Opened 3 years ago

Closed 3 years ago

#11763 closed defect (fixed)

Double clicking OK button after proxy change disables all security settings

  • Reported by: scissors
  • Owned by: mikeperry
  • Priority: Medium
  • Component: TorBrowserButton
  • Keywords: MikePerry201405R
  • Cc: gk

Description

Tested on TorBrowser 3.6 Linux and Windows.

Steps to reproduce bug:

  • Click Torbutton -> Preferences
  • Select Transparent Torification
  • Double click the OK button (to reliably reproduce bug click as many times as you can)

All security settings are now disabled. The "Are you sure you want to enable plugins?" warning pop-up will appear (unless plugins were already enabled, or you've ticked the 'Never ask me again' box). Opening up Torbutton preferences again and looking at the Security Settings tab shows that all four are disabled; about:config confirms they are disabled. The full list of disabled settings is:

  • block_disk
  • no_tor_plugins
  • resist_fingerprinting
  • resize_new_windows
  • restrict_thirdparty

The settings remain disabled even after setting the proxy mode back to 'recommended'. This bug is independent of whether a transparent proxy is actually available or not.

Because the preferences window freezes for up to several seconds after pressing OK when Transparent Torification is selected (presumably as the remote check is performed), multiple-clicking the OK button is a natural reaction. Clearly this bug is a risk as users (especially those with flash already enabled/having clicked 'Never ask me again') are unaware that these settings are being disabled and they remain disabled until manually changed back.

Change History (8)

comment:1 Changed 3 years ago by gk

  • Cc gk added

comment:2 Changed 3 years ago by scissors

Spotted in the wild: mentioned in comment:14:ticket:10493

comment:3 in reply to: ↑ description Changed 3 years ago by scissors

I should also have mentioned that if you just single-click the OK button, TorButton behaves as expected: performing a remote Tor check and changing the proxy setting, implying this is likely a race bug.

comment:4 Changed 3 years ago by cypherpunks

Could be that this bug is related to #11783. Double click executes the same code twice and, depending on the race condition, it breaks something. Why are the torbutton functions called twice?

comment:5 Changed 3 years ago by cypherpunks

--- preferences.js
+++ preferences.js.modified
@@ -189,6 +189,7 @@
 }
 
 function torbutton_prefs_save(doc) {
+    doc.documentElement.getButton("accept").disabled = true;
     torbutton_log(2, "called prefs_save()");
     var o_torprefs = torbutton_get_prefbranch('extensions.torbutton.');
     var o_customprefs = torbutton_get_prefbranch('extensions.torbutton.custom.');
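
Review bot: The accept button disabled on the first added line of torbutton_prefs_save is never re-enabled in the visible lines, so if the save fails or returns without closing the dialog the user is left with an OK button that no longer responds; consider re-enabling it on the error path. The line also runs before the torbutton_log(2, "called prefs_save()") call, so if getButton("accept") returns nothing the function would fail before anything is logged; moving it below the log call keeps the trace. A one-line comment naming the double-click race would explain why the line is there.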

This kludge should prevent races.

comment:6 Changed 3 years ago by gk

  • Keywords MikePerry201405 added
  • Status changed from new to needs_review

Thanks, works for me. I put this in branch bug_11763 in my public torbutton repo. And here it actually holds what I said in #11783: clicking n times on Accept executes n times the function bound to it (approximately and/or if you are fast)...

comment:7 Changed 3 years ago by gk

  • Keywords MikePerry201405R added; MikePerry201405 removed

comment:8 Changed 3 years ago by mikeperry

  • Resolution set to fixed
  • Status changed from needs_review to closed

This is merged and will appear in 3.6.2 and 4.0-alpha-1.
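
A model of what comment:6 observes (n clicks on Accept run the bound function n times) and of the disable-the-button guard from comment:5, as an added example that is not Torbutton code. The dialog, queue and function names are hypothetical, and it assumes that clicks made while the handler blocks the UI are queued and delivered afterwards.

```javascript
// Constructed model, not Torbutton code. Assumption: OK clicks made while a
// slow synchronous accept handler blocks the UI are queued and delivered later.
function makeDialog(onAccept) {
  const queue = [];                        // pending click events
  const dialog = {
    button: { disabled: false },
    runs: 0,                               // times the save body executed
    click() { queue.push("click"); },      // user input is only queued here
    drain() {                              // event loop delivering the clicks
      while (queue.length > 0) {
        queue.shift();
        if (dialog.button.disabled) continue;   // disabled button drops click
        try { onAccept(dialog); } catch (e) { dialog.lastError = e.message; }
      }
    },
  };
  return dialog;
}

// Stand-in for the preference writes; fails once when dialog.failNext is set.
function writePrefs(dialog) {
  dialog.runs += 1;
  if (dialog.failNext) { dialog.failNext = false; throw new Error("save failed"); }
}

// Before the patch: every delivered click re-runs the whole save.
function saveUnguarded(dialog) { writePrefs(dialog); }

// The patch's approach: disable the accept button before doing anything else.
function saveDisableFirst(dialog) {
  dialog.button.disabled = true;
  writePrefs(dialog);
}

// Variant that re-enables the button if the save throws, so a retry is possible.
function saveDisableWithRecovery(dialog) {
  dialog.button.disabled = true;
  try { writePrefs(dialog); } catch (e) { dialog.button.disabled = false; throw e; }
}

// Queue n clicks, deliver them, and return the dialog for inspection.
function clickTimes(handler, n, failFirst = false) {
  const dialog = makeDialog(handler);
  dialog.failNext = failFirst;
  for (let i = 0; i < n; i++) dialog.click();
  dialog.drain();
  return dialog;
}
console.log(clickTimes(saveUnguarded, 5).runs, clickTimes(saveDisableFirst, 5).runs);
```

With a failing save, the disable-first handler leaves the button disabled, while the recovery variant lets a later click retry.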
