[tor-bugs] #25147 [Applications/Tor Browser]: Backport of fix shipped in Firefox 58.0.1?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 7 19:28:37 UTC 2018 

#25147: Backport of fix shipped in Firefox 58.0.1?
--------------------------------------+------------------------------
 Reporter:  gk                        |          Owner:  pospeselr
     Type:  task                      |         Status:  needs_review
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201803R     |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+------------------------------

Comment (by gk):

 Replying to [comment:6 mcs]:
 > Replying to [comment:5 gk]:
 > > Thanks, looks good to me.
 >
 > Kathy and I also reviewed the backported patch and we think it is okay.
 We do have a couple of questions:
 > * Did we look at the "depends on" bug list from
 https://bugzilla.mozilla.org/show_bug.cgi?id=1432966? Maybe that explains
 some of the differences between the mozilla-central patch and the release
 one; for example, I just checked and the fix for
 https://bugzilla.mozilla.org/show_bug.cgi?id=1433414 is present.

 Yes, I did that during the review and I think basically all the
 differences between the m-c and the m-r patch can be explained that way.

 > * The changes to `devtools/client/responsive.html/components/Browser.js`
 are missing. Do we need them? I guess the equivalent file in ESR52 is
 browser.js (with a lowercase-B).

 Good question and nice catch! I have not checked the source but it does
 not seem to be unreasonable.

 > > I wonder whether we have some means to find out if there are instances
 of this problem that are solely on the ESR 52 branch which Mozilla did not
 deem worth enough to write a defense-in-depth for. But anyway, that should
 give us at least the protections available on -release.
 >
 > I think the only method is to look at all occurrences of `innerHTML =`,
 and that is a painful exercise. Kathy and I started that task and found
 some things that are in ESR52 but not in mozilla-central. Unfortunately,
 we had to give up after only getting part way through the huge list of
 files that need to be examined (we stopped somewhere in the d's, just
 after 'devtools'). For the record, here are the files we did find that
 contain `innerHTML =` statements that look like they should be patched:
 >  browser/base/content/newtab/sites.js
 >  browser/components/customizableui/CustomizeMode.jsm
 >  browser/components/syncedtabs/SyncedTabsDeckView.js

 I could ask one of the Moz engineers whether there is a better way. IIRC
 there is somewhere a doc where the listed all the things they checked wrt
 ESR 52.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25147#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list