This is an automated email from the git hooks/post-receive script.
pierov pushed a commit to branch tor-browser-91.9.0esr-11.5-2 in repository tor-browser.
commit f4639ba025e48820fc49ce17f22024b38fa3533e Author: Mike Perry mikeperry-git@torproject.org AuthorDate: Mon Sep 29 14:30:19 2014 -0700
Bug 13028: Prevent potential proxy bypass cases.
It looks like these cases should only be invoked in the NSS command line tools, and not the browser, but I decided to patch them anyway because there literally is a maze of network function pointers being passed around, and it's very hard to tell if some random code might not pass in the proper proxied versions of the networking code here by accident.
Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1433509 --- security/nss/lib/certhigh/ocsp.c | 4 ++++ security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c | 12 ++++++++++++ 2 files changed, 16 insertions(+)
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index cea8456606bf1..76622614a80a2 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -2927,6 +2927,9 @@ loser: static PRFileDesc * ocsp_ConnectToHost(const char *host, PRUint16 port) { +#ifdef MOZ_PROXY_BYPASS_PROTECTION + return NULL; +#else PRFileDesc *sock = NULL; PRIntervalTime timeout; PRNetAddr addr; @@ -2985,6 +2988,7 @@ loser: if (netdbbuf != NULL) PORT_Free(netdbbuf); return NULL; +#endif }
/* diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c index e8698376b5bec..f34e102721d2b 100644 --- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c +++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c @@ -1322,6 +1322,9 @@ pkix_pl_Socket_Create( PKIX_PL_Socket **pSocket, void *plContext) { +#ifdef MOZ_PROXY_BYPASS_PROTECTION + PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED); +#else PKIX_PL_Socket *socket = NULL;
PKIX_ENTER(SOCKET, "pkix_pl_Socket_Create"); @@ -1369,6 +1372,7 @@ cleanup: }
PKIX_RETURN(SOCKET); +#endif }
/* @@ -1418,6 +1422,9 @@ pkix_pl_Socket_CreateByName( PKIX_PL_Socket **pSocket, void *plContext) { +#ifdef MOZ_PROXY_BYPASS_PROTECTION + PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED); +#else PRNetAddr netAddr; PKIX_PL_Socket *socket = NULL; char *sepPtr = NULL; @@ -1520,6 +1527,7 @@ cleanup: }
PKIX_RETURN(SOCKET); +#endif }
/* @@ -1571,6 +1579,9 @@ pkix_pl_Socket_CreateByHostAndPort( PKIX_PL_Socket **pSocket, void *plContext) { +#ifdef MOZ_PROXY_BYPASS_PROTECTION + PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED); +#else PRNetAddr netAddr; PKIX_PL_Socket *socket = NULL; char *sepPtr = NULL; @@ -1658,6 +1669,7 @@ cleanup: }
PKIX_RETURN(SOCKET); +#endif }
/*