[tor-bugs] #31144 [Applications/Tor Browser]: ESR68 Network Code Review
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Oct 11 00:24:31 UTC 2019
#31144: ESR68 Network Code Review
--------------------------------------------------+------------------------
 Reporter:   pili                                 |  Owner:          tbb-team
 Type:       task                                 |  Status:         needs_review
 Priority:   Very High                            |  Milestone:
 Component:  Applications/Tor Browser             |  Version:
 Severity:   Normal                               |  Resolution:
 Keywords:   TorBrowserTeam201910,                |  Actual Points:
             tbb-9.0-alpha-must                   |
 Parent ID:                                       |  Points:         10
 Reviewer:                                        |  Sponsor:
--------------------------------------------------+------------------------
Changes (by mikeperry):
* status: new => needs_review
Comment:
Ok, I believe I have completed the Android portion now. Here is the full
list of found items, removing the ones GeKo said were fixed:

 1. Rust lib check
 2. java.net.URL stream usage (which looks like it bypasses the proxy)
   - GeckoApplication.downloadImageForSetImage uses URL.openStream()
   - GeckoActionProvider.downloadImageForIntent uses
     java.net.URL.openStream()
   - GeckoAppShell has many wrappers to create inputstreams from
     URLConnections (but these may need to be opened first?)
   - GeckoMediaDrmBridgeV21.java - uses android.media.MediaDrm which seems
     to fetch stuff??
   - BitmapUtils.decodeUrl uses openStream for non-jar urls
   - GeckoJarReader - tons of stream use.. Can this be used on remote
     jars?
   - AbstractCommunicator.openConnectionAndSetHeaders() - uses
     url.openConnection() (I think we patched this one in #31934?)
   - AbstractCommunicator.sendData() - uses url.getOutputStream().. maybe
     ok?
 3. IntentHelper openUriExternal usage - maybe we should just patch this to
    always prompt?
   - ActivityStreamContextMenu.java
   - BrowserApp.java (see also onNewIntent() delegation to
     BrowserAppDelegates list)
   - ChromeCastDisplay.java
   - HomeFragment.java
 4. android.content.Intent startActivity() usage (may or may not be unsafe
    depending on circumstance :/)
   - ActivityHandlerHelper - Good candidate to patch for external
     activities, but not everything uses it :/
   - BrowserApp.onUrlOpenWithReferrer() - Might be able to launch other
     apps if OPEN_WITH_INTENT flag is set?
   - CustomTabsActivity.java - Several methods emit potentially external
     Intents
   - WebAppActivity.onLoadRequest()
   - BasicGeckoViewPrompt.onFilePrompt()
   - GeckoViewActivity.onExternalResponse()
 5. Intent bindService() usage:
   - SurfaceAllocator - no idea what is happening here :/
   - RemoteManager - no idea what is happening here :/
 6. android.app.PendingIntent
   - ChromeCastDisplay.java - probably want to make sure this is disabled?
   - CustomTabsActivity.performPendingIntent - again, hard to tell what is
     happening here
 7. android.app.DownloadManager
   - DownloadsIntegration.java uses it, but has a check for
     useSystemDownloadManager() to avoid using it
   - BrowserApp.java uses it to download items without any checks

I committed a rubric of what I did for future audits/tooling here:
https://gitweb.torproject.org/tor-browser-spec.git/tree/audits/NETWORK_AUDIT_RUBRIC

I also committed my notes here:
https://gitweb.torproject.org/tor-browser-spec.git/tree/audits/FF68_NETWORK_AUDIT

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31144#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
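
An added example, not part of the ticket and not code from the Tor Browser repositories: a small scanner that lists the Java call patterns named in items 2 through 7 of the comment above so each site can be reviewed by hand. The category names, the `scan` function and the sample source are constructed for illustration; comments, string literals and import lines are ignored so that only live code is reported.

```python
import re
from collections import namedtuple

# Call patterns taken from items 2-7 of the comment above; the category
# names are made up for this example.
SINKS = [
    ("url-stream", re.compile(r"\.\s*open(?:Stream|Connection)\s*\(")),
    ("open-uri-external", re.compile(r"\bopenUriExternal\s*\(")),
    ("start-activity", re.compile(r"\bstartActivity\s*\(")),
    ("bind-service", re.compile(r"\bbindService\s*\(")),
    ("pending-intent", re.compile(r"\bPendingIntent\b")),
    ("download-manager", re.compile(r"\bDownloadManager\b")),
]

# Matches a Java string literal, a line comment or a block comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)

Finding = namedtuple("Finding", "category path line text")

def _blank(match):
    """Empty string literals and space out comments, keeping line breaks."""
    tok = match.group(0)
    return '""' if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)

def scan(sources):
    """Return call sites to review by hand, in file and line order."""
    findings = []
    for path, src in sources.items():
        original = src.splitlines()
        cleaned = _TOKEN.sub(_blank, src).splitlines()
        for no, (raw, code) in enumerate(zip(original, cleaned), start=1):
            if code.lstrip().startswith("import "):
                continue  # an import alone is not a call site
            for category, pattern in SINKS:
                if pattern.search(code):
                    findings.append(Finding(category, path, no, raw.strip()))
    return findings

# Constructed sample input, not code from Firefox or Tor Browser.
SAMPLE = {"ImageFetch.java": '''\
import java.net.URL;
import android.app.PendingIntent;
class ImageFetch {
    // was: new URL(u).openConnection() with no proxy argument
    InputStream get(URL url) throws IOException { return url.openStream(); }
    void log() { Log.d(TAG, "startActivity(intent) called"); }
    void open(Intent i) { if (useSystemDownloadManager()) return; context.startActivity(i); }
}
'''}
```

Calling `scan(SAMPLE)` reports the `openStream()` call on line 5 and the `startActivity()` call on line 7; the commented-out call, the log string and the bare import are not reported.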