[tbb-bugs] #24755 [Applications/Tor Browser]: Shell scripts refactoring and bash privacy leak. Heredoc should not be used in start-tor-browser script.

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 28 14:46:22 UTC 2017

#24755: Shell scripts refactoring and bash privacy leak. Heredoc should not be used
in start-tor-browser script.
     Reporter:  asan                      |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Low                       |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Minor                     |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
 In most of shells (including bash) heredoc, i.e. `<<` and `<<<`, is
 implemented through creation of temporary files in TMP. In the case of
 bash these are the files like `/tmp/sh-thd-1234567890`. This can be
 checked using the command [[https://unix.stackexchange.com/questions/21602
 sleep 3 <<<"here string" & lsof -p $! | grep 0r
 Furthermore, these TMP files may remain if, e.g., shell script crashes.
 There were some complaints that these files are still accessible through
 file descriptors even after removal [[http://gnu-bash.2382.n7.nabble.com

 Since TBB and similar applications are intended to be portable, they
 should not leave traces outside of their portable directory. However, bash
 commands in scripts like `start-tor-browser` may run when separate TMP for
 TBB is not yet set, i.e. system TMP (/tmp), which is not always mounted in
 memory, may be used. It means that traces (that TBB was used) will be
 created outside of TBB directory. This is a minor leak in comparison to en
 elephant [[https://trac.torproject.org/projects/tor/ticket/7449|7449]]
 (yet unfixed), but it is still a leak.

 In general, if TMP for TBB is created before the use of heredoc command in
 script, it should be fine. However, as heredoc is potentially leaky and
 dangerous thing, it should be avoided in secure scripts. One could use
 simple `echo` command instead.

 Now `start-tor-browser` has at least one `cat <<EOF`. AFAIK, tor-messenger
 also has this problem. By the way, in this case writing `cat <<"EOF"`
 (i.e. with quotation) is the safer alternative, as variables substitution
 will not be done, and substituted text will be verbatim. Moreover, new
 safer notation {{{$(command)}}} should be used instead of old-style
 {{{`command`}}} in `start-tor-browser`.

 There are also other things in this script, which are often considered to
 be a bad practice. In particular,
  1. Multiple characters variables should be always in braces
 (`${show_output}` instead of `$show_output`).
  1. Quotation `""` should be used everywhere and in all assignments.
  1. `[[` and `]]`, as much safer alternative, should be used instead of
 `[` and `]`.
 I would refer to Google shell style guide
 [[https://google.github.io/styleguide/shell.xml|[4]]] as a good starting
 point to learn how to write secure shell scripts.

 All these notes should be applied to all shell scripts within Tor Project.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24755>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list