[tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
    Tor Bug Tracker & Wiki 
    torproject-admin at torproject.org
       
    Thu Dec  9 17:59:29 UTC 2010
    
    
  
#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
 Reporter:  dkg                   |       Owner:  pde     
     Type:  defect                |      Status:  accepted
 Priority:  major                 |   Milestone:          
Component:  EFF-HTTPS Everywhere  |     Version:          
 Keywords:                        |      Parent:          
----------------------------------+-----------------------------------------
Comment(by rransom):
 Replying to [comment:6 pde]:
 > 4. Per rransom's suggestion, move to something like agl's proposed
 > chromium syntax.
 > https://mail1.eff.org/pipermail/https-everywhere/2010-November/000545.html.
 > There are several downsides to that.
 The only downside is that you will need to convert all of the existing
 rulesets to the new format.  This time, add an XML namespace URI and/or
 some other version indicator.
 But the real reason this is necessary is (quoting agl's message):
 > Serialising and re-parsing URLs is very scary from a security point of
 > view. It would be greatly preferable to handle URLs in their processed
 > form.
 If we don't start operating on parsed URLs, we can only expect more
 exploitable bugs like this one in the future.
 Since Firefox extensions can use arbitrary JavaScript code to munge URL
 requests before they are acted on, HTTPS Everywhere rules can easily
 continue to support matching URL components against regular expressions
 and inserting captured strings into any component of the new URL.
-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
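
The contrast drawn in the comment above, as an added example that is not part of the original message or of HTTPS Everywhere's code: one constructed rewrite rule applied first as a regex over the serialized URL string, then to the hostname of the parsed URL. The host example.org, the function names and every sample URL are assumptions made for illustration.

```javascript
// Added example. The rule, the host example.org and all sample URLs are constructed.

// Style 1: regex over the serialized URL string; [^/:@]+ stands for "a subdomain".
const STRING_RULE = /^http:\/\/([^\/:@]+\.)?example\.org\//;

function rewriteSerialized(urlString) {
  // null means the rule did not fire and the request stays on plain HTTP.
  return STRING_RULE.test(urlString) ? urlString.replace(/^http:/, "https:") : null;
}

// Style 2: parse once, then match each component separately.
const HOST_RULE = /^([^.]+\.)?example\.org$/;

function rewriteParsed(urlString) {
  let u;
  try {
    u = new URL(urlString); // WHATWG parser: lowercases scheme/host, drops default port
  } catch (e) {
    return null; // unparseable input is never rewritten
  }
  if (u.protocol !== "http:" || u.port !== "") return null; // default port only
  if (!HOST_RULE.test(u.hostname)) return null;
  u.protocol = "https:";
  return u.href;
}

// Constructed inputs: the first four name the same origin, the last two do not.
const SAMPLES = [
  "http://www.example.org/path",
  "http://user@www.example.org/path", // userinfo before the host
  "http://www.example.org:80/path",   // explicit default port
  "HTTP://WWW.EXAMPLE.ORG/path",      // case differences
  "http://example.org@evil.test/",    // lookalike: example.org is only userinfo
  "http://example.org.evil.test/",    // lookalike: example.org is only a prefix
];

// URLs the string rule leaves on HTTP although the parsed rule covers them.
function missedBySerializedRule(urls) {
  return urls.filter((s) => rewriteSerialized(s) === null && rewriteParsed(s) !== null);
}

for (const s of SAMPLES) {
  console.log(s, "| string:", rewriteSerialized(s), "| parsed:", rewriteParsed(s));
}
```

The parsed form also rejects both lookalike hosts, because the hostname is matched as a whole rather than located inside a longer string.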
    
    