[tbb-bugs] #24755 [Applications/Tor Browser]: Shell scripts refactoring and bash privacy leak. Heredoc should not be used in start-tor-browser script.

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 29 09:44:26 UTC 2018


#24755: Shell scripts refactoring and bash privacy leak. Heredoc should not be used
in start-tor-browser script.
--------------------------------------+--------------------------
 Reporter:  asan                      |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  Low                       |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Minor                     |     Resolution:
 Keywords:  tbb-disk-leak             |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by boklm):

 It seems that setting `TMPDIR` to a `tmp` directory inside the Tor Browser
 directory at the beginning of `start-tor-browser` would solve the issue
 with `<<`.

 If I run the following script:
 {{{
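 #!/bin/bash
 # Point bash's temporary files at a dedicated directory
 export TMPDIR='/tmp/test-heredoc'
 mkdir -p "$TMPDIR"
 # Feed a here-string to a background sleep, then list the file backing its stdin (fd 0)
 sleep 3 <<<"here string" & lsof -p $! | grep 0r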
 }}}

 I get the following output:
 {{{
 sleep   3719 user    0r   REG   0,36       12  27468 /tmp/test-heredoc/sh-thd-811442066 (deleted)
 }}}

 It might also be useful to set `TMPDIR` in case some part of Firefox is
 using it to select the tmp directory.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24755#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

