[tor-bugs] #22170 [Applications/Tor Browser]: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety on Android

Tue Jul 31 21:18:06 UTC 2018

#22170: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety
on Android
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  sysrqb
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-mobile,                |  Actual Points:
  TorBrowserTeam201807                           |
Parent ID:  #21863                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by sysrqb):

 Replying to [comment:20 sysrqb]:
 > All files where Fennec uses `conn`
 >
 > {{{
 > $ git grep -n ch.boye.httpclientandroidlib.conn mobile/android/[bs]*
 > mobile/android/base/java/org/mozilla/gecko/util/URIUtils.java:14:import
 ch.boye.httpclientandroidlib.conn.util.InetAddressUtils;
 > }}}

 Only used for parsing a string. This class is only a utility, it doesn't
 create any connections.

 > {{{
 >
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:44:import
 ch.boye.httpclientandroidlib.conn.ClientConnectionManager;
 >
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:45:import
 ch.boye.httpclientandroidlib.conn.params.ConnRoutePNames;
 >
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:46:import
 ch.boye.httpclientandroidlib.conn.scheme.PlainSocketFactory;
 >
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:47:import
 ch.boye.httpclientandroidlib.conn.scheme.Scheme;
 >
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:48:import
 ch.boye.httpclientandroidlib.conn.scheme.SchemeRegistry;
 >
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:49:import
 ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory;
 > }}}

 This is proxy-safe but only because we hard-code the default HTTP proxy.
 `scheme.PlainSocketFactory` and `ssl.SSLSocketFactory` are used for
 establishing a connection to the proxy, instead of the destination.
 `params.ConnRoutePNames` is used for specifying the default proxy.
 `scheme.Scheme`, `scheme.SchemeRegistry`, and `ClientConnectionManager`
 are used during instantiation of the connection manager
 (`ThreadSafeClientConnManager`).

 > {{{
 >
 mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/TLSSocketFactory.java:16:import
 ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory;
 > }}}

 Dead class.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22170#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online