#21625: Review networking code for Firefox 52 -------------------------------------------------+------------------------- Reporter: gk | Owner: | mikeperry Type: task | Status: | assigned Priority: Very High | Milestone: Component: Applications/Tor Browser | Version: Severity: Critical | Resolution: Keywords: TorBrowserTeam201703, ff52-esr, | Actual Points: tbb-7.0-must | Parent ID: | Points: Reviewer: | Sponsor: -------------------------------------------------+-------------------------
Comment (by mikeperry): Stuff we should patch/disable: * FlyWeb (dom/flyweb/FlyWebService.cpp) - This is a mechanism for contacting local devices and interacting with them. It may not be fully implemented, but networking code is definitely here. Disable it. * dom/presentation/* and nsNetworkInfoService::ListNetworkAddresses - the Presentation API (for remote displays - https://developer.mozilla.org/en- US/docs/Web/API/Presentation_API). This needs to be disabled even if proxied, because it does ICE-style IP address discovery and advertisement. * ./dom/presentation/provider/MulticastDNSDeviceProvider.cpp - used by the Presentation API to announce itself (and maybe other stuff?). Make sure it gets disabled. * The Rust URL parser (third_party/rust/url/src/host.rs) has a to_socket_addrs and ToSocketAddrs methods. These should be patched out for safety and to remind us later, I think. * netwerk/dns/mdns/libmdns/fallback/MulticastDNS.jsm - more mDNS stuff that should be disabled. Android stuff that definitely leaks that we should fix (missing proxy params to HttpUrlConnection - these need to use the buildHttpConnection helper to get a proxy): * mobile/android/base/java/org/mozilla/gecko/feeds/FeedFetcher.java * mobile/android/base/java/org/mozilla/gecko/media/GeckoMediaDrmBridgeV21.java * mobile/android/base/java/org/mozilla/gecko/search/SearchEngineManager.java * mobile/android/thirdparty/com/keepsafe/switchboard/SwitchBoard.java That's it for the stuff that definitely needs patching. I'll post the other sets as soon as I can. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21625#comment:3> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs