[tbb-bugs] #22170 [Applications/Tor Browser]: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety on Android
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 1 16:42:01 UTC 2018
#22170: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety
on Android
-------------------------------------------------+-------------------------
Reporter: gk | Owner: sysrqb
Type: defect | Status:
| needs_review
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-mobile, | Actual Points:
TorBrowserTeam201808R |
Parent ID: #21863 | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by sysrqb):
Replying to [comment:18 sysrqb]:
> NOTE: this resolved the proxy address using the system DNS resolver
[13]. This shouldn't leak anything, but we don't need this.
> [13] https://gitweb.torproject.org/tor-
browser.git/tree/mobile/android/thirdparty/ch/boye/httpclientandroidlib/impl/conn/DefaultClientConnectionOperator.java?h
=tor-browser-60.1.0esr-8.0-1#n159
This actually uses `java.net.InetAddress.getAllByName()` which resolves a
host name or parses the a literal IP address:
{{{
The host name can either be a machine name, such as "java.sun.com", or a
textual representation of its IP address. If a literal IP address is
supplied, only the validity of the address format is checked.
}}}
https://developer.android.com/reference/java/net/InetAddress.html#getAllByName(java.lang.String)
We are currently hard-coding an IP address, so this should not be a
problem - in theory. The main problem here is we configure the proxy using
an IP address, but that is stored as a string when it is passed around
between the different layers of abstraction as a HTTP parameter. The IP
address-as-a-String is then parsed into a InetAddress when the connection
is created. I see four options here:
1. We leave this as it is and assume this the Android API "does the
right thing"
2. We hard-code the InetAddress at this point in the code, too
3. We modify httpclientandroidlib so the `DEFAULT_PROXY` parameter is
stored as a URI so we never need to reparse the address
4. We copy another IP address parsing implementation and use that
instead of relying on the Android implementation (something like Google
Guava's which provides similar functionality but does not perform name
resolution - `InetAddresses.forString(String)`)
{{{
* <p><b>Important note:</b> Unlike {@code InetAddress.getByName()}, the
methods of this class never
* cause DNS services to be accessed. For this reason, you should prefer
these methods as much as
* possible over their JDK equivalents whenever you are expecting to
handle only IP address string
* literals -- there is no blocking DNS penalty for a malformed string.
}}}
https://github.com/google/guava/blob/master/android/guava/src/com/google/common/net/InetAddresses.java#L128
I'm more in favor or (2) or (4).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22170#comment:27>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list