richard pushed to branch main at The Tor Project / Applications / tor-browser-spec

Commits:

1 changed file:

Changes:

  • audits/FF104_AUDIT
    1
    +# General
    
    2
    +
    
    3
    +The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
    
    4
    +
    
    5
    +The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
    
    6
    +
    
    7
    +`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
    
    8
    +
    
    9
    +## Firefox: https://github.com/mozilla/gecko-dev.git
    
    10
    +
    
    11
    +- Start: `1f1c56dc6bae6b3302471f097ed132ef44cded86` ( `FIREFOX_103_0_2_RELEASE` )
    
    12
    +- End:   `a8c31da1c243a855de8c3b241a437dd1b65684d5`  ( `FIREFOX_104_0_2_RELEASE` )
    
    13
    +
    
    14
    +### Languages:
    
    15
    +- [x] java
    
    16
    +- [x] cpp
    
    17
    +- [x] js
    
    18
    +- [x] rust
    
    19
    +
    
    20
    +#### Problematic Commits
    
    21
    +
    
    22
    +- Bug 1780014: Add specific telemetry for conservative and first-try handshakes `7a55bf9c230b83c0a195929feaad1f5e77195412`
    
    23
    +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41937
    
    24
    +  - **RESOLUTION** nothing to do here, telemetry is gated in the usual fashoin
    
    25
    +- Bug 1769994 - [remote] Resolve localhost to an IP before starting httpd.js. `c193147b7b622a9b69e768079553e0d27c05c993`
    
    26
    +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41938
    
    27
    +  - **RESOLUTION** nothing to do here, this is a debugger feature not a web content one
    
    28
    +---
    
    29
    +
    
    30
    +## Application Services: https://github.com/mozilla/application-services.git
    
    31
    +
    
    32
    +- Start: `b70c54882fec606d10e77520b1dd2ae144768747` ( `v94.0.0` )
    
    33
    +- End:   `78b165b798118e9b5fa62af07aa44d663f386492`  ( `v94.1.0` )
    
    34
    +
    
    35
    +### Languages:
    
    36
    +- [x] java
    
    37
    +- [x] cpp
    
    38
    +- [x] js
    
    39
    +- [x] rust
    
    40
    +
    
    41
    +Nothing of interest (using `code_audit.sh`)
    
    42
    +
    
    43
    +## Android Components: https://github.com/mozilla-mobile/android-components.git
    
    44
    +
    
    45
    +- Start: `ae333f064744e005ef22ac86ab8518d9bf7d9820`
    
    46
    +- End:   `7b0499725d3016a0d9288c337fcde4ffff60acfe`  ( `v104.0.10` )
    
    47
    +
    
    48
    +### Languages:
    
    49
    +- [x] java
    
    50
    +- [x] cpp
    
    51
    +- [x] js
    
    52
    +- [x] rust
    
    53
    +
    
    54
    +Nothing of interest (using `code_audit.sh`)
    
    55
    +
    
    56
    +## Fenix: https://github.com/mozilla-mobile/fenix.git
    
    57
    +
    
    58
    +- Start: `3f7ddd5d6ef4f8495092138149d36b42e08dbbdb` ( `v104.0b1 )
    
    59
    +- End:   `0f9ad767addb7eeef1800ac5bb80e094e3e87f07`  ( `v104.2.0` )
    
    60
    +
    
    61
    +### Languages:
    
    62
    +- [x] java
    
    63
    +- [x] cpp
    
    64
    +- [x] js
    
    65
    +- [x] rust
    
    66
    +
    
    67
    +Nothing of interest (using `code_audit.sh`)
    
    68
    +
    
    69
    +## Ticket Review ##
    
    70
    +
    
    71
    +Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=104%20Branch&order=priority%2Cbug_severity&limit=0`
    
    72
    +
    
    73
    +#### Problematic Tickets
    
    74
    +
    
    75
    +- **Support fetching data from Remote Setting** https://bugzilla.mozilla.org/show_bug.cgi?id=1728871
    
    76
    +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41939
    
    77
    +  - **RESOLUTION** nothing to do here, only applies to safe-browsing which we disable
    
    78
    +- **When a filetype is set to "always ask" and the user makes a save/open choice in the dialog, we should not also open the downloads panel** https://bugzilla.mozilla.org/show_bug.cgi?id=1739348
    
    79
    +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41940
    
    80
    +  - **RESOLUTION** was not a security or privacy issue, just needed to make sure it played nciely with our own custom downloads UX which it does
    
    81
    +- **Improve Math.pow accuracy for large exponents** https://bugzilla.mozilla.org/show_bug.cgi?id=1775254
    
    82
    +  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41941
    
    83
    +  - **RESOLUTION** tjr fortunately verified this doesn't break existing fingerprinting assumptions upstream
    
    84
    +
    
    85
    +## Export
    
    86
    +- [ ] Export Report and save to `tor-browser-spec/audits`
    \ No newline at end of file