Opened 10 years ago

Last modified 9 years ago

#1032 closed defect (Fixed)

Proxy-excluded urls should be excluded at all by default.

Reported by: OTU Owned by:
Priority: Low Milestone:
Component: Applications/Torbutton Version: Torbutton: 1.2.1
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The presence of any non-proxied addresses makes it possible combined attack in the Web 2.0 with quasi remote attacker. It is better to clear all the addresses available to bypass proxy.

But a clean default setting is dangerous, according to coderman. However, under the existing mechanism in the Firefox, even desirable to keep default values in the list no_proxies_on. As example lets be supposed yaydomain is excluded, then x.yaydomain and x.yyaydomain to bypassed proxy too.

Alternative control of excluded hosts: to clear no_proxies_on, intercept of the all requests, so that except a proxy settings for strictly "yaydomain" address or completely blocking it, all others to pass without changes.

[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (3)

comment:1 Changed 10 years ago by OTU

--- torbutton.js Sun Aug 9 10:55:00 2009
+++ torbutton.js.alike Thu Aug 13 10:55:08 2009
@@ -2279,7 +2279,8 @@

var torbutton_proxyservice = {

applyFilter : function(ps, uri, proxy) {

try {

  • torbutton_eclog(3, 'apply: '+uri.host+' '+uri.scheme+', '+proxy);

+ proxyhost = proxy ? 'proxy: '+proxy.host:'no proxy';
+ torbutton_eclog(3, 'apply for: '+uri.host+', '+proxyhost);

if (m_tb_prefs.getBoolPref("extensions.torbutton.tor_enabled")) {

if (uri.host == "localhost") return null;

}

@@ -2304,7 +2305,7 @@

try {
var proxyservice = Components.classes@mozilla.org/network/protocol-proxy-service;1

.getService(Components.interfaces.nsIProtocolProxyService);

  • proxyservice.unregisterFilter(this, 0);

+ proxyservice.unregisterFilter(this);

} catch (e) {

torbutton_eclog(3, 'UnregisterFilter failed:'+e);

}

comment:2 Changed 9 years ago by mikeperry

flyspray2trac: bug closed.
Applied patch. Change should appear in 1.2.5

comment:3 Changed 9 years ago by erinn

Version: 1.2.1Torbutton: 1.2.1

Updating the version from 1.2.1 to Torbutton: 1.2.1 so I can close #1743.

Note: See TracTickets for help on using tickets.