[tbb-bugs] #23044 [Applications/Tor Browser]: Don't allow GIO supported protocols by default (was: Replace stdole2.tlb with our own during build time)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 27 21:26:45 UTC 2017


#23044: Don't allow GIO supported protocols by default
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  closed
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Blocker                   |     Resolution:  fixed
 Keywords:  tbb-proxy-bypass          |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by gk):

 * status:  new => closed
 * priority:  Medium => Immediate
 * keywords:  tbb-gitian => tbb-proxy-bypass
 * resolution:   => fixed
 * severity:  Normal => Blocker


Old description:

> The mingw-w64 repo contains the binary `stdole2.tlb` which is needed for
> building Tor Browser (see: 17e09279acf8b7f44d731c9a65541a474af4f1b5). It
> turns out we can do better than relying on that binary blob and create
> that typelib during build time.

New description:

 Firefox allows passing URLs along to the OS (by a whitelist) which is
 dangerous. We should avoid that.

--

Comment:

 Fixes pushed to `tor-browser-52.2.0esr-7.5-1` (commit
 a96f898e0da42de751a5e1367a9899cc96fadb1f) and
 `tor-browser-52.2.0esr-7.0-1` (commit
 720f9061496321aa978d2f022113c40e9aeb4847). They will show up in the next
 releases, 7.0.3 and 7.5a3.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23044#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

