[tor-commits] [tor-browser] 10/48: Bug 13028: Prevent potential proxy bypass cases.

gitolite role git at cupani.torproject.org
Tue Sep 27 14:58:43 UTC 2022


This is an automated email from the git hooks/post-receive script.

richard pushed a commit to branch tor-browser-102.3.0esr-12.0-2
in repository tor-browser.

commit 6c13f97405147a08d455778413f1aac8d8e8bb98
Author: Mike Perry <mikeperry-git at torproject.org>
AuthorDate: Mon Sep 29 14:30:19 2014 -0700

    Bug 13028: Prevent potential proxy bypass cases.
    
    It looks like these cases should only be invoked in the NSS command line
    tools, and not the browser, but I decided to patch them anyway because there
    literally is a maze of network function pointers being passed around, and it's
    very hard to tell if some random code might not pass in the proper proxied
    versions of the networking code here by accident.
    
    Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1433509
---
 security/nss/lib/certhigh/ocsp.c                             |  4 ++++
 security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index cea8456606bf..76622614a80a 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2927,6 +2927,9 @@ loser:
 static PRFileDesc *
 ocsp_ConnectToHost(const char *host, PRUint16 port)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+    return NULL;
+#else
     PRFileDesc *sock = NULL;
     PRIntervalTime timeout;
     PRNetAddr addr;
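Review bot: The guarded branch of ocsp_ConnectToHost returns NULL without recording an error, so a caller that consults the NSS error state after the failure may see a stale or zero code instead of a reason for the refused connection. I would set one before returning, e.g. `PORT_SetError(PR_NETWORK_UNREACHABLE_ERROR);`, or whichever code the project prefers for a deliberately blocked connection. A short comment such as `/* Direct NSPR sockets would bypass the proxy; refuse to connect. */` would also tell readers why the function is stubbed out. The rest of the body, including the `loser:` path, lies outside this hunk, so how the unguarded path reports its errors is not visible here.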
@@ -2985,6 +2988,7 @@ loser:
     if (netdbbuf != NULL)
         PORT_Free(netdbbuf);
     return NULL;
+#endif
 }
 
 /*
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
index e8698376b5be..f34e102721d2 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
@@ -1322,6 +1322,9 @@ pkix_pl_Socket_Create(
         PKIX_PL_Socket **pSocket,
         void *plContext)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#else
         PKIX_PL_Socket *socket = NULL;
 
         PKIX_ENTER(SOCKET, "pkix_pl_Socket_Create");
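Review bot: In the guarded branch `PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);` comes before `PKIX_ENTER(SOCKET, "pkix_pl_Socket_Create");`, and the matching `#endif` in the next hunk sits after `PKIX_RETURN(SOCKET);`, so with MOZ_PROXY_BYPASS_PROTECTION defined the function keeps neither the entry macro, the `cleanup:` label nor a return. As far as I know PKIX_ERROR records its code in state that PKIX_ENTER sets up and then jumps to `cleanup`, so this configuration probably fails to compile wherever libpkix is actually built; that is worth confirming with a build that enables both. Keeping the declarations and PKIX_ENTER outside the guard, putting `#ifdef MOZ_PROXY_BYPASS_PROTECTION` / `PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);` / `#else` right after them, and moving `#endif` to just above `cleanup:` would let the stub fail through the normal exit path. The same applies to pkix_pl_Socket_CreateByName and pkix_pl_Socket_CreateByHostAndPort below; all three bodies extend beyond their hunks.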
@@ -1369,6 +1372,7 @@ cleanup:
         }
 
         PKIX_RETURN(SOCKET);
+#endif
 }
 
 /*
@@ -1418,6 +1422,9 @@ pkix_pl_Socket_CreateByName(
         PKIX_PL_Socket **pSocket,
         void *plContext)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#else
         PRNetAddr netAddr;
         PKIX_PL_Socket *socket = NULL;
         char *sepPtr = NULL;
@@ -1520,6 +1527,7 @@ cleanup:
         }
 
         PKIX_RETURN(SOCKET);
+#endif
 }
 
 /*
@@ -1571,6 +1579,9 @@ pkix_pl_Socket_CreateByHostAndPort(
         PKIX_PL_Socket **pSocket,
         void *plContext)
 {
+#ifdef MOZ_PROXY_BYPASS_PROTECTION
+        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#else
         PRNetAddr netAddr;
         PKIX_PL_Socket *socket = NULL;
         char *sepPtr = NULL;
@@ -1658,6 +1669,7 @@ cleanup:
         }
 
         PKIX_RETURN(SOCKET);
+#endif
 }
 
 /*

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

