[tor-bugs] #21625 [Applications/Tor Browser]: Review networking code for Firefox 52

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 4 20:17:33 UTC 2017 

#21625: Review networking code for Firefox 52
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:
                                                 |  mikeperry
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Critical                             |     Resolution:
 Keywords:  TorBrowserTeam201703, ff52-esr,      |  Actual Points:
  tbb-7.0-must                                   |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:3 mikeperry]:
 > Stuff we should patch/disable:
 >  * FlyWeb (dom/flyweb/FlyWebService.cpp) - This is a mechanism for
 contacting local devices and interacting with them. It may not be fully
 implemented, but networking code is definitely here. Disable it.

 We have #21746 for that.

 >  * dom/presentation/* and nsNetworkInfoService::ListNetworkAddresses -
 the Presentation API (for remote displays - https://developer.mozilla.org
 /en-US/docs/Web/API/Presentation_API). This needs to be disabled even if
 proxied, because it does ICE-style IP address discovery and advertisement.

 #18862

 >  * ./dom/presentation/provider/MulticastDNSDeviceProvider.cpp - used by
 the Presentation API to announce itself (and maybe other stuff?). Make
 sure it gets disabled.
 >  * The Rust URL parser (third_party/rust/url/src/host.rs) has a
 to_socket_addrs and ToSocketAddrs methods. These should be patched out for
 safety and to remind us later, I think.
 >  * netwerk/dns/mdns/libmdns/fallback/MulticastDNS.jsm - more mDNS stuff
 that should be disabled.

 We have #21861 for the mdns stuff and #21862 for the Rust part.

 > Android stuff that definitely leaks that we should fix (missing proxy
 params to HttpUrlConnection - these need to use the buildHttpConnection
 helper to get a proxy):
 >  * mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java
 >  *
 mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
 >  *
 mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java
 >  * mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java

 That's #21683.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21625#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list