[tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Dec 12 23:11:32 UTC 2010


#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
 Reporter:  dkg                   |       Owner:  pde     
     Type:  defect                |      Status:  accepted
 Priority:  major                 |   Milestone:          
Component:  EFF-HTTPS Everywhere  |     Version:          
 Keywords:                        |      Parent:          
----------------------------------+-----------------------------------------

Comment(by pde):

 Replying to [comment:9 rransom]:
 >
 > The only downside is that you will need to convert all of the existing
 rulesets to the new format.  This time, add an XML namespace URI and/or
 some other version indicator.

 Yes, and the fact that the Wikipedia and Google Search rulesets cannot be
 represented with fewer than thousands of entries in agl's format.  Yes, we
 could do interfield regexps of some sort, but only at the expense of
 significant added complexity.

 >
 > But the real reason this is necessary is (quoting agl's message):
 > > Serialising and re-parsing URLs is very scary from a security point of
 view. It would be greatly preferable to handle URLs in their processed
 form.
 >
 > If we don't start operating on parsed URLs, we can only expect more
 exploitable bugs like this one in the future.

 So my proposal #3 is a hybrid between these approaches; it relies on
 Mozilla to do some but not all of the URI parsing.  Question: can we think
 of any other categories of parsing trouble that we might run into if we do
 #3?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list