[tor-bugs] #13019 [Tor Browser]: New locale fingerprinting capabilities in FF31ESR

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 2 20:40:42 UTC 2014


#13019: New locale fingerprinting capabilities in FF31ESR
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  needs_revision
         Type:  defect   |  Milestone:
     Priority:  major    |    Version:
    Component:  Tor      |   Keywords:  ff31-esr, tbb-fingerprinting,
  Browser                |  MikePerry201409R, TorBrowserTeam201410
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:5 mikeperry]:
 > There are a couple issues with this patch. You shouldn't need to store
 > the current locale just to have something to do in
 > DefaultJSLocaleSetter::Run() when the pref is empty. If the pref is empty,
 > just do nothing. This eliminates the need to export JS_GetDefaultLocale()
 > as well.

 My thinking is that it is nice to be able to set this pref at runtime. So
 if the user sets the pref to empty at some point, then the original locale
 will be restored. That's why we need to store the original locale on
 startup. Otherwise we would have to require restarting the browser
 whenever the pref is changed.

 > But beyond this, there's actually two bugs in the storage of this locale
 > information. In the case of DefaultJSLocaleSetter::jsLocale, you leak it
 > on XPCOM shutdown. In the case of DefaultJSLocaleSetting::systemLocale,
 > you are keeping a pointer to a static buffer, so that subsequent calls to
 > setlocale may cause this memory to get replaced with something else. It
 > probably will always contain the actual current locale, but this seems a
 > bit sloppy to rely on.

 Thanks for catching these two bad mistakes. I believe I've fixed them in
 the new patch version, added above. I also changed the implementation to
 use Preferences::RegisterCallback/UnRegisterCallback, which is more
 concise than the nsIObserver approach.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13019#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
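
The two storage bugs discussed in this comment (a leaked copy and a retained pointer into `setlocale`'s static buffer), together with the restore-on-empty-pref behaviour, can be sketched as follows. This is an added example, not code from the ticket's patch or from Tor Browser: the class `LocaleOverride` and its methods are hypothetical, it uses only the C library's `setlocale` with an owned `std::string`, and it leaves out the `Preferences::RegisterCallback` wiring and the JS default locale.

```cpp
#include <clocale>
#include <iostream>
#include <string>

// Hypothetical helper, not the patch's DefaultJSLocaleSetter.
class LocaleOverride {
 public:
  LocaleOverride() : original_(Current()) {}
  // BUG pattern from the review (do not do this):
  //   const char* saved = setlocale(LC_ALL, nullptr);
  // The C library owns that storage and may overwrite or free it on the
  // next setlocale() call, so `saved` can silently change or dangle.
  // Copying into std::string fixes that, and the string's destructor
  // releases the copy at shutdown, so nothing leaks either.

  // Pref-change callback body: a non-empty value overrides the locale,
  // an empty value restores the one captured at startup (no restart needed).
  bool OnPrefChanged(const std::string& pref) {
    const std::string& target = pref.empty() ? original_ : pref;
    return std::setlocale(LC_ALL, target.c_str()) != nullptr;
  }

  const std::string& original() const { return original_; }

  // Snapshot of the current process locale as an owned copy.
  static std::string Current() {
    const char* cur = std::setlocale(LC_ALL, nullptr);
    return cur ? std::string(cur) : std::string("C");
  }

 private:
  std::string original_;  // owned copy of the startup locale
};

int main() {
  LocaleOverride lo;
  std::cout << "startup:  " << lo.original() << "\n";
  // "POSIX" is a constructed sample pref value; it is always available.
  lo.OnPrefChanged("POSIX");
  std::cout << "override: " << LocaleOverride::Current() << "\n";
  lo.OnPrefChanged("");  // user cleared the pref
  std::cout << "restored: " << LocaleOverride::Current() << "\n";
  return 0;
}
```

`setlocale` changes process-wide state and is not safe to call concurrently with other locale-dependent code, so a callback like this belongs on a single, known thread.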