[tor-bugs] #21625 [Applications/Tor Browser]: Review networking code for Firefox 52

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 31 22:55:20 UTC 2017


#21625: Review networking code for Firefox 52
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:
                                                 |  mikeperry
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Critical                             |     Resolution:
 Keywords:  TorBrowserTeam201703, ff52-esr,      |  Actual Points:
  tbb-7.0-must                                   |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by mikeperry):

 Stuff we should patch/disable:
  * FlyWeb (dom/flyweb/FlyWebService.cpp) - This is a mechanism for
 contacting local devices and interacting with them. It may not be fully
 implemented, but networking code is definitely here. Disable it.
  * dom/presentation/* and nsNetworkInfoService::ListNetworkAddresses - the
 Presentation API (for remote displays - https://developer.mozilla.org/en-
 US/docs/Web/API/Presentation_API). This needs to be disabled even if
 proxied, because it does ICE-style IP address discovery and advertisement.
  * ./dom/presentation/provider/MulticastDNSDeviceProvider.cpp - used by
 the Presentation API to announce itself (and maybe other stuff?). Make
 sure it gets disabled.
  * The Rust URL parser (third_party/rust/url/src/host.rs) has a
 to_socket_addrs and ToSocketAddrs methods. These should be patched out for
 safety and to remind us later, I think.
  * netwerk/dns/mdns/libmdns/fallback/MulticastDNS.jsm - more mDNS stuff
 that should be disabled.

 Android stuff that definitely leaks that we should fix (missing proxy
 params to HttpUrlConnection - these need to use the buildHttpConnection
 helper to get a proxy):
  * mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java
  *
 mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
  *
 mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java
  * mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java

 That's it for the stuff that definitely needs patching. I'll post the
 other sets as soon as I can.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21625#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list