[tor-bugs] #21625 [Applications/Tor Browser]: Review networking code for Firefox 52
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Mar 31 22:55:20 UTC 2017
#21625: Review networking code for Firefox 52
---------------------------------------------------------+-------------------------
Reporter:   gk                                           | Owner:         mikeperry
Type:       task                                         | Status:        assigned
Priority:   Very High                                    | Milestone:
Component:  Applications/Tor Browser                     | Version:
Severity:   Critical                                     | Resolution:
Keywords:   TorBrowserTeam201703, ff52-esr, tbb-7.0-must | Actual Points:
Parent ID:                                               | Points:
Reviewer:                                                | Sponsor:
---------------------------------------------------------+-------------------------
Comment (by mikeperry):
Stuff we should patch/disable:
* FlyWeb (dom/flyweb/FlyWebService.cpp) - This is a mechanism for
contacting local devices and interacting with them. It may not be fully
implemented, but networking code is definitely here. Disable it.
* dom/presentation/* and nsNetworkInfoService::ListNetworkAddresses - the
Presentation API (for remote displays -
https://developer.mozilla.org/en-US/docs/Web/API/Presentation_API). This
needs to be disabled even if
proxied, because it does ICE-style IP address discovery and advertisement.
* ./dom/presentation/provider/MulticastDNSDeviceProvider.cpp - used by
the Presentation API to announce itself (and maybe other stuff?). Make
sure it gets disabled.
* The Rust URL parser (third_party/rust/url/src/host.rs) has
to_socket_addrs and ToSocketAddrs methods. These should be patched out for
safety and to remind us later, I think.
* netwerk/dns/mdns/libmdns/fallback/MulticastDNS.jsm - more mDNS stuff
that should be disabled.
Android stuff that definitely leaks that we should fix (missing proxy
params to HttpUrlConnection - these need to use the buildHttpConnection
helper to get a proxy):
* mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java
* mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java
* mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java
* mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java
That's it for the stuff that definitely needs patching. I'll post the
other sets as soon as I can.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21625#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
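
An added example, not part of the original message and not Mozilla or Tor Project code: a small Python pre-check a reviewer could run for the Android item above, flagging Java `URL.openConnection()` and `URL.openStream()` calls that pass no `Proxy`. The Java snippets in `SAMPLES` are constructed, and treating any argument as a proxy is an assumption of this sketch.

```python
import re

# Match Java string literals first so "http://..." is not mistaken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
# openConnection() with no argument passes no explicit Proxy;
# openStream() is shorthand for openConnection().getInputStream().
_UNPROXIED = re.compile(r'\.(openConnection|openStream)\s*\(\s*\)')

# Constructed sample sources (hypothetical files, not taken from the Firefox tree).
SAMPLES = {
    "DirectFetch.java": (
        'class DirectFetch {\n'
        '  void run() throws Exception {\n'
        '    URL u = new URL("http://feeds.example/rss"); // u.openConnection()\n'
        '    HttpURLConnection c = (HttpURLConnection) u.openConnection();\n'
        '    /* old: u.openStream()\n'
        '     */\n'
        '    InputStream in = new URL("http://x.example/").openStream();\n'
        '  }\n'
        '}\n'
    ),
    "ProxiedFetch.java": (
        'class ProxiedFetch {\n'
        '  void run(Proxy torProxy) throws Exception {\n'
        '    URLConnection c =\n'
        '        new URL("http://feeds.example/rss").openConnection(torProxy);\n'
        '  }\n'
        '}\n'
    ),
}

def strip_comments(src):
    """Blank out comments but keep newlines so line numbers stay correct."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else "\n" * text.count("\n")
    return _TOKEN.sub(repl, src)

def find_unproxied_calls(sources):
    """Return sorted (file, line, method) for each call made without a Proxy."""
    findings = []
    for name, src in sources.items():
        clean = strip_comments(src)
        for m in _UNPROXIED.finditer(clean):
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((name, line, m.group(1)))
    return sorted(findings)

if __name__ == "__main__":
    for hit in find_unproxied_calls(SAMPLES):
        print("%s:%d: %s() called without a Proxy" % hit)
```

Each hit is only a candidate for manual review; a call that does pass an argument still needs checking that the argument is the intended proxy.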