[tbb-bugs] #26067 [Applications/Tor Browser]: Downloading of images through different circuits than the ones used to view them causes data corruption and incorrect files

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 10 09:40:43 UTC 2018 

#26067: Downloading of images through different circuits than the ones used to view
them causes data corruption and incorrect files
-------------------------------------+-------------------------------------
     Reporter:  fufufu               |      Owner:  tbb-team
         Type:  defect               |     Status:  new
     Priority:  High                 |  Milestone:
    Component:  Applications/Tor     |    Version:  Tor: unspecified
  Browser                            |   Keywords:  images, saving,
     Severity:  Normal               |  downloading
Actual Points:                       |  Parent ID:
       Points:                       |   Reviewer:
      Sponsor:                       |
-------------------------------------+-------------------------------------
 1. You view an image in Tor Browser, right-click on it, and hit "Save
 Image As" to download it.

 2. The download appears to complete normally, Tor Browser shows no error
 or that the download has failed, and the image is seemingly on your
 computer.

 3. However, because Tor Browser picks a new circuit every time you choose
 to save an image, one that is different than the one used to actually
 deliver it to you as you see it in your browser, and because you got
 unlucky this time with the resultant IP address selected, instead of
 saving your image, you end up saving Cloudflare's "Attention Required"
 page with the name of your image, or one of those "Your IP address has
 been blacklisted." pages, or some other file that is not a valid image.
 When you go to view the "image", it is corrupt, invalid, and unviewable
 from the perspective of most image viewers as it has no valid image
 header. If the image somehow disappeared from the Internet before you
 noticed this, then you will never have it.

 4. Furthermore, there is no way to manually refresh the circuit selected
 to save the image (as opposed to the one used to view it), so if you do
 recognize this bug, and you have a bad image saving circuit currently
 open, then you have to wait 10 minutes to hopefully get a better one.

 Tor Browser should use the same circuit to download an image as the one
 that it uses to actually display it to you in the browser to prevent these
 errors.

 (This also applies to viewing the source code of pages.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26067>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list