[tbb-bugs] #13019 [Tor Browser]: New locale fingerprinting capabilities in FF31ESR
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Sep 29 23:23:19 UTC 2014
#13019: New locale fingerprinting capabilities in FF31ESR
-------------------------+-------------------------------------------------
Reporter: | Owner: tbb-team
mikeperry | Status: needs_revision
Type: defect | Milestone:
Priority: major | Version:
Component: Tor | Keywords: ff31-esr, tbb-fingerprinting,
Browser | TorBrowserTeam201409, MikePerry201409R
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Changes (by mikeperry):
* status: needs_review => needs_revision
Comment:
There are a couple issues with this patch. You shouldn't need to store the
current locale just to have something to do in
DefaultJSLocaleSetter::Run() when the pref is empty. If the pref is empty,
just do nothing. This eliminates the need to export JS_GetDefaultLocale()
as well.
But beyond this, there's actually two bugs in the storage of this locale
information. In the case of DefaultJSLocaleSetter::jsLocale, you leak it
on XPCOM shutdown. In the case of DefaultJSLocaleSetting::systemLocale,
you are keeping a pointer to a static buffer, so that subsequent calls to
setlocale may cause this memory to get replaced with something else. It
probably will always contain the actual current locale, but this seems a
bit sloppy to rely on.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13019#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list