Richard Pospesel pushed to branch tor-browser-102.8.0esr-12.0-1 at The Tor Project / Applications / Tor Browser
Commits:
07121bec by hackademix at 2023-02-15T18:38:54+00:00
amend! Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop
Bug 8324: Prevent DNS proxy bypasses caused by Drag&Drop
Bug 41613: Skip Drang & Drop filtering for DNS-safe URLs
- - - - -
1 changed file:
- toolkit/torbutton/components/dragDropFilter.js
Changes:
=====================================
toolkit/torbutton/components/dragDropFilter.js
=====================================
@@ -113,6 +113,25 @@ DragDropFilter.prototype = {
for (let i = 0, count = aDataTransfer.mozItemCount; i < count; ++i) {
this.logger.log(3, `Inspecting the data transfer: ${i}.`);
const types = aDataTransfer.mozTypesAt(i);
+ const urlType = "text/x-moz-url";
+ // Fallback url type, to be parsed by this browser but not externally
+ const INTERNAL_FALLBACK = "application/x-torbrowser-opaque";
+ if (types.contains(urlType)) {
+ const links = aDataTransfer.mozGetDataAt(urlType, i);
+ // Skip DNS-safe URLs (no hostname, e.g. RFC 3966 tel:)
+ const mayLeakDNS = links.split("\n").some(link => {
+ try {
+ return new URL(link).hostname;
+ } catch (e) {
+ return false;
+ }
+ });
+ if (!mayLeakDNS) {
+ continue;
+ }
+ const opaqueKey = OpaqueDrag.store(links, urlType);
+ aDataTransfer.mozSetDataAt(INTERNAL_FALLBACK, opaqueKey, i);
+ }
for (const type of types) {
this.logger.log(3, `Type is: ${type}.`);
if (URLISH_TYPES.includes(type)) {
@@ -120,14 +139,6 @@ DragDropFilter.prototype = {
3,
`Removing transfer data ${aDataTransfer.mozGetDataAt(type, i)}`
);
- const urlType = "text/x-moz-url";
- // Fallback url type, to be parsed by this browser but not externally
- const INTERNAL_FALLBACK = "application/x-torbrowser-opaque";
- if (types.contains(urlType)) {
- const link = aDataTransfer.mozGetDataAt(urlType, i);
- const opaqueKey = OpaqueDrag.store(link, urlType);
- aDataTransfer.mozSetDataAt(INTERNAL_FALLBACK, opaqueKey, i);
- }
for (const type of types) {
if (
type !== INTERNAL_FALLBACK &&
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/07121be…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/07121be…
You're receiving this email because of your account on gitlab.torproject.org.
Richard Pospesel pushed to branch tor-browser-102.8.0esr-12.0-1 at The Tor Project / Applications / Tor Browser
Commits:
f6e9971c by Pier Angelo Vendrame at 2023-02-15T18:21:39+00:00
Bug 41603: Customize the creation of MOZ_SOURCE_URL
MOZ_SOURCE_URL is created by combining MOZ_SOURCE_REPO and
MOZ_SOURCE_CHANGESET.
But the code takes for granted that it refers to a Hg instance, so it
combines them as `$MOZ_SOURCE_REPO/rev/$MOZ_SOURCE_CHANGESET`.
With this commit, we change this logic to combine them to create a URL
that is valid for GitLab.
$MOZ_SOURCE_CHANGESET needs to be a commit hash, not a branch or a tag.
If that is needed, we could use /-/tree/, instead of /-/commit/.
- - - - -
1 changed file:
- build/variables.py
Changes:
=====================================
build/variables.py
=====================================
@@ -97,7 +97,7 @@ def source_repo_header(output):
output.write("#define MOZ_SOURCE_STAMP %s\n" % changeset)
if repo and buildconfig.substs.get("MOZ_INCLUDE_SOURCE_INFO"):
- source = "%s/rev/%s" % (repo, changeset)
+ source = "%s/-/commit/%s" % (repo, changeset)
output.write("#define MOZ_SOURCE_REPO %s\n" % repo)
output.write("#define MOZ_SOURCE_URL %s\n" % source)
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/f6e9971…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/f6e9971…
You're receiving this email because of your account on gitlab.torproject.org.
Richard Pospesel pushed to branch base-browser-102.8.0esr-12.0-1 at The Tor Project / Applications / Tor Browser
Commits:
002dd17a by Pier Angelo Vendrame at 2023-02-15T18:22:05+00:00
Bug 41603: Customize the creation of MOZ_SOURCE_URL
MOZ_SOURCE_URL is created by combining MOZ_SOURCE_REPO and
MOZ_SOURCE_CHANGESET.
But the code takes for granted that it refers to a Hg instance, so it
combines them as `$MOZ_SOURCE_REPO/rev/$MOZ_SOURCE_CHANGESET`.
With this commit, we change this logic to combine them to create a URL
that is valid for GitLab.
$MOZ_SOURCE_CHANGESET needs to be a commit hash, not a branch or a tag.
If that is needed, we could use /-/tree/, instead of /-/commit/.
- - - - -
1 changed file:
- build/variables.py
Changes:
=====================================
build/variables.py
=====================================
@@ -97,7 +97,7 @@ def source_repo_header(output):
output.write("#define MOZ_SOURCE_STAMP %s\n" % changeset)
if repo and buildconfig.substs.get("MOZ_INCLUDE_SOURCE_INFO"):
- source = "%s/rev/%s" % (repo, changeset)
+ source = "%s/-/commit/%s" % (repo, changeset)
output.write("#define MOZ_SOURCE_REPO %s\n" % repo)
output.write("#define MOZ_SOURCE_URL %s\n" % source)
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/002dd17…
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/002dd17…
You're receiving this email because of your account on gitlab.torproject.org.