#22170: Check uses of ch.boye.httpclientandroidlib.impl.client.* for proxy safety on Android -------------------------------------------------+------------------------- Reporter: gk | Owner: sysrqb Type: defect | Status: | needs_review Priority: High | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: ff52-esr, tbb-mobile, | Actual Points: TorBrowserTeam201808R | Parent ID: #21863 | Points: Reviewer: | Sponsor: -------------------------------------------------+-------------------------
Comment (by gk): Replying to [comment:22 sysrqb]: > Replying to [comment:20 sysrqb]: > > All files where Fennec uses `conn` > > > > {{{ > > $ git grep -n ch.boye.httpclientandroidlib.conn mobile/android/[bs]* > > mobile/android/base/java/org/mozilla/gecko/util/URIUtils.java:14:import ch.boye.httpclientandroidlib.conn.util.InetAddressUtils; > > }}} > > Only used for parsing a string. This class is only a utility, it doesn't create any connections. > > > {{{ > > mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:44:import ch.boye.httpclientandroidlib.conn.ClientConnectionManager; > > mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:45:import ch.boye.httpclientandroidlib.conn.params.ConnRoutePNames; > > mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:46:import ch.boye.httpclientandroidlib.conn.scheme.PlainSocketFactory; > > mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:47:import ch.boye.httpclientandroidlib.conn.scheme.Scheme; > > mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:48:import ch.boye.httpclientandroidlib.conn.scheme.SchemeRegistry; > > mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java:49:import ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory; > > }}} > > This is proxy-safe but only because we hard-code the default HTTP proxy. `scheme.PlainSocketFactory` and `ssl.SSLSocketFactory` are used for establishing a connection to the proxy, instead of the destination. `params.ConnRoutePNames` is used for specifying the default proxy. `scheme.Scheme`, `scheme.SchemeRegistry`, and `ClientConnectionManager` are used during instantiation of the connection manager (`ThreadSafeClientConnManager`). > > > {{{ > > mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/TLSSocketFactory.java:16:import ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory; > > }}} > > Dead class. Looks good. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22170#comment:30> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs