IP leak from Windows/macOS UI dialog with URI

It is possible for the client IP to leak from the browser and onto the network via the Windows API when prompted with Windows dialog box to select files.

Not entirely sure if this is a bug, but should at least be documented.

Steps to reproduce:

1. Visit a website that provides an upload box.
2. Instead of selecting a file, paste a URI as a file name.
3. The IP is leaked.

This may potentially work with Ctrl+O (Open File) and Ctrl+S (Save Page As).

Tested on Windows 7 and verified with Wireshark.

Trac:
Username: uileak

added TorBrowserTeam201907 component::applications/tor browser owner::arthuredelstein priority::medium reporter::uileak severity::major status::needs-revision tbb-disk-leak tbb-proxy-bypass type::defect labels

Trac:
Username: uileak
Priority: Medium to High

Trac:
Version: Tor: unspecified to N/A
Keywords: IP leak deleted, ip-leak added

Trac:
Keywords: N/A deleted, tbb-proxy-bypass added

Seems like it is undocumented (?) but well known feature for Windows Vista+

Possible workarounds (need to check if they actually works and useful):

1. To use file picker's code for old Windows See comment:8
2. To remove "File name" edit box by IFileDialogCustomize::RemoveControlItem
3. To filter user input on by OnFileOk (nsFilePicker::OnFileOk)

Trac:
Cc: N/A to gk
Severity: Normal to Major
Keywords: N/A deleted, TorBrowserTeam201601 added

More info about another OS/managers:

Gnome Open File dialog used in Ubuntu doesn't support this feature, however, the File Open dialog used in KDE is able to open HTTP URLs. I'm not sure what is the situation with support in other other desktop environments that run on Ubuntu. Just tested this in KDE - indeed, it works in KDE just fine. Nice, I didn't know about this feature.

Gtk disallows URLs by default.

To use ​file picker's code for old Windows Tested those deprecated API, it works but useless. It launches download anyway.

OS X used to allow URLs in some contexts, but now (10.11) appears to disallow URLs in open dialogs.

feature for Windows Vista+

Since Windows XP

In Soviet Mozilla file uploads you.

Reverting this should be about fix this bug?

Thus API involved leaks could be fixed in general by setting proxy per process at start. (by InternetSetOption from urlmon.dll with INTERNET_OPTION_PROXY option with defined INTERNET_PROXY_INFO structure, to /dev/null)

Thus API involved leaks could be fixed in general by setting proxy per process at start.

This approach if alone still leaves disk traces (it writes some information to IE's cache). Fix shouldn't leave any leaks. Proxy option could be helpful still for some unknown yet API-involved leaks, as proactive protection (tbb-disk-leak < tbb-proxy-bypass)

Putting stuff on the radar for February.

Trac:
Keywords: TorBrowserTeam201601 deleted, TorBrowserTeam201602 added

Trac:
Keywords: TorBrowserTeam201602 deleted, TorBrowserTeam201602 GeorgKoppen201602 added

Trac:
Keywords: TorBrowserTeam201602 GeorgKoppen201602 deleted, TorBrowserTeam201602, GeorgKoppen201603 added

Trac:
Keywords: TorBrowserTeam201602 deleted, TorBrowserTeam201603 added

Trac:
Keywords: GeorgKoppen201603 deleted, GeorgKoppen201604 added