Copying large text from web console leaks to /tmp
Categories
(Core :: Widget, enhancement, P3)
Tracking
()
People
(Reporter: arthur, Unassigned)
References
Details
(Whiteboard: [tor 21830])
Attachments
(2 files, 1 obsolete file)
5.34 KB,
patch
|
Details | Diff | Splinter Review | |
59 bytes,
text/x-review-board-request
|
jdm
:
review+
|
Details |
Reporter | ||
Updated•7 years ago
|
Reporter | ||
Comment 1•7 years ago
|
||
Reporter | ||
Comment 2•7 years ago
|
||
Comment 3•7 years ago
|
||
Reporter | ||
Comment 4•7 years ago
|
||
Reporter | ||
Updated•7 years ago
|
Comment 6•7 years ago
|
||
bugherder |
Comment 7•7 years ago
|
||
Comment 8•7 years ago
|
||
Reporter | ||
Comment 9•7 years ago
|
||
Comment 10•7 years ago
|
||
Reporter | ||
Comment 11•7 years ago
|
||
Comment 12•7 years ago
|
||
Updated•7 years ago
|
Comment hidden (mozreview-request) |
Updated•7 years ago
|
Comment 14•7 years ago
|
||
mozreview-review |
Comment 15•7 years ago
|
||
Comment 16•7 years ago
|
||
bugherder |
Updated•6 years ago
|
Comment 17•6 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:jimm, maybe it's time to close this bug?
Updated•6 years ago
|
Comment 19•5 years ago
|
||
I could not reproduce the /tmp leaks in PBM with current Firefox versions (>=67), but still there are several places initializing nsTransferables with null context, so the possibility of the /tmp leaks might still open. Do you think it would be fine to set mPrivateData again to true (reverting the revert) now, or are the regressions still an issue?
Comment 20•5 years ago
|
||
Regressions are still an issue. We're already avoiding the clipboard cache in content processes because of https://hg.mozilla.org/mozilla-central/rev/7a7f203680a8, but the parent process is still creating clipboard files. The proper way to fix this issue is described in bug 1396224. And when that bug is fixed, changing the default (whether true or false) shouldn't matter any more. I'll take a quick look at that bug, since it seems that nobody else would work on it otherwise.
How are you testing that there are no /tmp leaks? Did you watch the creation and removing of file (descriptors) in /tmp
?
Just checking whether there are files in /tmp
is not a complete test, because the file is created, and immediately deleted after getting a file handle, starting from the fix to bug 335545. Although you won't see files, data can still be written to the disk, which is a privacy risk for Tor.
Here is an example when I put text on the PRIMARY clipboard (i.e. follow comment 7, but put data on the clipboard by selecting the text).
$ inotifywait -m /tmp/
Setting up watches.
Watches established.
/tmp/ CREATE mozilla-temp-1322242136
/tmp/ OPEN mozilla-temp-1322242136
/tmp/ CLOSE_WRITE,CLOSE mozilla-temp-1322242136
/tmp/ OPEN mozilla-temp-1322242136
/tmp/ DELETE mozilla-temp-1322242136
/tmp/ MODIFY mozilla-temp-1322242136
/tmp/ CREATE mozilla-temp-430423343
/tmp/ OPEN mozilla-temp-430423343
/tmp/ CLOSE_WRITE,CLOSE mozilla-temp-430423343
/tmp/ OPEN mozilla-temp-430423343
/tmp/ DELETE mozilla-temp-430423343
/tmp/ MODIFY mozilla-temp-430423343
(when I release the clipboard)
/tmp/ CLOSE_WRITE,CLOSE mozilla-temp-1322242136
/tmp/ CLOSE_WRITE,CLOSE mozilla-temp-430423343
Comment 21•5 years ago
|
||
True, I did not check with inotify
, so then the change I saw w.r.t. to previous versions was that now temp files are deleted and kept open. Thanks for taking a look at bug 335545, that one should allow us to drop this patch for Tor Browser.
Comment 22•5 years ago
|
||
Sorry, I meant bug 1396224 :)
Comment 23•5 years ago
|
||
I can still reproduce this after bug 1396224 was fixed, so I think this should not be a duplicate of that one.
An easy way to reproduce is to do the same steps as in bug 1396224 to create and open the big file, then open Web Console
, select the <html>
element and copy the internal HTML.
Updated•5 years ago
|
Comment 24•5 years ago
|
||
The issue from comment 23 happens because the string is copied without considering the context of the invocation, and consequently the (default) non-private context is used to copy the string: https://searchfox.org/mozilla-central/rev/da855d65d1fbdd714190cab2c46130f7422f3699/widget/nsClipboardHelper.cpp#71
Which is called via copyLongHTMLString
in devtools/client/inspector/markup/markup.js
(there are many other callers of .copyString(
and a few callers of .copyStringToClipboard(
with the same problem.)
An easy way to fix this leakage is by calling trans->SetIsPrivateData(true);
in nsClipboardHelper.cpp
after trans->Init(nullptr)
. The upside of this is that this bug is fixed; the downside is that long strings that are copied with this helper are fully kept in memory (instead of cached to the disk) until the item is removed from the clipboard.
A more involved way to fix this is to somehow pass the privatebrowsing state to the clipboard helper function.
Comment 25•3 years ago
|
||
The bug assignee didn't login in Bugzilla in the last 7 months and this bug has priority 'P2'.
:spohl, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 26•3 years ago
|
||
Rob, could you clarify if there is still a need to keep this bug open today?
Comment 27•3 years ago
|
||
Assuming that Tor doesn't want to persist any unnecessary/private state to disk, there is still a bug.
See comment 20 for verification steps using inotifywait
,
and see comment 24 for Searchfox search links to affected code (e.g. the copy link to clipboard functionality at https://searchfox.org/mozilla-central/rev/2c4522f76b23b024d9f29e140d41042853874c07/browser/base/content/nsContextMenu.js#1964-1967 ).
The referenced code in nsClipboardHelper.cpp in comment 24 has been updated by bug 1730194 to include a conditional call to trans->SetIsPrivateData(true);
, which partly matches with what I suggested there. Before resolving this bug, that condition should be expanded to ensure that no clipboard data is persisted to disk on Tor (again, this assumes that a goal of Tor is to avoid writing such data to disk).
Description
•