|
|
1
|
+# General
|
|
|
2
|
+
|
|
|
3
|
+The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
|
|
|
4
|
+
|
|
|
5
|
+The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
|
|
|
6
|
+
|
|
|
7
|
+`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
|
|
|
8
|
+
|
|
|
9
|
+## Firefox: https://github.com/mozilla/gecko-dev.git
|
|
|
10
|
+
|
|
|
11
|
+- Start: `a8c31da1c243a855de8c3b241a437dd1b65684d5` ( `FIREFOX_104_0_2_RELEASE` )
|
|
|
12
|
+- End: `2dd649f09f70ec5b9304d62daeb427a86bbc5a36` ( `FIREFOX_105_0_3_RELEASE` )
|
|
|
13
|
+
|
|
|
14
|
+### Languages:
|
|
|
15
|
+- [x] java
|
|
|
16
|
+- [x] cpp
|
|
|
17
|
+- [x] js
|
|
|
18
|
+- [x] rust
|
|
|
19
|
+
|
|
|
20
|
+Nothing of interest (using `code_audit.sh`)
|
|
|
21
|
+
|
|
|
22
|
+---
|
|
|
23
|
+
|
|
|
24
|
+## Application Services: https://github.com/mozilla/application-services.git
|
|
|
25
|
+
|
|
|
26
|
+- Start: `78b165b798118e9b5fa62af07aa44d663f386492` ( `v94.1.0` )
|
|
|
27
|
+- End: `be8254df118b2fc2aae726e1d13ca4c982bec920` ( `v94.3.1` )
|
|
|
28
|
+
|
|
|
29
|
+### Languages:
|
|
|
30
|
+- [x] java
|
|
|
31
|
+- [x] cpp
|
|
|
32
|
+- [x] js
|
|
|
33
|
+- [x] rust
|
|
|
34
|
+
|
|
|
35
|
+Nothing of interest (using `code_audit.sh`)
|
|
|
36
|
+
|
|
|
37
|
+## Android Components: https://github.com/mozilla-mobile/android-components.git
|
|
|
38
|
+
|
|
|
39
|
+- Start: `b3e0289b3f07929c0403ac6e672c88b5db079748`
|
|
|
40
|
+- End: `658c2d239f9aef5927f654aa36a0b0739b116d92` ( `v105.0.8` )
|
|
|
41
|
+
|
|
|
42
|
+### Languages:
|
|
|
43
|
+- [x] java
|
|
|
44
|
+- [x] cpp
|
|
|
45
|
+- [x] js
|
|
|
46
|
+- [x] rust
|
|
|
47
|
+
|
|
|
48
|
+Nothing of interest (using `code_audit.sh`)
|
|
|
49
|
+
|
|
|
50
|
+## Fenix: https://github.com/mozilla-mobile/fenix.git
|
|
|
51
|
+
|
|
|
52
|
+- Start: `a5d13e2ef26d4eb98a32c94b6c6530771e90cd56` ( `v105.0b1` )
|
|
|
53
|
+- End: `01fbfd63743f30ebca31bbfb775bddef94a01a3e` ( `v105.2.0` )
|
|
|
54
|
+
|
|
|
55
|
+### Languages:
|
|
|
56
|
+- [x] java
|
|
|
57
|
+- [x] cpp
|
|
|
58
|
+- [x] js
|
|
|
59
|
+- [x] rust
|
|
|
60
|
+
|
|
|
61
|
+Nothing of interest (using `code_audit.sh`)
|
|
|
62
|
+
|
|
|
63
|
+## Ticket Review ##
|
|
|
64
|
+
|
|
|
65
|
+Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=105%20Branch&order=priority%2Cbug_severity&limit=0`
|
|
|
66
|
+
|
|
|
67
|
+#### Problematic Issues
|
|
|
68
|
+
|
|
|
69
|
+- **Use the WER runtime exception module to catch early crashes** https://bugzilla.mozilla.org/show_bug.cgi?id=1682520
|
|
|
70
|
+ - *RESOLUTION*: no new functionality here, just making it work better by moving the registration earlier in the Firefox boot process
|
|
|
71
|
+- **Add a pref to disable Spectre mitigations for Fission web content processes** https://bugzilla.mozilla.org/show_bug.cgi?id=1774178
|
|
|
72
|
+- **Add Surrogate COM Server to handle native Windows notifications when Firefox is closed.** https://bugzilla.mozilla.org/show_bug.cgi?id=1774083
|
|
|
73
|
+ - *RESOLUTOIN* COM sever registration happens in the official firefox installer which we do not use, so nothing to do here
|
|
|
74
|
+- **Add a cookie banner service to automatically handle website cookie banners** https://bugzilla.mozilla.org/show_bug.cgi?id=1783019
|
|
|
75
|
+ - *RESOLUTION* disabled this feature until fully audit, may bring back in the 13.5 time-frame
|
|
|
76
|
+- **Add a locale parameter to the text recognition API** https://bugzilla.mozilla.org/show_bug.cgi?id=1782579
|
|
|
77
|
+ - *RESOLUTION* we'v diabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
|
|
|
78
|
+- **Broken since Firefox 102.0: no instant fallback to direct connection when proxy became unreachable while runtime** https://bugzilla.mozilla.org/show_bug.cgi?id=1779005
|
|
|
79
|
+ - *RESOLUTION*: Tor Browser uses explicitly configured proxy settings so this auto-detect system is no used/does not apply to us
|
|
|
80
|
+- **On systems with IPv6 preferred DNS resolution clients will fail to connect when "localhost" is used as host for the WebSocket server** https://bugzilla.mozilla.org/show_bug.cgi?id=1769994
|
|
|
81
|
+- **Hide the text recognition context menu if the macOS version doesn't support APIs** https://bugzilla.mozilla.org/show_bug.cgi?id=1782981
|
|
|
82
|
+ - *RESOLUTION* we'v diabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
|
|
|
83
|
+- **Implement a context menu modal for text recognition** https://bugzilla.mozilla.org/show_bug.cgi?id=1782578
|
|
|
84
|
+ - *RESOLUTION* we've disabled this system entirely in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42057
|
|
|
85
|
+## Export
|
|
|
86
|
+- [ ] Export Report and save to `tor-browser-spec/audits` |
|
|
\ No newline at end of file |