commit 613100ac446b405698e7927b352f1877319be05e Author: Yawning Angel yawning@schwanenlied.me Date: Sat Jan 7 19:52:50 2017 +0000
Enforce the patch size against that listed in the update XML metadata.
This is more defense in depth than anything else, since the patch's signature is checked, and the update XML file is what I consider semi-trusted (fetched from a source that is cryptographically authenticated either via HPKP or a `.onion`, but not signed on its own).
It is however the sensible thing to do since SHA512 is susceptible to length-extension attacks. --- ChangeLog | 1 + src/cmd/sandboxed-tor-browser/internal/ui/update.go | 6 ++++++ 2 files changed, 7 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 7b7f170..8ca4df4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,7 @@ Changes in version 0.0.3 - UNRELEASED:
     on certain pages.
   * Bug 20973: Silence Gdk warnings on systems with integrated png loader.
   * Bug 20806: Try even harder to exclude gstreamer.
+  * Enforce the patch size against that listed in the update XML metadata.
   * Minor tweaks to the "something in progress" dialog box.
   * Disable the firefox safe mode prompt, because it is nonsensical when applied to Tor Browser.
diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/update.go b/src/cmd/sandboxed-tor-browser/internal/ui/update.go
index da69562..9509c5c 100644
--- a/src/cmd/sandboxed-tor-browser/internal/ui/update.go
+++ b/src/cmd/sandboxed-tor-browser/internal/ui/update.go
@@ -145,6 +145,12 @@ func (c *Common) FetchUpdate(async *Async, patch *installer.Patch) []byte {
 	log.Printf("update: Validating Tor Browser Update.")
 	async.UpdateProgress("Validating Tor Browser Update.")
+	// Validate the size against that listed in the XML file.
+	if len(mar) != patch.Size {
+		async.Err = fmt.Errorf("downloaded patch size does not match patch metadata")
+		return nil
+	}
+
 	// Validate the hash against that listed in the XML file.
 	expectedHash, err := hex.DecodeString(patch.HashValue)
 	if err != nil {
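Review bot: The error assigned on the added `async.Err` line drops the two sizes that disagreed, which is the first thing anyone debugging a rejected update will want; `async.Err = fmt.Errorf("downloaded patch size %d does not match patch metadata size %d", len(mar), patch.Size)` costs nothing and keeps the message lowercase and unpunctuated. The comparison also runs only after `mar` has been fully buffered, so as defense in depth it cannot bound the memory an oversized or runaway response consumes — if the download is read with an `io.ReadAll`-style call (not visible in this hunk), wrapping the body in `io.LimitReader(body, int64(patch.Size)+1)` and rejecting anything longer would make the limit apply before allocation rather than after. A `Size` that is absent or zero in the XML now rejects every non-empty download; that is fail-closed and presumably intended, but a one-line comment such as `// A missing Size in the metadata fails closed.` would make that explicit. FetchUpdate begins before the hunk and continues past it.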