[tor-bugs] #30957 [Applications/Tor Browser]: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 7 08:38:59 UTC 2019
#30957: Allow '.asc' files to be downloaded using Tor browser (PGP ascii)
--------------------------------------+-----------------------------------
 Reporter:  torlove                   |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------
Comment (by torlove):
Thanks cypherpunks,

At what point is it parsed? Would it be parsed by Firefox (and by
extension the Tor Browser) and so therefore cause a vulnerability in the
browser? Is there a method of parsing a '.asc' file without introducing a
'.asc' vulnerability?

If this is an issue then it needs to be solved upstream as a matter of
some urgency, yes?

Using a '.asc' file is supposed to be far more secure than a non ascii-
armoured file, because the character space is far more limited, and thus
we should be able to ensure that remote code cannot be delivered and
executed. I'm not an expert in this field and how to specifically deal with
buffer overruns and such, but surely, any and all file type downloads need
to account for this vulnerability, not just text files (or in this
specific case, '.asc' files).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30957#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online