Opened 7 years ago

Closed 6 years ago

#10530 closed defect (fixed)

TBB on Linux leaks info to terminal

Reported by: runa Owned by: jsha
Priority: High Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Keywords:
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


A Reddit user wrote this post saying TBB is leaking information about the sites a user is trying to visit (i.e. unresolved domains) to the terminal.

Below are steps to reproduce, according to the post. I have not tested this myself.

  1. Visit an invalid domain, such as or a .onion URL.
  1. Click "Try Again".
  1. Change the tab and change back.

The following messages appears in the terminal:

(about:neterror?e=connectionFailure&u=http%3A// Could not check applicable rules for about:neterror?e=connectionFailure&u=http%3A//

Child Tickets

Change History (6)

comment:1 Changed 7 years ago by gk

Cc: gk added

comment:2 Changed 7 years ago by gk

Component: Tor bundles/installationEFF-HTTPS Everywhere
Owner: changed from erinn to pde

pde: Is there a reason for that (additional) dump() call in https_everywhereLog()? If so, can we at least sanitize the string?

comment:3 Changed 6 years ago by zyan

Status: newneeds_information

This may be caused by, in which case it will get fixed in the next release.

comment:4 Changed 6 years ago by jsha

The dump call is very useful when debugging the extension in a restart cycle. That said, it probably makes sense to put it behind a pref that's only enabled in test mode. I'll do that.

comment:5 Changed 6 years ago by jsha

Owner: changed from pde to jsha
Status: needs_informationassigned

comment:6 Changed 6 years ago by jsha

Resolution: fixed
Status: assignedclosed

Fixed in master by 5197662ba1060f40eddb803b61ea9363f4730ccd.

Note: See TracTickets for help on using tickets.