#20772: src="data:<;base64 images rendered when "Show images"="Blocked"
--------------------------------------+------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_review
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+------------------------------
Changes (by cypherpunks):

 * status:  new => needs_review
 * priority:  Medium => High
 * severity:  Normal => Critical

Comment:

 In light of all the past attacks on images, the length of time zero days
 can exist, the increased security focus of TBB compared to Firefox, the
 fact that Mozilla have all but marked this WONTFIX (despite patches being
 provided), and the fact that soon it will be legal to hack everyone on
 Earth without restriction, might you possibly reconsider leaving this to
 Mozilla? Even if all you say is "pull requests welcome", that's far better
 than "WONTFIX".

 The patches in the Mozilla bug you linked to probably work as-is in TBB,
 but compiling a custom TBB would stand out way too much. I beg you, please
 consider including one of the patches from
 https://bugzilla.mozilla.org/show_bug.cgi?id=331257

 Systems are routinely compromised by images;
 http://search.us-cert.gov/search?utf8=%E2%9C%93&input-form=advanced&affiliate=us-cert&query-or=JPEG+GIF+PNG+BMP&per-page=10&filter=off&x=31&y=9
 therefore raising priority.

 Please forgive my stubbornness on this, it just seems extremely dangerous.
 I can't compile it to test but the patches in the Mozilla thread likely
 just need a brief review and merge, I hope.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20772#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs