[tbb-bugs] #33962 [Applications/Tor Browser]: Uplift patch for 5741 (dns leak protection)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 5 08:02:44 UTC 2020


#33962: Uplift patch for 5741 (dns leak protection)
-------------------------------------------------+-------------------------
 Reporter:  acat                                 |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ReleaseTrainMigration                |  Actual Points:
  TorBrowserTeam202005R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor58
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:2 acat]:
 > I adapted the patch from #5741 to try to upstream it. You can find it in
 https://github.com/acatarineu/tor-browser/commit/33962
 (f27d3258eb3ca2a86774342248184c8111546dab).
 >
 > I know we briefly discussed about having this behind the `--enable-
 proxy-bypass-protection`, but I think there *might* be chances for this to
 be upstreamed as it is now, and be useful for Firefox (it wouldn't be for
 sure if it's behind the proxy bypass flag).
 >
 > I did a couple of changes with respect to the original patch. The main
 one is that the patch I attached is checking that both `network.proxy.type
 = MANUAL` and `network.proxy.socks_remote_dns = true`, while the current
 patch only checks `network.proxy.socks_remote_dns = true`. I think this
 change is needed to avoid blocking DNS when we should not, for example in
 a situation where a user sets up a SOCKS proxy (enabling DNS through
 socks), and then switches back to 'No proxy', in `about:preferences`. I
 think the patch with these changes is safe enough for Firefox, in the
 sense that it should not result in undesired breakage.
 >
 > The question is whether is also safe for us, in terms of proxy bypass
 protection. My assumption is yes, as the only additional change is that we
 also check for `network.proxy.type`, and we don't support changing this in
 Tor Browser. But I think it's a good idea for this to be reviewed before
 trying to push the patch to Firefox. I added this to 202005, but please
 feel free to re-prioritize.

 Hrm. I wonder if it would be smarter to open a bug at bugzilla in the mean
 time (I don't see one filed as child of
 https://bugzilla.mozilla.org/show_bug.cgi?id=1433504) and get feedback
 about what would be acceptable for Mozilla and then write a patch that
 would fix this bug, too). I mean we could go through the review process
 here and maybe merge your patch to our tree just to write yet another
 patch which Mozilla would accept. I have some hope, though, we can avoid
 the first part and save us some time. :) What do you think?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33962#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list