Closed Bug 1433507 Opened 8 years ago Closed 8 years ago

GIO protocols can leak the user's IP

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla60

Tracking Flags:

Tracking

Status

firefox60

---

fixed

People

(Reporter: arthur, Assigned: arthur)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor 23044][necko-triaged])

Attachments

(1 file)

0001-Bug-1433507-Forbid-GIO-supported-protocols-by-defaul.patch 8 years ago Arthur Edelstein [:arthur] 1.49 KB, patch	mayhemer : review+	Details \| Diff \| Splinter Review

Arthur Edelstein [:arthur]

Assignee

Description

•

8 years ago

GIO is a potential proxy bypass vector. In Tor Browser we have the following patch: https://torpat.ch/23044 And the ticket is: https://trac.torproject.org/23044 We'd like to propose uplifting the C++ part of this patch, behind the --enable-proxy-bypass-protection build flag.

Honza Bambas (:mayhemer)

Comment 1

•

8 years ago

Feel free to submit a patch for review here.

Assignee: nobody → arthuredelstein

Priority: -- → P5

Whiteboard: [tor 23044] → [tor 23044][necko-triaged]

Arthur Edelstein [:arthur]

Assignee

Comment 2

•

8 years ago

Attached patch 0001-Bug-1433507-Forbid-GIO-supported-protocols-by-defaul.patch — Details — Splinter Review

Attachment #8948837 - Flags: review?(honzab.moz)

Honza Bambas (:mayhemer)

Comment 3

•

8 years ago

Comment on attachment 8948837 [details] [diff] [review] 0001-Bug-1433507-Forbid-GIO-supported-protocols-by-defaul.patch Review of attachment 8948837 [details] [diff] [review]: ----------------------------------------------------------------- pending on how MOZ_PROXY_BYPASS_PROTECTION def is implemented, this OK for me.

Attachment #8948837 - Flags: review?(honzab.moz) → review+

Arthur Edelstein [:arthur]

Assignee

Comment 4

•

8 years ago

Thanks. Here's the current implementation. Does this look OK to you? https://dxr.mozilla.org/mozilla-central/rev/0ac953fcddf10132eaecdb753d72b2ba5a43c32a/toolkit/moz.configure#1215

Flags: needinfo?(honzab.moz)

Honza Bambas (:mayhemer)

Comment 5

•

8 years ago

looks good, thanks.

Flags: needinfo?(honzab.moz)

Arthur Edelstein [:arthur]

Assignee

Comment 6

•

8 years ago

Thank you!

Keywords: checkin-needed

Pulsebot

Comment 7

•

8 years ago

Pushed by dluca@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/848c2234cb27 Forbid GIO supported protocols by default with --proxy-bypass-protection r=mayhemer

Keywords: checkin-needed

Bogdan Tara[:bogdan_tara | bogdant]

Comment 8

•

8 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/848c2234cb27

Status: NEW → RESOLVED

Closed: 8 years ago

status-firefox60: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla60

You need to log in before you can comment on or make changes to this bug.

Bugzilla

GIO protocols can leak the user's IP

Categories

(Core :: Networking, enhancement, P5)

Tracking

()

People

(Reporter: arthur, Assigned: arthur)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor 23044][necko-triaged])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Comment 7

Comment 8

Attachment

General

Description

File Name

Content Type