ma1 pushed to branch tor-browser-115.14.0esr-13.5-1 at The Tor Project / Applications / Tor Browser Commits: 6f5ad1e3 by hackademix at 2024-08-22T00:37:28+02:00 fixup! Bug 42835: Create an actor to filter file data transfers Bug 43064: Make file filtering more specific - - - - - 1 changed file: - toolkit/actors/FilesFilterChild.sys.mjs Changes: ===================================== toolkit/actors/FilesFilterChild.sys.mjs ===================================== @@ -12,11 +12,14 @@ ChromeUtils.defineLazyGetter(lazy, "console", () => { export class FilesFilterChild extends JSWindowActorChild { handleEvent(event) { + if (!Services.prefs.getBoolPref("browser.filesfilter.enabled", true)) { + return; + } // drop or paste const { composedTarget } = event; const dt = event.clipboardData || event.dataTransfer; - if (dt.files.length) { + if ([...dt.files].some(f => f.mozFullPath)) { if ( ["HTMLInputElement", "HTMLTextAreaElement"].includes( ChromeUtils.getClassName(composedTarget) @@ -25,7 +28,7 @@ export class FilesFilterChild extends JSWindowActorChild { event.preventDefault(); lazy.console.log( `Preventing path leak on ${event.type} for ${[...dt.files] - .map(f => f.name) + .map(f => `${f.name} (${f.mozFullPath})`) .join(", ")}.` ); } @@ -33,7 +36,7 @@ export class FilesFilterChild extends JSWindowActorChild { } // "Paste Without Formatting" (ctrl+shift+V) in HTML editors coerces files into paths - if (!(event.clipboardData && dt.getData("text"))) { + if (!(event.clipboardData && /[\/\\]/.test(dt.getData("text")))) { return; } View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/6f5ad1e3... -- View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/commit/6f5ad1e3... You're receiving this email because of your account on gitlab.torproject.org.