[tor-commits] [sandboxed-tor-browser/master] Bug 22899: `about:addons`'s "Get Addons" pane is unsafe and should be treated as such.
yawning at torproject.org
Wed Jul 12 20:05:55 UTC 2017
commit e06085d63ed1d9b33787e04172365db2179003e1
Author: Yawning Angel <yawning at schwanenlied.me>
Date: Wed Jul 12 20:04:38 2017 +0000
Bug 22899: `about:addons`'s "Get Addons" pane is unsafe and should be treated as such.
Loading Google Analytics as part of an IFRAME that implements an
internal `about:` URL, without being explicitly opt-in is the total
antithesis of privacy respecting.
---
ChangeLog | 2 ++
.../sandboxed-tor-browser/internal/tor/surrogate.go | 18 ++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index b19afe9..20716ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
Changes in version 0.0.10 - UNRELEASED:
* Bug 22829: Remove default obfs4 bridge riemann.
* Bug 22853: Something in SelfRando is totally brain damaged.
+ * Bug 22899: `about:addons`'s "Get Addons" pane is unsafe and should be
+ treated as such.
* Bug 22901: Clarify/expand on the warnings for all the config settings.
Changes in version 0.0.9 - 2017-07-03:
diff --git a/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go b/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go
index b26019a..1d99431 100644
--- a/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go
+++ b/src/cmd/sandboxed-tor-browser/internal/tor/surrogate.go
@@ -35,6 +35,7 @@ import (
"cmd/sandboxed-tor-browser/internal/socks5"
"cmd/sandboxed-tor-browser/internal/ui/config"
+ . "cmd/sandboxed-tor-browser/internal/utils"
)
const (
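Review bot: the dot-import `. "cmd/sandboxed-tor-browser/internal/utils"` added in this hunk pulls every exported name of the utils package into the file's namespace, which hides where `Debugf` (used later in this patch) actually comes from and risks clashes with identifiers declared in the tor package. Suggest a normal named import, e.g. `"cmd/sandboxed-tor-browser/internal/utils"` with the call written as `utils.Debugf(...)`, unless the rest of the package already relies on the dot-import convention.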
@@ -60,6 +61,8 @@ const (
// These responses are entirely synthetic so they don't matter.
socksAddr = "127.0.0.1:9150"
+
+ aboutAddonsUnsafeHost = "discovery.addons.mozilla.org"
)
func copyLoop(upConn, downConn net.Conn) {
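Review bot: `aboutAddonsUnsafeHost` is added directly under the comment "These responses are entirely synthetic so they don't matter", which describes `socksAddr` and the synthetic reply values, not this constant. A one-line comment of its own would help, stating that this is the host the `about:addons` "Get Addons" pane fetches its discovery page from (and that the page embeds Google Analytics, which is why it is blocked), so the next reader does not have to find the handleConn hunk to understand why a Mozilla hostname is singled out.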
@@ -137,6 +140,8 @@ type socksProxy struct {
sNet, sAddr string
tag string
+ allowAboutAddons bool
+
l net.Listener
}
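Review bot: the new `allowAboutAddons` field is undocumented, while the struct's other fields at least have descriptive names. Suggest a short comment such as `// allowAboutAddons permits connections to the about:addons discovery host; set from cfg.Sandbox.VolatileExtensionsDir.` so the coupling to the volatile extensions directory setting is visible at the declaration rather than only at the assignment in launchSocksProxy.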
@@ -188,6 +193,18 @@ func (p *socksProxy) handleConn(conn net.Conn) {
return
}
+ // Disallow `about:addons` unless the extensions directory is volatile,
+ // because regardless of what Mozilla PR says about respecting privacy,
+ // loading Google Analytics in a page that gets loaded as an IFRAME as
+ // part of an `about:` internal page, is anything but.
+ if host, _ := req.Addr.HostPort(); strings.ToLower(host) == aboutAddonsUnsafeHost {
+ if !p.allowAboutAddons {
+ Debugf("sandbox: Rejecting request to `%s`", aboutAddonsUnsafeHost)
+ req.Reply(socks5.ReplyConnectionNotAllowed)
+ return
+ }
+ }
+
// Append our isolation tag.
if err := p.rewriteTag(conn, req); err != nil {
req.Reply(socks5.ReplyGeneralFailure)
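Review bot: the host comparison in this hunk is an exact string match after `strings.ToLower`, so a host carrying a trailing dot (`discovery.addons.mozilla.org.`), which the resolver treats as the same fully-qualified name, would not be caught; normalising with `strings.TrimSuffix(host, ".")` before comparing closes that gap. Two smaller points: the comment explains why Google Analytics is objectionable but not why a volatile extensions directory makes the pane acceptable, and the code would read better with the rationale stated and the two `if` statements collapsed, e.g. `if host, _ := req.Addr.HostPort(); !p.allowAboutAddons && strings.ToLower(host) == aboutAddonsUnsafeHost {`. Finally, the rejection is logged only at debug level; since the visible symptom for the user is a silently broken "Get Addons" pane, a message at warning level (or a user-facing note) explaining that the connection was refused by policy would make the behaviour easier to diagnose.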
@@ -245,6 +262,7 @@ func launchSocksProxy(cfg *config.Config, tor *Tor) (*socksProxy, error) {
if err != nil {
return nil, err
}
+ p.allowAboutAddons = cfg.Sandbox.VolatileExtensionsDir
go p.acceptLoop()