[tor-bugs] #10686 [TorBrowserButton]: Tor allows Cross-Site Request initiations to localhost
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 21 15:04:21 UTC 2014
#10686: Tor allows Cross-Site Request initiations to localhost
-----------------------------------+-----------------------
Reporter:      GerardusHendricks   |  Owner:      mikeperry
Type:          defect              |  Status:     new
Priority:      major               |  Milestone:
Component:     TorBrowserButton    |  Version:
Resolution:                        |  Keywords:
Actual Points:                     |  Parent ID:
Points:                            |
-----------------------------------+-----------------------
Comment (by cypherpunks):
(Well hello this is awkward, you can refer to me as cypherpunks2)
Replying to [comment:1 cypherpunks]:
> You can't remove 127.0.0.1 too, else some part of Firefox code will go to communicate with itself via Tor.
Can you elaborate what you mean by this? Which Firefox code are you
referring to?
If I set
{{{
user_pref("extensions.torbutton.no_proxies_on", "");
user_pref("extensions.torbutton.saved.no_proxies_on", "");
user_pref("network.proxy.no_proxies_on", "");
}}}
and then try to connect to http://127.0.0.1:631 (the CUPS printer
interface), as expected, tor rejects the connection:
{{{
[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10686#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
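
A check for the three bypass preferences named in the comment above, added here as an example and not part of the original message or of Torbutton's code: it parses prefs.js text and lists any loopback entries still exempted from the proxy. The function names, the sample fragments and the entry syntax handled (host, host:port, bracketed IPv6, CIDR) are assumptions.

```python
import ipaddress
import re

# Preference names as quoted in the comment above.
BYPASS_PREFS = (
    "extensions.torbutton.no_proxies_on",
    "extensions.torbutton.saved.no_proxies_on",
    "network.proxy.no_proxies_on",
)
# user_pref("name", "value"); anchored at line start so //-commented lines are skipped.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)
# Constructed sample input (not from the ticket): loopback still exempted.
SAMPLE_BEFORE = '''
user_pref("extensions.torbutton.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.proxy.no_proxies_on", "localhost:631, [::1], .example.com");
'''
# The settings from the comment above: all three lists emptied.
SAMPLE_AFTER = "".join('user_pref("%s", "");\n' % n for n in BYPASS_PREFS)

def is_loopback(entry):
    """True if one bypass-list entry names the local machine."""
    host = entry.strip().lower()
    if host.startswith("["):            # bracketed IPv6, e.g. [::1]:631
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # host:port, e.g. 127.0.0.1:631
        host = host.split(":", 1)[0]
    host = host.split("/", 1)[0]        # CIDR, e.g. 127.0.0.0/8
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                    # some other host name or domain

def loopback_bypasses(prefs_text):
    """Map each bypass pref to the loopback entries it still contains."""
    values = dict(PREF_RE.findall(prefs_text))   # a later line overrides an earlier one
    findings = {}
    for name in BYPASS_PREFS:
        if name not in values:
            findings[name] = None       # absent: the browser's own default applies
            continue
        hits = [e.strip() for e in values[name].split(",") if is_loopback(e)]
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    print(loopback_bypasses(SAMPLE_BEFORE), loopback_bypasses(SAMPLE_AFTER))
```

An empty result means every listed preference is present and exempts no loopback destination; a `None` value marks a preference the file does not set.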