[tor-bugs] #21862 [Applications/Tor Browser]: Make rust code in ESR 52 proxy safe

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 1 23:27:12 UTC 2017


#21862: Make rust code in ESR 52 proxy safe
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201706R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 I don't know rust either, but I was curious what happens if these
 functions are ripped out. Is any code calling them?

 I tried building with `ac_add_options --enable-rust` in the mozconfig file
 and I got the follow error message:

 {{{
  2:45.75 error: the listed checksum of `/home/arthur/tor-
 browser/third_party/rust/url/src/lib.rs` has changed:
  2:45.75 expected:
 c3542aabc733f76a3b9c7d24b5c41e60e9eb84d2712660611300d1de0e7c2072
  2:45.75 actual:
 3abae55faf84f05be573d6275fa49ca2e61a4a95e3717a9059e3971b5d53101a
  2:45.75
  2:45.75 directory sources are not intended to be edited, if modifications
 are required then it is recommended that [replace] is used with a forked
 copy of the source
  2:45.76 /home/arthur/tor-browser/config/rules.mk:939: recipe for target
 'force-cargo-build' failed
  2:45.76 make[5]: *** [force-cargo-build] Error 101
  2:45.76 /home/arthur/tor-browser/config/recurse.mk:71: recipe for target
 'toolkit/library/rust/target' failed
  2:45.76 make[4]: *** [toolkit/library/rust/target] Error 2
  2:45.76 make[4]: *** Waiting for unfinished jobs....
 }}}

 The "expected" hash (c3542aab...) is located in `third_party/rust/url
 /.cargo-checksum.json`. The README in the same directory says this code is
 a
 {{{
 URL library for Rust, based on the [URL
 Standard](https://url.spec.whatwg.org/).
 }}}

 So it looks to me like this is patching a "third-party library", whereas
 we should probably be ripping out something considered to be "first-party"
 gecko code.

 Another option might be just to remove the whole third-party directory or
 even all rust files from the source code.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21862#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list