[tor-bugs] #5742 [Firefox Patch Issues]: Fix image cache url isolation

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Jul 13 00:56:40 UTC 2012


#5742: Fix image cache url isolation
----------------------------------------------+-----------------------------
 Reporter:  mikeperry                         |          Owner:  mikeperry
     Type:  defect                            |         Status:  new      
 Priority:  major                             |      Milestone:           
Component:  Firefox Patch Issues              |        Version:           
 Keywords:  tbb-linkability, MikePerry201207  |         Parent:           
   Points:  20                                |   Actualpoints:  2        
----------------------------------------------+-----------------------------
Changes (by mikeperry):

  * points:  => 20
  * actualpoints:  => 2


Comment:

 Ok, I started looking into this more and it would seem that the "cacheKey"
 argument to imgLoader::LoadImage is often null. Elsewhere in the
 imgLoader, the actual cache key is constructed directly from the URI
 without even a channel available, so we can't use
 nsHttpChannel::AssembleCacheKey() to get the expected cacheKey.

 I think this might mean that several functions in the non-critical paths
 of the image loader will have to become O(N), to be able to continue to
 operate on URI strings and retain API compatibility. Those functions will
 just search over the cache and return/remove the first matching URI,
 isolated or not. We'll need to double-check these functions for
 cross-domain info leaks, though. I think the only dangerous one in that
 regard is imgLoader::FindEntryProperties().

 For the actual cached image storage and retrieval in
 imgLoader::LoadImage() and imgLoader::LoadImageWithChannel(), we'll have
 to do our best to construct a url domain-isolated cacheKey using either
 the referer uri, the channel, the notificationCallbacks, or who knows
 what, depending upon availability.

 In short, this is going to be a huge messy pile of pain. The only good
 thing is that the image caching code hasn't changed since ~2001. Our patch
 probably won't generate too many conflicts at that rate of code change.

 This is probably going to take like a week to get right. :/

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5742#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
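A constructed C++ model of the keying scheme the comment describes (an added example, not the Tor Browser patch or Firefox imgLoader code): entries are keyed by (first party, URI), a URI-only O(N) scan is kept for the compatibility paths, and a hypothetical FirstPartyFromUrl stands in for deriving the first party from the referer. All class and function names are assumptions.

```cpp
#include <map>
#include <string>
#include <utility>

// Constructed model, not Firefox/imgLoader code: the key carries the first
// party (top-level site) next to the image URI, so an entry cached while
// visiting one site never produces a hit for a different site.
using CacheKey = std::pair<std::string, std::string>;  // (first party, URI)

// Derive the first party from a referer-style URL ("scheme://host/...").
// Simplified: real code must also handle ports, userinfo and eTLD+1 rules.
std::string FirstPartyFromUrl(const std::string& url) {
  auto start = url.find("://");
  start = (start == std::string::npos) ? 0 : start + 3;
  auto end = url.find_first_of("/?#", start);
  return url.substr(start, end == std::string::npos ? end : end - start);
}

class IsolatedImageCache {
 public:
  void Store(const std::string& firstParty, const std::string& uri,
             const std::string& data) {
    entries_[CacheKey(firstParty, uri)] = data;
  }
  // Isolated lookup: hits only entries cached under the same first party.
  const std::string* Lookup(const std::string& firstParty,
                            const std::string& uri) const {
    auto it = entries_.find(CacheKey(firstParty, uri));
    return it == entries_.end() ? nullptr : &it->second;
  }
  // URI-only helper kept for API compatibility: O(N) scan for the first
  // entry with this URI under any first party. Handing its result to content
  // would reveal that another site loaded the image, so keep it internal.
  const std::string* FindAnyByUri(const std::string& uri) const {
    for (const auto& kv : entries_)
      if (kv.first.second == uri) return &kv.second;
    return nullptr;
  }
  // Removal by URI must evict every isolated copy, not just the first match.
  int RemoveByUri(const std::string& uri) {
    int removed = 0;
    for (auto it = entries_.begin(); it != entries_.end();) {
      if (it->first.second == uri) { it = entries_.erase(it); ++removed; }
      else ++it;
    }
    return removed;
  }
 private:
  std::map<CacheKey, std::string> entries_;
};
```

The second Lookup in a test run, from a different first party for the same tracker URI, misses, which is exactly the cross-site cache hit the isolation is meant to remove.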

