[tbb-bugs] #25851 [Applications/Tor Browser]: TBA - Make sure third-party code is proxy safe
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 19 19:40:07 UTC 2018
#25851: TBA - Make sure third-party code is proxy safe
-------------------------------------+-------------------------------------
 Reporter:      sysrqb                   | Owner:     tbb-team
 Type:          defect                   | Status:    new
 Priority:      Medium                   | Milestone:
 Component:     Applications/Tor Browser | Version:
 Severity:      Normal                   | Keywords:  tbb-mobile, tbb-proxy-bypass
 Actual Points:                          | Parent ID: #21863
 Points:                                 | Reviewer:
 Sponsor:       Sponsor4                 |
-------------------------------------+-------------------------------------
It looks like `Picasso` (for image download and rendering) creates
connections that aren't proxy safe. There is other third-party code that
does this, as well, but we should never use `leanplum` (telemetry). We
should audit `httpclientandroidlib` and confirm the connections are
correctly proxying.
{{{
$ git grep -n openConnection\( mobile/android/thirdparty/
mobile/android/thirdparty/ch/boye/httpclientandroidlib/conn/ClientConnectionOperator.java:78: void openConnection(OperatedClientConnection conn,
mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java:144: public void openConnection(
mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/ManagedClientConnectionImpl.java:304: this.operator.openConnection(
mobile/android/thirdparty/com/leanplum/internal/SocketIOClient.java:82: HttpURLConnection connection = (HttpURLConnection) url.openConnection();
mobile/android/thirdparty/com/leanplum/internal/Util.java:540: HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
mobile/android/thirdparty/com/squareup/picasso/UrlConnectionDownloader.java:46: protected HttpURLConnection openConnection(Uri path) throws IOException {
mobile/android/thirdparty/com/squareup/picasso/UrlConnectionDownloader.java:47: HttpURLConnection connection = (HttpURLConnection) new URL(path.toString()).openConnection();
mobile/android/thirdparty/com/squareup/picasso/UrlConnectionDownloader.java:58: HttpURLConnection connection = openConnection(uri);
}}}
This isn't the only offending method; we should audit these thoroughly.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25851>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
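
Added example, not part of the ticket or of Tor Browser's code: a Python audit pass that goes one step beyond the `git grep` above by separating method declarations from calls and flagging calls to `openConnection()` that pass no argument, including calls wrapped across lines. Treating an explicit `java.net.Proxy` argument as the pattern to look for is an assumption of this example, and the Java in `SAMPLE` is constructed.

```python
import re
import sys
from pathlib import Path

# String literals are matched first so "//" inside a URL is not read as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)
# A method *call* (leading dot); group 1 is ")" only for the zero-argument form.
_CALL = re.compile(r'\.\s*openConnection\s*\(\s*(\)?)')

def _blank_comments(src):
    """Replace comments with spaces, keeping newlines so line numbers stay valid."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r'[^\n]', ' ', text)
    return _TOKEN.sub(repl, src)

def audit_source(src):
    """Return (line, kind) per call: 'no-proxy-arg', or 'has-args' for manual review."""
    code = _blank_comments(src)
    hits = []
    for m in _CALL.finditer(code):
        line = code.count('\n', 0, m.start()) + 1
        hits.append((line, 'no-proxy-arg' if m.group(1) else 'has-args'))
    return hits

def audit_tree(root):
    """Scan every .java file under root; return {path: hits} for files with hits."""
    out = {}
    for path in sorted(Path(root).rglob('*.java')):
        hits = audit_source(path.read_text(encoding='utf-8', errors='replace'))
        if hits:
            out[str(path)] = hits
    return out

# Constructed sample modelled on the grep hits in the ticket (not real project code).
SAMPLE = '''\
// constructed sample
class Sample {
  protected HttpURLConnection openConnection(Uri path, Proxy proxy) throws IOException {
    HttpURLConnection c = (HttpURLConnection) new
        URL(path.toString()).openConnection();
    new URL("https://example.invalid/a").openConnection();
    // url.openConnection() in a comment must not be reported
    return (HttpURLConnection) c.getURL().openConnection(proxy);
  }
}
'''

if __name__ == '__main__':
    result = audit_tree(sys.argv[1]) if len(sys.argv) > 1 else {'SAMPLE': audit_source(SAMPLE)}
    for name, hits in result.items():
        for line, kind in hits:
            print(f'{name}:{line}: {kind}')
```

A `has-args` hit only means the call passes something; whether that argument is the intended proxy still has to be checked by reading the code.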