Package: xul-ext-torbutton
Version: 1.2.5-1
Severity: important
Tags: security
Hi,

Context
=======

I am using the default preferences for the following settings:

  pref("extensions.torbutton.set_uagent", true);
  pref("extensions.torbutton.useragent_override", "Mozilla/5.0 (Windows; U; Windows NT 6.1; LANG; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3");

What works
==========

extensions.torbutton.spoof_english defaults to true in
/usr/share/xul-ext/torbutton/defaults/preferences/preferences.js.

In this default case, the reported User-Agent is:

  "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

i.e. the LANG placeholder is correctly replaced with a standard-looking
locale in the torbutton_set_uagent() function.

What does not work
==================

When extensions.torbutton.spoof_english is set to true, the reported
User-Agent is:

  "Mozilla/5.0 (Windows; U; Windows NT 6.1; chrome://global/locale/intl.properties; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"

One can see the LANG placeholder is wrongly replaced with
"chrome://global/locale/intl.properties" instead of what is expected,
i.e. the value of the "general.useragent.locale" preference setting.

Consequences
============

This leaks usage of Torbutton for users who have disabled the
spoof_english setting. The Torbutton overridden User-Agent feature is
specifically aimed at preventing such fingerprinting. This bug makes
fingerprinting easier while the user thinks it has been made harder.
Hence the security tag and severity important.

Bye,

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

xul-ext-torbutton depends on no packages.
Versions of packages xul-ext-torbutton recommends:
ii  iceweasel  3.5.11-1              Web browser based on Firefox
ii  polipo     1.0.4.1-1.1~squeeze   a small, caching web proxy
ii  tor        0.2.1.26-1~squeeze+1  anonymizing overlay network for TC

xul-ext-torbutton suggests no packages.

-- no debconf information

-- 
  intrigeri <intrig...@boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr-fingerprint.asc
  | Who wants a world in which the guarantee that we shall not
  | die of starvation would entail the risk of dying of boredom ?
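As an added illustration of the substitution the report describes, the following Node.js snippet is example code written for this page; it is not Torbutton's torbutton_set_uagent() and not the upstream fix. It splices a locale value into the LANG placeholder of the override template two ways: unchecked, which reproduces the leaking User-Agent seen in the report when the value is the unresolved "chrome://global/locale/intl.properties" string, and guarded, where the value is only accepted if it has the shape of a locale tag and otherwise falls back to the same "en-US" that spoof_english produces. A separate check flags any finished User-Agent that still carries a chrome:// URL, which is the test a maintainer would add to catch a regression. The template and the chrome:// value are copied from the report; the names UA_TEMPLATE, FALLBACK_LOCALE, LOCALE_RE, buildUserAgentUnchecked, buildUserAgent, isPlausibleLocale, userAgentLeaksChromeUrl, the sample "fr-FR" value and the SAMPLE_PREF_VALUES table are assumptions made for this example.

```javascript
// Added example, not Torbutton's own code. Shows the LANG substitution the
// bug report describes and a guard against the unresolved chrome:// value.

// Template copied from the extensions.torbutton.useragent_override default
// quoted in the report.
const UA_TEMPLATE =
  "Mozilla/5.0 (Windows; U; Windows NT 6.1; LANG; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3";

// Fallback chosen for this example: the same value spoof_english produces,
// so a rejected locale yields the default-case User-Agent, not a telltale.
const FALLBACK_LOCALE = "en-US";

// Loose shape of a browser locale tag: 2-3 letter language plus optional
// script/region subtags ("en-US", "fr", "zh-Hant", "pt-BR"). Anchored, so a
// URL or a file path such as "chrome://global/locale/intl.properties" fails.
const LOCALE_RE = /^[a-z]{2,3}(-[A-Za-z]{2,4})*$/;

function isPlausibleLocale(value) {
  return typeof value === "string" && LOCALE_RE.test(value);
}

// The failing behaviour from the report: whatever the preference read
// returned is spliced into the placeholder verbatim.
function buildUserAgentUnchecked(template, localeValue) {
  return template.replace(/\bLANG\b/, () => localeValue);
}

// Guarded variant: only a value that looks like a locale tag is spliced in;
// anything else (including the unresolved string-bundle URL) is replaced by
// the fallback.
function buildUserAgent(template, localeValue) {
  const locale = isPlausibleLocale(localeValue) ? localeValue : FALLBACK_LOCALE;
  return template.replace(/\bLANG\b/, () => locale);
}

// Post-build check: a finished User-Agent must never carry a chrome:// URL.
function userAgentLeaksChromeUrl(ua) {
  return /chrome:\/\//.test(ua);
}

// Constructed sample inputs, standing in for what a preference read returns.
const SAMPLE_PREF_VALUES = {
  spoofEnglish: "en-US",                                        // spoof_english = true
  resolvedLocale: "fr-FR",                                      // hypothetical resolved locale
  unresolvedBundleUrl: "chrome://global/locale/intl.properties", // value seen in the report
};

// Run both builders over the samples and report whether each result leaks.
function demo() {
  const results = {};
  for (const [name, value] of Object.entries(SAMPLE_PREF_VALUES)) {
    const unchecked = buildUserAgentUnchecked(UA_TEMPLATE, value);
    const guarded = buildUserAgent(UA_TEMPLATE, value);
    results[name] = {
      unchecked,
      uncheckedLeaks: userAgentLeaksChromeUrl(unchecked),
      guarded,
      guardedLeaks: userAgentLeaksChromeUrl(guarded),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The shape check is deliberately loose: its job is to reject values that are obviously not locale tags, not to validate BCP 47 in full. Falling back to "en-US" rather than failing loudly keeps the User-Agent identical to the spoof_english case, so a broken preference read degrades to the spoofed value instead of advertising the extension; whether that silent fallback or a logged error is preferable is a maintainer's choice.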