[tor-commits] [sandboxed-tor-browser/master] Enforce the patch size against that listed in the update XML metadata.

yawning at torproject.org
Sat Jan 7 19:58:03 UTC 2017


commit 613100ac446b405698e7927b352f1877319be05e
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Sat Jan 7 19:52:50 2017 +0000

    Enforce the patch size against that listed in the update XML metadata.
    
    This is more defense in depth than anything else since the patch's
    signature is checked, and the update XML file is what I consider
    semi-trusted (fetched from a source that's cryptographically
    authenticated either via HPKP or a `.onion`, but not signed on its
    own).
    
    It is however the sensible thing to do since SHA512 is susceptible to
    length-extension attacks.
---
 ChangeLog                                           | 1 +
 src/cmd/sandboxed-tor-browser/internal/ui/update.go | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 7b7f170..8ca4df4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,7 @@ Changes in version 0.0.3 - UNRELEASED:
    on certain pages.
  * Bug 20973: Silence Gdk warnings on systems with integrated png loader.
  * Bug 20806: Try even harder to exclude gstreamer.
+ * Enforce the patch size against that listed in the update XML metadata.
  * Minor tweaks to the "something in progress" dialog box.
  * Disable the firefox safe mode prompt, because it is nonsensical when
    applied to Tor Browser.
diff --git a/src/cmd/sandboxed-tor-browser/internal/ui/update.go b/src/cmd/sandboxed-tor-browser/internal/ui/update.go
index da69562..9509c5c 100644
--- a/src/cmd/sandboxed-tor-browser/internal/ui/update.go
+++ b/src/cmd/sandboxed-tor-browser/internal/ui/update.go
@@ -145,6 +145,12 @@ func (c *Common) FetchUpdate(async *Async, patch *installer.Patch) []byte {
 	log.Printf("update: Validating Tor Browser Update.")
 	async.UpdateProgress("Validating Tor Browser Update.")
 
+	// Validate the size against that listed in the XML file.
+	if len(mar) != patch.Size {
+		async.Err = fmt.Errorf("downloaded patch size does not match patch metadata")
+		return nil
+	}
+
 	// Validate the hash against that listed in the XML file.
 	expectedHash, err := hex.DecodeString(patch.HashValue)
 	if err != nil {
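
Review bot: the new size check in FetchUpdate compares len(mar) against patch.Size only after the whole patch is already in memory, so it rejects a mismatched file but does not limit how much is downloaded or buffered first. If the fetch code above this hunk (not visible here) does not already cap the response, patch.Size could be passed down as the read limit so that an oversized response is cut off early. The error string would also be easier to act on if it carried both values, for example "downloaded patch size %d does not match patch metadata %d" with len(mar) and patch.Size, and the comment could say that this is defense in depth ahead of the hash and signature checks, as the commit message explains.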


