[tor-bugs] #22170 [Applications/Tor Browser]: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety on Android

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 30 18:00:19 UTC 2018


#22170: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety
on Android
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  sysrqb
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-mobile,                |  Actual Points:
  TorBrowserTeam201807                           |
Parent ID:  #21863                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by sysrqb):

 This code is kinda scary. It's highly configurable, so we must be very
 careful that we don't miss something.

 In
 `mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java`,
 when the connection is instantiated we configure the default proxy on the
 client connection.

 HttpClientAndroidLib is a crazy web of abstractions over HTTP connections.
 It uses connection pools for reusing existing connections, it uses routes
 for retrying connection requests that failed on different interfaces
 and/or using other proxy servers.

 As long as the `PlainSocketFactory` and `SSLSocketFactory` are
 instantiated without setting `nameResolver`, we should not leak the DNS
 lookup.

 The `client` is created as a `DefaultHttpClient` [0]. This is where we
 hard-code the proxy config:
 {{{
     HttpHost defaultProxy = new HttpHost(ProxySelector.getProxyHostAddress(),
                                          ProxySelector.getHttpProxyPort());
     client.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, defaultProxy);
 }}}

 `getParams()` returns a `HttpParams` [1] which is an instance of
 `SyncBasicHttpParams` [2]. Then, when `client.execute()` is called [3],
 after some levels of abstraction a `RequestDirector` is created as a
 `DefaultRequestDirector`[4]. Here a `BasicClientConnectionManager` is
 created as the `ClientConnectionManager`. In the
 `RequestDirector.execute()` method, the request's `HttpRoute` is found via
 the `DefaultRoutePlanner`[6] (created when the `Director` was created[7]).
 This is where the default proxy is checked (as it is set above) [8] and
 this information is passed into the `HttpRoute` constructor[9]. This
 configures the `proxyChain` array of proxies used by this route.

 Inside `RequestDirector.execute()`, at the first connection a new
 connection is created by calling `connManager.requestConnection()` in
 `BasicClientConnectionManager`. This then creates a new
 `ClientConnectionOperator` as a `DefaultClientConnectionOperator`[10].
 Then an `OperatedClientConnection` is created by
 `DefaultClientConnectionOperator.createConnection()`. Lastly, a
 `ManagedClientConnectionImpl` [11] is created and returned.

 Later in `execute()`, `tryConnect()` is called, where
 `ManagedClientConnectionImpl.open()` is then called. Here,
 `DefaultClientConnectionOperator.open()` connection is called where the
 target is the previously configured proxy [12]. In this method, a `Socket`
 is created by the respective `Scheme` factory for the proxy.

 NOTE: this resolved the proxy address using the system DNS resolver [13].
 This shouldn't leak anything, but we don't need this.


 [0] `mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/client/DefaultHttpClient.java`
 [1] `mobile/android/thirdparty/ch/boye/httpclientandroidlib/params/HttpParams.java`
 [2] `mobile/android/thirdparty/ch/boye/httpclientandroidlib/params/SyncBasicHttpParams.java`
 [3] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java?h=tor-browser-60.1.0esr-8.0-1#n315
 [4] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/client/AbstractHttpClient.java?h=tor-browser-60.1.0esr-8.0-1#n805
 [5] `mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/BasicClientConnectionManager.java`
 [6] `mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultHttpRoutePlanner.java`
 [7] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/client/AbstractHttpClient.java?h=tor-browser-60.1.0esr-8.0-1#n811
 [8] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/params/ConnRouteParams.java?h=tor-browser-60.1.0esr-8.0-1#n68
 [9] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultHttpRoutePlanner.java?h=tor-browser-60.1.0esr-8.0-1#n118
 [10] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/BasicClientConnectionManager.java?h=tor-browser-60.1.0esr-8.0-1#n167
 [11] `mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/ManagedClientConnectionImpl.java`
 [12] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/ManagedClientConnectionImpl.java?h=tor-browser-60.1.0esr-8.0-1#n304
 [13] https://gitweb.torproject.org/tor-browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java?h=tor-browser-60.1.0esr-8.0-1#n159

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22170#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
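
Added example, not part of the original comment or of Tor Browser's code: a route-planning check for the path traced above, confirming that `ConnRoutePNames.DEFAULT_PROXY` ends up as the first hop of the planned `HttpRoute`, with an unconfigured client as negative control. It assumes the upstream Apache HttpClient 4.x package names (`org.apache.http.*`), which httpclientandroidlib repackages under `ch.boye.httpclientandroidlib.*`; the class name `ProxyRouteCheck`, the proxy address and the target URLs are constructed placeholders.

```java
import org.apache.http.HttpHost;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.conn.routing.HttpRoute;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.DefaultedHttpParams;
import org.apache.http.protocol.BasicHttpContext;

public class ProxyRouteCheck {
    // Constructed placeholder; the page takes these values from
    // ProxySelector.getProxyHostAddress() / getHttpProxyPort().
    static final HttpHost PROXY = new HttpHost("127.0.0.1", 8118);

    /** Plans (does not open) the route the client would use for url. */
    static HttpRoute plan(DefaultHttpClient client, String url) throws Exception {
        HttpGet request = new HttpGet(url);
        // execute() layers the client's params under the request's own params
        // before route planning; reproduce that so the planner sees DEFAULT_PROXY.
        request.setParams(new DefaultedHttpParams(request.getParams(), client.getParams()));
        HttpHost target = new HttpHost(request.getURI().getHost(),
                request.getURI().getPort(), request.getURI().getScheme());
        return client.getRoutePlanner().determineRoute(target, request, new BasicHttpContext());
    }

    /** True only if the first hop of the planned route is the expected proxy. */
    static boolean isProxied(HttpRoute route) {
        return PROXY.equals(route.getProxyHost());
    }

    public static void main(String[] args) throws Exception {
        DefaultHttpClient configured = new DefaultHttpClient();
        configured.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, PROXY);
        DefaultHttpClient unconfigured = new DefaultHttpClient(); // negative control

        for (String url : new String[] {"http://example.invalid/", "https://example.invalid/"}) {
            HttpRoute good = plan(configured, url);
            HttpRoute bad = plan(unconfigured, url);
            System.out.println(url + " configured:   " + good + " proxied=" + isProxied(good));
            System.out.println(url + " unconfigured: " + bad + " proxied=" + isProxied(bad));
            // Fail loudly if the proxy is missing from the route, or if the
            // control client unexpectedly reports a proxied route.
            if (!isProxied(good) || isProxied(bad)) {
                throw new AssertionError("unexpected route for " + url);
            }
        }
    }
}
```

Only route planning runs here, so no socket is opened and no name is resolved; the check covers the planner's decision, not the later socket creation in the connection operator.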

