[tor-commits] [torbutton/master] Bug 16917: Allow users to more easily set a non-tor SSH proxy.

gk at torproject.org gk at torproject.org
Fri Mar 4 10:24:21 UTC 2016


commit 06800f1c9c0a3c2adf850f9ad70e7ee8c3e645d0
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Thu Feb 18 14:22:47 2016 -0800

    Bug 16917: Allow users to more easily set a non-tor SSH proxy.
    
    Creates a hidden torbutton pref, which if set, allows Tor Browser to work with
    non-Tor proxies (by disabling our use of SOCKS u+p auth).
    
    Enabling this pref also enables NoScript ABE (to prevent proxied connections
    from hitting localhost/RFC1918) and executes New Identity.
---
 src/chrome/content/torbutton.js         | 40 ++++++++++++++++++++++++++++++++-
 src/chrome/content/torbutton_util.js    |  4 ++++
 src/components/domain-isolator.js       | 21 +++++++++++++++++
 src/defaults/preferences/preferences.js |  1 +
 4 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/src/chrome/content/torbutton.js b/src/chrome/content/torbutton.js
index bf45fea..ce49a57 100644
--- a/src/chrome/content/torbutton.js
+++ b/src/chrome/content/torbutton.js
@@ -233,6 +233,9 @@ var torbutton_unique_pref_observer =
             case "extensions.torbutton.block_disk":
                 torbutton_update_disk_prefs();
                 break;
+            case "extensions.torbutton.use_nontor_proxy":
+                torbutton_use_nontor_proxy();
+                break;
             case "extensions.torbutton.resist_fingerprinting":
             case "extensions.torbutton.spoof_english":
                 torbutton_update_fingerprinting_prefs();
@@ -2004,11 +2007,41 @@ function torbutton_clear_image_caches()
   }
 }
 
+/* Called when we switch the use_nontor_proxy pref in either direction.
+ *
+ * Enables/disables domain isolation and NoScript ABE, and then does
+ * new identity
+ */
+function torbutton_use_nontor_proxy()
+{
+  let nontor_mode = m_tb_prefs.getBoolPref("extensions.torbutton.use_nontor_proxy");
+  let domainIsolator = Cc["@torproject.org/domain-isolator;1"]
+      .getService(Ci.nsISupports).wrappedJSObject;
+
+  if (m_tb_prefs.getBoolPref("extensions.torbutton.use_nontor_proxy")) {
+    // We need to enable ABE because non-tor proxies won't reject localhost
+    // and RFC1918, and we should block them. (The default ABE policy does this).
+    m_tb_prefs.setBoolPref("noscript.ABE.enabled", true);
+
+    // Disable domain isolation
+    domainIsolator.disableIsolation();
+  } else {
+    m_tb_prefs.setBoolPref("noscript.ABE.enabled", false);
+
+    domainIsolator.enableIsolation();
+  }
+
+  // Always reset our identity if the proxy has changed from tor
+  // to non-tor.
+  torbutton_do_new_identity();
+}
+
 function torbutton_do_tor_check()
 {
   let checkSvc = Cc["@torproject.org/torbutton-torCheckService;1"]
                    .getService(Ci.nsISupports).wrappedJSObject;
   if (checkSvc.kCheckNotInitiated != checkSvc.statusOfTorCheck ||
+      m_tb_prefs.getBoolPref("extensions.torbutton.use_nontor_proxy") ||
       !m_tb_prefs.getBoolPref("extensions.torbutton.test_enabled"))
     return; // Only do the check once.
 
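Review bot: In `torbutton_use_nontor_proxy()` the `else` branch writes `noscript.ABE.enabled` to `false` unconditionally, so a user who had turned ABE on themselves loses that protection the first time the pref is toggled back. Consider remembering the previous value, or leaving ABE untouched on the way back to Tor. The local `nontor_mode` is assigned and never used while the pref is read a second time in the condition, so `if (nontor_mode) {` would do. The comment above `torbutton_do_new_identity()` says "from tor to non-tor", but the call runs in both directions, as the function's header comment states.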
@@ -3161,7 +3194,12 @@ function torbutton_close_window(event) {
         var enumerator = wm.getEnumerator("navigator:browser");
         while(enumerator.hasMoreElements()) {
             var win = enumerator.getNext();
-            if(win != window) {
+            // For some reason, when New Identity is called from a pref
+            // observer (ex: torbutton_use_nontor_proxy) on an ASAN build,
+            // we sometimes don't have this symbol set in the new window yet.
+            // However, the new window will run this init later in that case,
+            // as it does in the OSX case.
+            if(win != window && "torbutton_do_main_window_startup" in win) {
                 torbutton_log(3, "Found another window");
                 win.torbutton_do_main_window_startup();
                 m_tb_is_main_window = false;
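Review bot: The new `"torbutton_do_main_window_startup" in win` guard skips a window silently, which makes the race described in the comment hard to diagnose later. A log line on the skipped path, such as `torbutton_log(3, "Window not initialized yet, skipping");`, would help. The test also only checks that the property exists; `typeof win.torbutton_do_main_window_startup == "function"` states the intent more exactly. The loop and the rest of `torbutton_close_window` continue outside the hunk, so whether another window is tried afterwards is not visible here.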
diff --git a/src/chrome/content/torbutton_util.js b/src/chrome/content/torbutton_util.js
index 1ec6dcc..68276d0 100644
--- a/src/chrome/content/torbutton_util.js
+++ b/src/chrome/content/torbutton_util.js
@@ -148,6 +148,10 @@ function torbutton_check_status() {
         return false;
     }
 
+    if (torprefs.getBoolPref("use_nontor_proxy")) {
+        return true;
+    }
+
     if (torbutton_check_socks_remote_dns())
          remote_dns = liveprefs.getBoolPref("socks_remote_dns");
     else
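Review bot: The early `return true` in `torbutton_check_status()` comes before the `socks_remote_dns` comparison that follows it, so in non-Tor proxy mode the function returns true even if remote DNS has been switched off. Name lookups that bypass the proxy matter for a non-Tor SOCKS proxy as well, so it may be safer to place the shortcut after the remote-DNS check. Failing that, a comment such as `// Non-tor proxy: the Tor-specific checks below are skipped on purpose` would state what is intentionally bypassed. The rest of the function lies outside the hunk, so which other checks are skipped cannot be confirmed from here.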
diff --git a/src/components/domain-isolator.js b/src/components/domain-isolator.js
index 93c7f65..caf45cf 100644
--- a/src/components/domain-isolator.js
+++ b/src/components/domain-isolator.js
@@ -53,6 +53,10 @@ let tor = tor || {};
 // A mutable map that records what nonce we are using for each domain.
 tor.noncesForDomains = {};
 
+// __tor.isolationEabled__.
+// A bool that controls if we use SOCKS auth for isolation or not.
+tor.isolationEnabled = true;
+
 // __tor.unknownDirtySince__.
 // Specifies when the current catch-all circuit was first used
 tor.unknownDirtySince = Date.now();
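Review bot: The header comment for the new flag misspells its name: `// __tor.isolationEabled__.` should read `// __tor.isolationEnabled__.` so that a search for the identifier finds its description. The second comment line could also state the default and who changes it, for example `// Defaults to true; cleared while extensions.torbutton.use_nontor_proxy is set.`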
@@ -96,6 +100,9 @@ tor.newCircuitForDomain = function(domain) {
 // combination.
 tor.isolateCircuitsByDomain = function () {
   mozilla.registerProxyChannelFilter(function (aChannel, aProxy) {
+    if (!tor.isolationEnabled)
+      return aProxy;
+
     try {
       let channel = aChannel.QueryInterface(Ci.nsIChannel),
           firstPartyURI = mozilla.thirdPartyUtil.getFirstPartyURIFromChannel(channel, true)
@@ -145,6 +152,12 @@ DomainIsolator.prototype = {
   observe: function (subject, topic, data) {
     if (topic === "profile-after-change") {
       logger.eclog(3, "domain isolator: set up isolating circuits by domain");
+
+      let prefs =  Cc["@mozilla.org/preferences-service;1"]
+          .getService(Ci.nsIPrefBranch);
+      if (prefs.getBoolPref("extensions.torbutton.use_nontor_proxy")) {
+        tor.isolationEnabled = false;
+      }
       tor.isolateCircuitsByDomain();
     }
   },
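Review bot: On `profile-after-change` only circuit isolation follows the pref; nothing here makes sure `noscript.ABE.enabled` is on. The localhost/RFC1918 protection therefore depends on the pref observer in torbutton.js having run when the pref was flipped. If `extensions.torbutton.use_nontor_proxy` is set while the browser is not running (for example through a user.js file), the observer presumably never fires and the browser would start with isolation off and ABE still disabled. Asserting it here as well, `prefs.setBoolPref("noscript.ABE.enabled", true);` inside the `if`, would close that gap, though whether NoScript picks the value up at this point needs checking.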
@@ -152,6 +165,14 @@ DomainIsolator.prototype = {
     tor.newCircuitForDomain(domain);
   },
 
+  enableIsolation: function() {
+    tor.isolationEnabled = true;
+  },
+
+  disableIsolation: function() {
+    tor.isolationEnabled = false;
+  },
+
   wrappedJSObject: null
 };
 
diff --git a/src/defaults/preferences/preferences.js b/src/defaults/preferences/preferences.js
index 46bfc0e..548f4ed 100644
--- a/src/defaults/preferences/preferences.js
+++ b/src/defaults/preferences/preferences.js
@@ -33,6 +33,7 @@ pref("extensions.torbutton.test_failed",false);
 pref("extensions.torbutton.no_proxies_on","");
 pref("extensions.torbutton.versioncheck_url","https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions");
 pref("extensions.torbutton.versioncheck_enabled",true);
+pref("extensions.torbutton.use_nontor_proxy",false);
 
 // XXX: wtf prefs? These seem not actually connected, but govern
 // if user wants own tor proxy settings




