#33962: Uplift patch for 5741 (dns leak protection)
-------------------------------------------------+-------------------------
 Reporter:  acat                                 |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ReleaseTrainMigration                |  Actual Points:
  TorBrowserTeam202005R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor58
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:2 acat]:
 > I adapted the patch from #5741 to try to upstream it. You can find it in
 > https://github.com/acatarineu/tor-browser/commit/33962
 > (f27d3258eb3ca2a86774342248184c8111546dab).
 >
 > I know we briefly discussed having this behind the
 > `--enable-proxy-bypass-protection`, but I think there *might* be chances
 > for this to be upstreamed as it is now, and be useful for Firefox (it
 > wouldn't be for sure if it's behind the proxy bypass flag).
 >
 > I did a couple of changes with respect to the original patch. The main
 > one is that the patch I attached is checking that both
 > `network.proxy.type = MANUAL` and `network.proxy.socks_remote_dns = true`,
 > while the current patch only checks
 > `network.proxy.socks_remote_dns = true`. I think this change is needed to
 > avoid blocking DNS when we should not, for example in a situation where a
 > user sets up a SOCKS proxy (enabling DNS through socks), and then switches
 > back to 'No proxy', in `about:preferences`. I think the patch with these
 > changes is safe enough for Firefox, in the sense that it should not
 > result in undesired breakage.
 >
 > The question is whether it is also safe for us, in terms of proxy bypass
 > protection. My assumption is yes, as the only additional change is that
 > we also check for `network.proxy.type`, and we don't support changing
 > this in Tor Browser. But I think it's a good idea for this to be reviewed
 > before trying to push the patch to Firefox. I added this to 202005, but
 > please feel free to re-prioritize.

 Hrm. I wonder if it would be smarter to open a bug at bugzilla in the
 meantime (I don't see one filed as child of
 https://bugzilla.mozilla.org/show_bug.cgi?id=1433504) and get feedback
 about what would be acceptable for Mozilla and then write a patch that
 would fix this bug, too. I mean we could go through the review process
 here and maybe merge your patch to our tree just to write yet another
 patch which Mozilla would accept. I have some hope, though, we can avoid
 the first part and save us some time. :) What do you think?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33962#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
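
Added example, not part of the ticket and not code from either patch: a small profile audit that parses `user_pref(...)` lines and evaluates the two DNS-blocking conditions described in the quoted comment (remote-DNS pref only, versus manual proxy type plus remote-DNS pref), including the "switched back to No proxy" case. The function names, the sample profiles and the defaults for unset prefs are assumptions made for this example.

```python
import re

# network.proxy.type value for a manually configured proxy in Firefox.
PROXY_MANUAL = 1
# Assumed stock Firefox defaults, used when a pref is absent from the file.
DEFAULTS = {"network.proxy.type": 5, "network.proxy.socks_remote_dns": False}
PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\s*\);')

def parse_prefs(text):
    """Parse user_pref("name", value); lines from prefs.js / user.js text."""
    prefs = dict(DEFAULTS)
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def blocks_dns_original(prefs):
    """Condition described for the current patch: remote-DNS pref only."""
    return prefs["network.proxy.socks_remote_dns"] is True

def blocks_dns_adapted(prefs):
    """Condition described for the adapted patch: manual proxy AND remote DNS."""
    return (prefs["network.proxy.type"] == PROXY_MANUAL
            and prefs["network.proxy.socks_remote_dns"] is True)

# Constructed sample profiles (not taken from any real installation).
SOCKS_ACTIVE = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_remote_dns", true);
'''
# Scenario from the comment: proxy type set back to 0 ("No proxy") while
# the remote-DNS pref is still true.
SWITCHED_TO_NO_PROXY = SOCKS_ACTIVE.replace(
    '"network.proxy.type", 1', '"network.proxy.type", 0')

def compare(text):
    """Return (original condition, adapted condition) for a prefs file."""
    p = parse_prefs(text)
    return blocks_dns_original(p), blocks_dns_adapted(p)

if __name__ == "__main__":
    print(compare(SOCKS_ACTIVE), compare(SWITCHED_TO_NO_PROXY))
```

The two conditions only disagree when `network.proxy.socks_remote_dns` is true and `network.proxy.type` is anything other than manual, which is the state the comment says cannot be reached through supported settings in Tor Browser.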