[tbb-commits] [tor-browser/tor-browser-52.1.0esr-7.0-2] fixup! Bug #4234: Use the Firefox Update Process for Tor Browser.

gk at torproject.org gk at torproject.org
Fri May 12 21:04:22 UTC 2017


commit d5211d99de2f37fc3e21329fd32fe80bcc663d37
Author: Kathy Brade <brade at pearlcrescent.com>
Date:   Thu May 11 15:37:54 2017 -0400

    fixup! Bug #4234: Use the Firefox Update Process for Tor Browser.
    
    Disable the updater's OSX privilege elevation feature. If the user
    does not have write permission to the .app directory, they will be
    prompted to download a new copy of the browser. Fixes bug 21940.
    
    As defense-in-depth measures, we also removed the code that is
    used by Firefox to launch an OSX process with administrator privileges
    as well as the extra copy of the updater executable that was located
    under TorBrowser.app/Contents/Library/LaunchServices/.
---
 browser/app/Makefile.in                           |  3 +++
 browser/installer/package-manifest.in             |  2 ++
 toolkit/mozapps/update/nsUpdateService.js         | 10 ++++++++++
 toolkit/mozapps/update/updater/launchchild_osx.mm |  2 ++
 toolkit/mozapps/update/updater/updater.cpp        | 10 ++++++++++
 toolkit/xre/MacLaunchHelper.h                     |  2 ++
 toolkit/xre/MacLaunchHelper.mm                    |  2 ++
 toolkit/xre/nsUpdateDriver.cpp                    |  4 ++++
 8 files changed, 35 insertions(+)

diff --git a/browser/app/Makefile.in b/browser/app/Makefile.in
index 1fe7676..1fbdc1e 100644
--- a/browser/app/Makefile.in
+++ b/browser/app/Makefile.in
@@ -86,9 +86,12 @@ tools repackage:: $(DIST)/bin/$(MOZ_APP_NAME)
 	$(RM) $(dist_dest)/Contents/MacOS/$(MOZ_APP_NAME)
 	rsync -aL $(DIST)/bin/$(MOZ_APP_NAME) $(dist_dest)/Contents/MacOS
 	cp -RL $(DIST)/branding/firefox.icns $(dist_dest)/Contents/Resources/firefox.icns
+
 	cp -RL $(DIST)/branding/document.icns $(dist_dest)/Contents/Resources/document.icns
+ifndef TOR_BROWSER_UPDATE
 	$(MKDIR) -p $(dist_dest)/Contents/Library/LaunchServices
 	mv -f $(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater $(dist_dest)/Contents/Library/LaunchServices
 	ln -s ../../../../Library/LaunchServices/org.mozilla.updater $(dist_dest)/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater
+endif
 	printf APPLTORB > $(dist_dest)/Contents/PkgInfo
 endif
diff --git a/browser/installer/package-manifest.in b/browser/installer/package-manifest.in
index 8192f93..43c89a9 100644
--- a/browser/installer/package-manifest.in
+++ b/browser/installer/package-manifest.in
@@ -35,7 +35,9 @@
 #ifdef XP_MACOSX
 ; Mac bundle stuff
 @APPNAME@/Contents/Info.plist
+#ifndef TOR_BROWSER_UPDATE
 @APPNAME@/Contents/Library/LaunchServices
+#endif
 @APPNAME@/Contents/PkgInfo
 @RESPATH@/firefox.icns
 @RESPATH@/document.icns
diff --git a/toolkit/mozapps/update/nsUpdateService.js b/toolkit/mozapps/update/nsUpdateService.js
index 8abc55a..59c36e8 100644
--- a/toolkit/mozapps/update/nsUpdateService.js
+++ b/toolkit/mozapps/update/nsUpdateService.js
@@ -378,6 +378,11 @@ function areDirectoryEntriesWriteable(aDir) {
  * @return true if elevation is required, false otherwise
  */
 function getElevationRequired() {
+#if defined(TOR_BROWSER_UPDATE)
+  // To avoid potential security holes associated with running the updater
+  // process with elevated privileges, Tor Browser does not support elevation.
+  return false;
+#else
   if (AppConstants.platform != "macosx") {
     return false;
   }
@@ -401,6 +406,7 @@ function getElevationRequired() {
   LOG("getElevationRequired - able to write to application bundle, elevation " +
       "not required");
   return false;
+#endif
 }
 
 /**
@@ -1203,6 +1209,9 @@ function handleUpdateFailure(update, errorCode) {
     cancelations++;
     Services.prefs.setIntPref(PREF_APP_UPDATE_CANCELATIONS, cancelations);
     if (AppConstants.platform == "macosx") {
+#if defined(TOR_BROWSER_UPDATE)
+      cleanupActiveUpdate();
+#else
       let osxCancelations = getPref("getIntPref",
                                   PREF_APP_UPDATE_CANCELATIONS_OSX, 0);
       osxCancelations++;
@@ -1219,6 +1228,7 @@ function handleUpdateFailure(update, errorCode) {
         writeStatusFile(getUpdatesDir(),
                         update.state = STATE_PENDING_ELEVATE);
       }
+#endif
       update.statusText = gUpdateBundle.GetStringFromName("elevationFailure");
       update.QueryInterface(Ci.nsIWritablePropertyBag);
       update.setProperty("patchingFailed", "elevationFailure");
diff --git a/toolkit/mozapps/update/updater/launchchild_osx.mm b/toolkit/mozapps/update/updater/launchchild_osx.mm
index 97e31b9..749cb1f 100644
--- a/toolkit/mozapps/update/updater/launchchild_osx.mm
+++ b/toolkit/mozapps/update/updater/launchchild_osx.mm
@@ -284,6 +284,7 @@ bool ObtainUpdaterArguments(int* argc, char*** argv)
 
 @end
 
+#ifndef TOR_BROWSER_UPDATE
 bool ServeElevatedUpdate(int argc, const char** argv)
 {
   MacAutoreleasePool pool;
@@ -300,6 +301,7 @@ bool ServeElevatedUpdate(int argc, const char** argv)
   [updater release];
   return didSucceed;
 }
+#endif
 
 bool IsOwnedByGroupAdmin(const char* aAppBundle)
 {
diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
index 1bc4867..bf4a4bb 100644
--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -83,7 +83,9 @@ bool IsRecursivelyWritable(const char* aPath);
 void LaunchChild(int argc, const char** argv);
 void LaunchMacPostProcess(const char* aAppBundle);
 bool ObtainUpdaterArguments(int* argc, char*** argv);
+#ifndef TOR_BROWSER_UPDATE
 bool ServeElevatedUpdate(int argc, const char** argv);
+#endif
 void SetGroupOwnershipAndPermissions(const char* aAppBundle);
 struct UpdateServerThreadArgs
 {
@@ -2913,11 +2915,15 @@ UpdateThreadFunc(void *param)
 static void
 ServeElevatedUpdateThreadFunc(void* param)
 {
+#ifdef TOR_BROWSER_UPDATE
+  WriteStatusFile(ELEVATION_CANCELED);
+#else
   UpdateServerThreadArgs* threadArgs = (UpdateServerThreadArgs*)param;
   gSucceeded = ServeElevatedUpdate(threadArgs->argc, threadArgs->argv);
   if (!gSucceeded) {
     WriteStatusFile(ELEVATION_CANCELED);
   }
+#endif
   QuitProgressUI();
 }
 
@@ -2986,7 +2992,11 @@ int NS_main(int argc, NS_tchar **argv)
 
 #ifdef XP_MACOSX
   bool isElevated =
+#ifdef TOR_BROWSER_UPDATE
+    false;
+#else
     strstr(argv[0], "/Library/PrivilegedHelperTools/org.mozilla.updater") != 0;
+#endif
   if (isElevated) {
     if (!ObtainUpdaterArguments(&argc, &argv)) {
       // Won't actually get here because ObtainUpdaterArguments will terminate
diff --git a/toolkit/xre/MacLaunchHelper.h b/toolkit/xre/MacLaunchHelper.h
index 08035c5..46e1570 100644
--- a/toolkit/xre/MacLaunchHelper.h
+++ b/toolkit/xre/MacLaunchHelper.h
@@ -17,7 +17,9 @@ extern "C" {
    * pid of the terminated process to confirm that it executed successfully.
    */
   void LaunchChildMac(int aArgc, char** aArgv, pid_t* aPid = 0);
+#ifndef TOR_BROWSER_UPDATE
   bool LaunchElevatedUpdate(int aArgc, char** aArgv, pid_t* aPid = 0);
+#endif
 }
 
 #endif
diff --git a/toolkit/xre/MacLaunchHelper.mm b/toolkit/xre/MacLaunchHelper.mm
index 0dadb8d..84e28a4 100644
--- a/toolkit/xre/MacLaunchHelper.mm
+++ b/toolkit/xre/MacLaunchHelper.mm
@@ -43,6 +43,7 @@ void LaunchChildMac(int aArgc, char** aArgv, pid_t* aPid)
   }
 }
 
+#ifndef TOR_BROWSER_UPDATE
 BOOL InstallPrivilegedHelper()
 {
   AuthorizationRef authRef = NULL;
@@ -135,3 +136,4 @@ bool LaunchElevatedUpdate(int aArgc, char** aArgv, pid_t* aPid)
   }
   return didSucceed;
 }
+#endif
diff --git a/toolkit/xre/nsUpdateDriver.cpp b/toolkit/xre/nsUpdateDriver.cpp
index 3abbf7f..b87c84e 100644
--- a/toolkit/xre/nsUpdateDriver.cpp
+++ b/toolkit/xre/nsUpdateDriver.cpp
@@ -1114,6 +1114,7 @@ ApplyUpdate(nsIFile *greDir, nsIFile *updateDir, nsIFile *statusFile,
 #ifdef DEBUG
   dump_argv("ApplyUpdate after SetupMacCommandLine", argv, argc);
 #endif
+#ifndef TOR_BROWSER_UPDATE
   // We need to detect whether elevation is required for this update. This can
   // occur when an admin user installs the application, but another admin
   // user attempts to update (see bug 394984).
@@ -1124,12 +1125,15 @@ ApplyUpdate(nsIFile *greDir, nsIFile *updateDir, nsIFile *statusFile,
     }
     exit(0);
   } else {
+#endif
     if (restart) {
       LaunchChildMac(argc, argv);
       exit(0);
     }
     LaunchChildMac(argc, argv, outpid);
+#ifndef TOR_BROWSER_UPDATE
   }
+#endif
 #else
   *outpid = PR_CreateProcess(updaterPath.get(), argv, nullptr, nullptr);
   if (restart) {



More information about the tbb-commits mailing list