[tbb-bugs] #25851 [Applications/Tor Browser]: TBA - Make sure third-party code is proxy safe

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Aug 1 17:34:49 UTC 2018


#25851: TBA - Make sure third-party code is proxy safe
------------------------------------------+--------------------------
 Reporter:  sysrqb                        |          Owner:  tbb-team
     Type:  defect                        |         Status:  new
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  tbb-mobile, tbb-proxy-bypass  |  Actual Points:
Parent ID:  #21863                        |         Points:
 Reviewer:                                |        Sponsor:  Sponsor4
------------------------------------------+--------------------------

Comment (by sysrqb):

 Replying to [ticket:25851 sysrqb]:
 > {{{
 > $ git grep -n openConnection\( mobile/android/thirdparty/
 > }}}
 > {{{
 > mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ClientConnectionOperator.java:78: void openConnection(OperatedClientConnection conn,
 > mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java:144: public void openConnection(
 > mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/ManagedClientConnectionImpl.java:304: this.operator.openConnection(
 > }}}
 #22170
 > {{{
 > mobile/android/thirdparty/com/leanplum/internal/SocketIOClient.java:82: HttpURLConnection connection = (HttpURLConnection) url.openConnection();
 > mobile/android/thirdparty/com/leanplum/internal/Util.java:540: HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
 > }}}

 LeanPlum is not included by default. It is only included if
 `MOZ_ANDROID_MMA` is `true` (`false` by default) and `MOZ_ANDROID_GCM`
 must be `true` (which we set `false` at configure time):
 https://gitweb.torproject.org/tor-browser.git/tree/.mozconfig-android?h=tor-browser-60.1.0esr-8.0-1&id=ce3ad196040db4886e953cf13fc8d24fdf712d4b#n34


 > {{{
 > mobile/android/thirdparty/com/squareup/picasso/UrlConnectionDownloader.java:46: protected HttpURLConnection openConnection(Uri path) throws IOException {
 > mobile/android/thirdparty/com/squareup/picasso/UrlConnectionDownloader.java:47: HttpURLConnection connection = (HttpURLConnection) new URL(path.toString()).openConnection();
 > mobile/android/thirdparty/com/squareup/picasso/UrlConnectionDownloader.java:58: HttpURLConnection connection = openConnection(uri);
 > }}}
 >
 > This isn't the only offending method, we should audit these thoroughly.

 Code we should audit:
 {{{
 $ ls mobile/android/thirdparty/com/
 adjust  booking  googlecode  jakewharton  leanplum  squareup
 }}}
 {{{
 $ ls mobile/android/thirdparty/com/googlecode/eyesfree/braille/selfbraille/
 ISelfBrailleService.java  SelfBrailleClient.java  WriteData.java
 }}}
 {{{
 $ ls mobile/android/thirdparty/org/
 json  lucasr  mozilla
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25851#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
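
Added example, not part of the original message or of Tor Browser's tooling: one way to narrow the `openConnection(` search above to calls that pass no explicit `java.net.Proxy`, grouped per third-party library for manual review. The function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: the function names and sample tree are hypothetical.

# Print "vendor/library<TAB>path:line" for each zero-argument
# `.openConnection()` call under $1. Method declarations and the
# openConnection(Proxy) overload do not match the pattern.
find_unproxied_calls() {
    ( cd "$1" || exit 1
      grep -rnE --include='*.java' '\.openConnection\([[:space:]]*\)' . |
          sed 's|^\./||' |
          awk -F: '{ split($1, p, "/"); printf "%s/%s\t%s:%s\n", p[1], p[2], $1, $2 }' |
          sort )
}

# Print "vendor/library=count" so each library can be triaged separately.
count_by_library() {
    find_unproxied_calls "$1" | cut -f1 | uniq -c | awk '{ print $2 "=" $1 }'
}

# Constructed sample tree (not the real tor-browser checkout).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/com/leanplum/internal" "$d/com/squareup/picasso" "$d/org/example"
    cat > "$d/com/leanplum/internal/Util.java" <<'EOF'
class Util {
  Object open(java.net.URL url) throws Exception {
    return (java.net.HttpURLConnection) url.openConnection();
  }
}
EOF
    cat > "$d/com/squareup/picasso/UrlConnectionDownloader.java" <<'EOF'
class UrlConnectionDownloader {
  protected HttpURLConnection openConnection(Uri path) throws IOException {
    return (HttpURLConnection) new URL(path.toString()).openConnection();
  }
}
EOF
    cat > "$d/org/example/Proxied.java" <<'EOF'
class Proxied {
  Object open(java.net.URL url, java.net.Proxy proxy) throws Exception {
    return url.openConnection(proxy);
  }
}
EOF
    echo "$d"
}

tree=$(make_sample_tree)
count_by_library "$tree"
rm -rf "$tree"
```

A zero-argument call is only a candidate for review, since it uses whatever default proxy configuration the platform has; the pattern also misses calls split across lines.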