[tor-bugs] #18101 [Applications/Tor Browser]: IP leak from Windows/macOS UI dialog with URI
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 31 21:07:23 UTC 2019
#18101: IP leak from Windows/macOS UI dialog with URI
----------------------------------------------------------------+-------------------------
Reporter: uileak                                                | Owner: arthuredelstein
Type: defect                                                    | Status: needs_revision
Priority: Medium                                                | Milestone:
Component: Applications/Tor Browser                             | Version:
Severity: Major                                                 | Resolution:
Keywords: tbb-disk-leak, tbb-proxy-bypass, TorBrowserTeam201907 | Actual Points:
Parent ID:                                                      | Points:
Reviewer:                                                       | Sponsor:
----------------------------------------------------------------+-------------------------
Changes (by pospeselr):
* status: needs_review => needs_revision
* keywords: tbb-disk-leak, tbb-proxy-bypass, TorBrowserTeam201907R =>
  tbb-disk-leak, tbb-proxy-bypass, TorBrowserTeam201907
Comment:
Tested the patch on Windows 10 by attempting to upload the remote URI
http://example.com/index.html to https://share.riseup.net.
On both current vanilla Tor Browser and one built with the patch, a DNS
request is leaked after the user attempts to open the remote URI by
clicking the 'open' button in the File Dialog. Then, there's a
back-and-forth negotiation via HTTP requests (OPTIONS, PROPFIND). On the
vanilla Tor Browser, after a successful negotiation, the remote URI is
downloaded via an HTTP GET request. The patched Tor Browser does not
ultimately download the file (but it does do the DNS request and attempts
the HTTP negotiation).
The patch does not fix this issue on Windows.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18101#comment:92>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online