Closed Bug 1433507 Opened 3 years ago Closed 2 years ago

GIO protocols can leak the user's IP

Categories

(Core :: Networking, enhancement, P5)

enhancement

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
firefox60 --- fixed

People

(Reporter: arthur, Assigned: arthur)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor 23044][necko-triaged])

Attachments

(1 file)

GIO is a potential proxy bypass vector. In Tor Browser we have the following patch:
https://torpat.ch/23044
And the ticket is:
https://trac.torproject.org/23044

We'd like to propose uplifting the C++ part of this patch, behind the
--enable-proxy-bypass-protection build flag.
Feel free to submit a patch for review here.
Assignee: nobody → arthuredelstein
Priority: -- → P5
Whiteboard: [tor 23044] → [tor 23044][necko-triaged]
Comment on attachment 8948837 [details] [diff] [review]
0001-Bug-1433507-Forbid-GIO-supported-protocols-by-defaul.patch

Review of attachment 8948837 [details] [diff] [review]:
-----------------------------------------------------------------

pending on how MOZ_PROXY_BYPASS_PROTECTION def is implemented, this OK for me.
Attachment #8948837 - Flags: review?(honzab.moz) → review+
Thanks. Here's the current implementation. Does this look OK to you?

https://dxr.mozilla.org/mozilla-central/rev/0ac953fcddf10132eaecdb753d72b2ba5a43c32a/toolkit/moz.configure#1215
Flags: needinfo?(honzab.moz)
looks good, thanks.
Flags: needinfo?(honzab.moz)
Thank you!
Keywords: checkin-needed
Pushed by dluca@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/848c2234cb27
Forbid GIO supported protocols by default with --proxy-bypass-protection r=mayhemer
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/848c2234cb27
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
You need to log in before you can comment on or make changes to this bug.