkit/xre/nsUpdateDriver.cpp
+++ b/toolkit/xre/nsUpdateDriver.cpp
@@ -1114,6 +1114,7 @@ ApplyUpdate(nsIFile *greDir, nsIFile *updateDir, nsIFile *statusFile,
 #ifdef DEBUG
 dump_argv("ApplyUpdate after SetupMacCommandLine", argv, argc);
 #endif
+#ifndef TOR_BROWSER_UPDATE
 // We need to detect whether elevation is required for this update. This can
 // occur when an admin user installs the application, but another admin
 // user attempts to update (see bug 394984).
@@ -1124,12 +1125,15 @@ ApplyUpdate(nsIFile *greDir, nsIFile *updateDir, nsIFile *statusFile,
 }
 exit(0);
 } else {
+#endif
 if (restart) {
 LaunchChildMac(argc, argv);
 exit(0);
 }
 LaunchChildMac(argc, argv, outpid);
+#ifndef TOR_BROWSER_UPDATE
 }
+#endif
 #else
 *outpid = PR_CreateProcess(updaterPath.get(), argv, nullptr, nullptr);
 if (restart) {
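Review bot: The two `#ifndef TOR_BROWSER_UPDATE` regions in `ApplyUpdate` remove the `} else {` and its matching closing `}` in separate spans, so the if/else only stays brace-balanced as long as both regions are compiled the same way, and a reader has to mentally strip two disjoint spans (plus the elided lines between the two hunks holding the condition and the elevated-launch body) to see that the Tor Browser build reduces to `if (restart) { LaunchChildMac(argc, argv); exit(0); } LaunchChildMac(argc, argv, outpid);`. Consider keeping the if/else intact and forcing the elevation condition false under `TOR_BROWSER_UPDATE` instead — for example a `bool needsElevation = false;` that is assigned only inside a single `#ifndef TOR_BROWSER_UPDATE` block — so the control flow is identical in both builds and only the detection is compiled out. At minimum, label each closing directive `#endif // !TOR_BROWSER_UPDATE`. ApplyUpdate begins before and ends after these hunks.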