[tbb-bugs] #34383 [Applications/Tor Browser]: Accept request if GetHost() in mixed content blocking check fails

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 5 09:14:30 UTC 2020 

#34383: Accept request if GetHost() in mixed content blocking check fails
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam202006      |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Description changed by gk:

Old description:

> While reviewing acat's rebase work in #33533 I noticed the following
> block in our patch for #23247:
> {{{
>    if (!parentIsHttps) {
> +    nsAutoCString parentHost;
> +    rv = innerRequestingLocation->GetHost(parentHost);
> +    if (NS_FAILED(rv)) {
> +      NS_ERROR("requestingLocation->GetHost failed");
> +      *aDecision = REJECT_REQUEST;
> +      return NS_OK;
> +    }
> +
> +    bool parentIsOnion =
> +        StringEndsWith(parentHost, NS_LITERAL_CSTRING(".onion"));
> +    if (!parentIsOnion) {
> +      *aDecision = ACCEPT;
> +      return NS_OK;
> +    }
> +  }
> }}}
> The corresponding part in Mozilla's code looks like
> [https://searchfox.org/mozilla-
> esr68/source/dom/security/nsMixedContentBlocker.cpp#748 this]:
> {{{
>   if (!parentIsHttps) {
>     *aDecision = ACCEPT;
>     return NS_OK;
>   }
> }}}
> Mozilla does not even check the host but is accepting requests at this
> point outright while we reject them if `GetHost()` fails.
>
> I wonder whether we should follow them here because I am a little worried
> that we might introduce a subtle bug by diverging from them.
>
> I guess the question is whether it can be the case that we have a .onion
> URL but the `GetHost()` call is failing. Mozilla does not care as there
> is no decision to be made depending on the *host* but the scheme alone in
> this check. However, we do care.
>
> Let's look at that from a different angle: the code block we added is
> essentially a check for a .onion domain: if we don't have one, accept the
> request otherwise pass it on for further checks. Let's look what we do
> elsewhere when checking for a .onion domain, e.g. in
> `IsPotentiallyTrustworthyOnion()`. [https://searchfox.org/mozilla-
> esr68/source/dom/security/nsMixedContentBlocker.cpp#401 There] we have:
> {{{
>  nsAutoCString host;
>   nsresult rv = aURL->GetHost(host);
>   NS_ENSURE_SUCCESS(rv, false);
>   return StringEndsWith(host, NS_LITERAL_CSTRING(".onion"));
> }}}
> This means if the `GetHost()` check fails we say "no, that's not a
> .onion". Following that logic we would get to `parentIsOnion = false` in
> our code block in question and we should `ACCEPT` the request as well in
> case the `GetHost()` call fails.

New description:

 While reviewing acat's rebase work in #33533 I noticed the following block
 in our patch for #23247:
 {{{
    if (!parentIsHttps) {
 +    nsAutoCString parentHost;
 +    rv = innerRequestingLocation->GetHost(parentHost);
 +    if (NS_FAILED(rv)) {
 +      NS_ERROR("requestingLocation->GetHost failed");
 +      *aDecision = REJECT_REQUEST;
 +      return NS_OK;
 +    }
 +
 +    bool parentIsOnion =
 +        StringEndsWith(parentHost, NS_LITERAL_CSTRING(".onion"));
 +    if (!parentIsOnion) {
 +      *aDecision = ACCEPT;
 +      return NS_OK;
 +    }
 +  }
 }}}
 The corresponding part in Mozilla's code looks like [https://searchfox.org
 /mozilla-esr68/source/dom/security/nsMixedContentBlocker.cpp#748 this]:
 {{{
   if (!parentIsHttps) {
     *aDecision = ACCEPT;
     return NS_OK;
   }
 }}}
 Mozilla does not even check the host but is accepting requests at this
 point outright while we reject them if `GetHost()` fails.

 I wonder whether we should follow them here because I am a little worried
 that we might introduce a subtle bug by diverging from them.

 I guess the question is whether it can be the case that we have a .onion
 URL but the `GetHost()` call is failing. Mozilla does not care as there is
 no decision to be made depending on the *host* but the scheme alone in
 this check. However, we do care.

 Let's look at that from a different angle: the code block we added is
 essentially a check for a .onion domain: if we don't have one, accept the
 request otherwise pass it on for further checks. Let's look what we do
 elsewhere when checking for a .onion domain, e.g. in
 `IsPotentiallyTrustworthyOnion()`. [https://searchfox.org/mozilla-
 esr68/source/dom/security/nsMixedContentBlocker.cpp#401 There] we have:
 {{{
   nsAutoCString host;
   nsresult rv = aURL->GetHost(host);
   NS_ENSURE_SUCCESS(rv, false);
   return StringEndsWith(host, NS_LITERAL_CSTRING(".onion"));
 }}}
 This means if the `GetHost()` check fails we say "no, that's not a
 .onion". Following that logic we would get to `parentIsOnion = false` in
 our code block in question and we should `ACCEPT` the request as well in
 case the `GetHost()` call fails.

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34383#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list