[tbb-bugs] #13019 [Tor Browser]: New locale fingerprinting capabilities in FF31ESR

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 29 23:23:19 UTC 2014

#13019: New locale fingerprinting capabilities in FF31ESR
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  needs_revision
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  ff31-esr, tbb-fingerprinting,
  Browser                |  TorBrowserTeam201409, MikePerry201409R
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
Changes (by mikeperry):

 * status:  needs_review => needs_revision


 There are a couple issues with this patch. You shouldn't need to store the
 current locale just to have something to do in
 DefaultJSLocaleSetter::Run() when the pref is empty. If the pref is empty,
 just do nothing. This eliminates the need to export JS_GetDefaultLocale()
 as well.

 But beyond this, there's actually two bugs in the storage of this locale
 information. In the case of DefaultJSLocaleSetter::jsLocale, you leak it
 on XPCOM shutdown. In the case of DefaultJSLocaleSetting::systemLocale,
 you are keeping a pointer to a static buffer, so that subsequent calls to
 setlocale may cause this memory to get replaced with something else. It
 probably will always contain the actual current locale, but this seems a
 bit sloppy to rely on.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13019#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list