[tor-bugs] #33962 [Applications/Tor Browser]: Uplift patch for 5741 (dns leak protection)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 30 16:58:10 UTC 2020


#33962: Uplift patch for 5741 (dns leak protection)
-------------------------------------------------+-------------------------------
 Reporter:  acat                                 |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ReleaseTrainMigration                |  Actual Points:
  TorBrowserTeam202005R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor58
-------------------------------------------------+-------------------------------
Changes (by acat):

 * status:  new => needs_review
 * keywords:  ReleaseTrainMigration => ReleaseTrainMigration
     TorBrowserTeam202005R


Comment:

 I adapted the patch from #5741 to try to upstream it. You can find it in
 https://github.com/acatarineu/tor-browser/commit/33962 (hash).

 I know we briefly discussed having this behind the
 `--enable-proxy-bypass-protection`, but I think there *might* be chances
 for this to be upstreamed as it is now, and be useful for Firefox (it
 wouldn't be for sure if it's behind the proxy bypass flag).

 I made a couple of changes with respect to the original patch. The main one
 is that the patch I attached is checking that both
 `network.proxy.type = MANUAL` and `network.proxy.socks_remote_dns = true`,
 while the current patch only checks
 `network.proxy.socks_remote_dns = true`. I think this
 change is needed to avoid blocking DNS when we should not, for example in
 a situation where a user sets up a SOCKS proxy (enabling DNS through
 socks), and then switches back to 'No proxy', in `about:preferences`. I
 think the patch with these changes is safe enough for Firefox, in the
 sense that it should not result in undesired breakage.

 The question is whether it is also safe for us, in terms of proxy bypass
 protection. My assumption is yes, as the only additional change is that we
 also check for `network.proxy.type`, and we don't support changing this in
 Tor Browser. But I think it's a good idea for this to be reviewed before
 trying to push the patch to Firefox. I added this to 202005, but please
 feel free to re-prioritize.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33962#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
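
The difference between the two checks described in the comment above, as an added example that is not part of the original message or of the patch. The function names and the sample profiles are constructed for illustration; prefs absent from the parsed text are treated as not set, which is an assumption (in a real build the value then comes from the defaults).

```javascript
// Added illustration, not code from the patch. All function names are hypothetical.
const PROXY_TYPE_MANUAL = 1; // Firefox value of network.proxy.type for manual proxy settings

// Parse user_pref("name", value); lines as found in a profile's prefs.js / user.js.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const [, name, raw] of text.matchAll(re)) {
    if (raw === "true" || raw === "false") prefs[name] = raw === "true";
    else if (/^-?\d+$/.test(raw)) prefs[name] = Number(raw);
    else prefs[name] = raw.replace(/^"|"$/g, "");
  }
  return prefs;
}

// Check described for the current patch: remote DNS pref only.
function blocksDnsOriginal(prefs) {
  return prefs["network.proxy.socks_remote_dns"] === true;
}

// Check described for the adapted patch: manual proxy AND remote DNS pref.
function blocksDnsAdapted(prefs) {
  return prefs["network.proxy.type"] === PROXY_TYPE_MANUAL &&
         prefs["network.proxy.socks_remote_dns"] === true;
}

// Evaluate both checks against the same pref text.
function compare(text) {
  const p = parsePrefs(text);
  return { original: blocksDnsOriginal(p), adapted: blocksDnsAdapted(p) };
}

// Constructed sample: SOCKS proxy configured and in use.
const SOCKS_ACTIVE = `
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
`;

// Constructed sample: user switched back to 'No proxy' (type 0);
// the SOCKS prefs are still present in the profile.
const SWITCHED_TO_NO_PROXY = `
user_pref("network.proxy.type", 0);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", true);
`;
```

The two checks agree while the SOCKS proxy is active and differ only for the 'No proxy' profile, where the single-pref check would still block DNS.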