[tor-bugs] #20772 [Applications/Tor Browser]: src="data:< ; base64 images rendered when "Show images"="Blocked"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 25 23:13:49 UTC 2016
#20772: src="data:<;base64 images rendered when "Show images"="Blocked"
------------------------------------------+----------------------
Reporter: cypherpunks                     | Owner: tbb-team
Type: defect                              | Status: new
Priority: Immediate                       | Milestone:
Component: Applications/Tor Browser       | Version:
Severity: Blocker                         | Keywords:
Actual Points:                            | Parent ID:
Points:                                   | Reviewer:
Sponsor:                                  |
------------------------------------------+----------------------
Any webpages (e.g. ht tp://defensivepatentlicense.org/) that use base64
encoding thwart people's disabling of images.

Due to there not being enough software writers to go around, TBB and its
derivatives e.g. Orfox (ht tps://dev.guardianproject.info/issues/8039)
often leave remote code execution vulnerabilities in the image parser.
Disabling images would protect against this vector of infection, but they
can't be disabled. Due to the almost identical codebase for everything but
the menus and window borders, I think that this is likely a bug in the TBB
source code rather than in the tiny delta that is Orfox.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20772>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
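
Added example (not part of the ticket and not Tor Browser code): a small audit that lists each <img> source on a page as either a remote fetch or an inline data: URI, the kind this ticket reports as still rendered with images blocked. The names `audit`, `parse_data_uri` and `ImageSourceAudit`, the sample HTML and the placeholder image bytes are constructed for illustration.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Constructed sample: placeholder bytes with a GIF signature, not a real image.
FAKE_GIF = b"GIF89a" + bytes(10)
SAMPLE_HTML = (
    '<p>demo</p><img src="https://example.org/logo.png">'
    '<img alt="inline" src="data:image/gif;base64,%s"/>'
    % base64.b64encode(FAKE_GIF).decode("ascii")
)


def parse_data_uri(uri):
    """Split a data: URI into MIME type, base64 flag and decoded size."""
    header, sep, payload = uri[len("data:"):].partition(",")
    if not sep:
        raise ValueError("data: URI without a comma separator")
    fields = [f.strip().lower() for f in header.split(";")]
    is_b64 = "base64" in fields[1:]
    try:
        raw = base64.b64decode(payload, validate=True) if is_b64 else unquote_to_bytes(payload)
    except binascii.Error:
        raw = None  # malformed base64: report it, do not guess a size
    return {"mime": fields[0] or "text/plain", "base64": is_b64,
            "bytes": None if raw is None else len(raw)}


class ImageSourceAudit(HTMLParser):
    """Collects <img> sources, separating network fetches from inline data."""

    def __init__(self):
        super().__init__()
        self.remote, self.inline = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = (dict(attrs).get("src") or "").strip()
        if src.lower().startswith("data:"):
            self.inline.append(parse_data_uri(src))  # no network request involved
        elif src:
            self.remote.append(src)


def audit(html):
    """Return (remote_sources, inline_images) for the given HTML text."""
    parser = ImageSourceAudit()
    parser.feed(html)
    parser.close()
    return parser.remote, parser.inline
```

Only `src` attributes of <img> elements are inspected; `srcset` and CSS backgrounds are outside what this example covers.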