Opened 19 months ago

Last modified 21 hours ago

#18101 needs_information defect

IP leak from Windows UI dialog with URI

Reported by: uileak
Owned by: arthuredelstein
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-proxy-bypass, ip-leak, TorBrowserTeam201708R
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It is possible for the client IP to leak from the browser and onto the network via the Windows API when prompted with a Windows dialog box to select files.

Not entirely sure if this is a bug, but should at least be documented.

Steps to reproduce:

  1. Visit a website that provides an upload box.
  2. Instead of selecting a file, paste a URI as a file name.
  3. The IP is leaked.

This may potentially work with Ctrl+O (Open File) and Ctrl+S (Save Page As).

Tested on Windows 7 and verified with Wireshark.

Change History (48)

comment:1 Changed 19 months ago by uileak

Priority: changed from Medium to High

comment:2 Changed 19 months ago by cypherpunks

Keywords: ip-leak added; IP leak removed
Version: Tor: unspecified

comment:3 Changed 19 months ago by cypherpunks

Keywords: tbb-proxy-bypass added

comment:4 Changed 19 months ago by cypherpunks

Seems like it is an undocumented (?) but well-known feature for Windows Vista+

Possible workarounds (need to check if they actually work and are useful):

  1. To use file picker's code for old Windows (see comment:8)
  2. To remove "File name" edit box by IFileDialogCustomize::RemoveControlItem
  3. To filter user input by OnFileOk (nsFilePicker::OnFileOk)

Last edited 19 months ago by cypherpunks

comment:5 Changed 19 months ago by gk

Cc: gk added
Keywords: TorBrowserTeam201601 added
Severity: changed from Normal to Major

comment:6 Changed 19 months ago by cypherpunks

More info about other OSes/managers:

Gnome Open File dialog used in Ubuntu doesn't support this feature, however, the File Open dialog used in KDE is able to open HTTP URLs. I'm not sure what the situation is with support in other desktop environments that run on Ubuntu.
Just tested this in KDE - indeed, it works in KDE just fine. Nice, I didn't know about this feature.

comment:7 Changed 19 months ago by cypherpunks

Gtk disallows URLs by default.

comment:8 Changed 19 months ago by cypherpunks

> To use file picker's code for old Windows

Tested those deprecated APIs; it works but is useless. It launches the download anyway.

comment:9 Changed 19 months ago by teor

OS X used to allow URLs in some contexts, but now (10.11) appears to disallow URLs in open dialogs.

comment:10 Changed 19 months ago by cypherpunks

> feature for Windows Vista+

Since Windows XP

comment:11 Changed 19 months ago by cypherpunks

In Soviet Mozilla file uploads you.

comment:12 Changed 19 months ago by cypherpunks

Reverting this should about fix this bug?

comment:13 Changed 19 months ago by cypherpunks

Thus API involved leaks could be fixed in general by setting proxy per process at start. (by InternetSetOption from urlmon.dll with INTERNET_OPTION_PROXY option with defined INTERNET_PROXY_INFO structure, to /dev/null)

comment:14 Changed 19 months ago by cypherpunks

> Thus API involved leaks could be fixed in general by setting proxy per process at start.

This approach, if used alone, still leaves disk traces (it writes some information to IE's cache). The fix shouldn't leave any leaks. The proxy option could still be helpful for some as-yet-unknown API-involved leaks, as proactive protection (tbb-disk-leak < tbb-proxy-bypass)

comment:15 Changed 19 months ago by gk

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201601 removed

Putting stuff on the radar for February.

comment:16 Changed 19 months ago by gk

Keywords: GeorgKoppen201602 added

comment:17 Changed 18 months ago by gk

Keywords: GeorgKoppen201603 added; GeorgKoppen201602 removed

comment:18 Changed 18 months ago by gk

Keywords: TorBrowserTeam201603 added; TorBrowserTeam201602 removed

comment:19 Changed 17 months ago by gk

Keywords: GeorgKoppen201604 added; GeorgKoppen201603 removed

comment:20 Changed 17 months ago by gk

Keywords: TorBrowserTeam201604 added; TorBrowserTeam201603 removed

comment:21 Changed 16 months ago by gk

Keywords: TorBrowserTeam201605 added; TorBrowserTeam201604 removed

Moving tickets

comment:22 Changed 16 months ago by gk

Keywords: GeorgKoppen201605 added; GeorgKoppen201604 removed

Moving things for me to May.

comment:23 Changed 15 months ago by gk

Keywords: GeorgKoppen201606 added; GeorgKoppen201605 removed

comment:24 Changed 15 months ago by gk

Keywords: TorBrowserTeam201606 added; TorBrowserTeam201605 removed

comment:25 Changed 15 months ago by gk

Owner: changed from tbb-team to gk
Status: changed from new to assigned

comment:26 Changed 14 months ago by gk

Keywords: GeorgKoppen201607 added; GeorgKoppen201606 removed

Moving my tickets

comment:27 Changed 14 months ago by gk

Keywords: TorBrowserTeam201607 added; TorBrowserTeam201606 removed

comment:28 Changed 13 months ago by gk

Keywords: TorBrowserTeam201608 added; TorBrowserTeam201607 removed

Moving items to August 2016.

comment:29 Changed 13 months ago by gk

Keywords: GeorgKoppen201608 added; GeorgKoppen201607 removed

Moving my tickets as well.

comment:30 Changed 12 months ago by gk

Keywords: GeorgKoppen201609 added; GeorgKoppen201608 removed

Moving my tickets

comment:31 Changed 12 months ago by gk

Keywords: TorBrowserTeam201609 added; TorBrowserTeam201608 removed

Tickets for September.

comment:32 Changed 11 months ago by gk

Keywords: GeorgKoppen201610 added; GeorgKoppen201609 removed

Moving my tickets

comment:33 Changed 11 months ago by gk

Keywords: TorBrowserTeam201610 added; TorBrowserTeam201609 removed

Moving tickets to October.

comment:34 Changed 10 months ago by gk

Keywords: GeorgKoppen201611 added; GeorgKoppen201610 removed

Moving my tickets to November.

comment:35 Changed 10 months ago by gk

Keywords: TorBrowserTeam201611 added; TorBrowserTeam201610 removed

Moving tickets over to November.

comment:36 Changed 9 months ago by gk

Keywords: GeorgKoppen201612 added; GeorgKoppen201611 removed

Moving my tickets

comment:37 Changed 8 months ago by gk

Keywords: GeorgKoppen201701 added; GeorgKoppen201612 removed

comment:38 Changed 8 months ago by gk

Keywords: TorBrowserTeam201701 added; TorBrowserTeam201611 removed

comment:39 Changed 7 months ago by gk

Keywords: TorBrowserTeam201702 added; TorBrowserTeam201701 removed

Moving our tickets to Feb 2017.

comment:40 Changed 7 months ago by gk

Keywords: GeorgKoppen201702 added; GeorgKoppen201701 removed

Moving my tickets as well

comment:41 Changed 6 months ago by elisebenine

Could it be something related to the browser's File API? Noticed the same on http://internetvergelijken.nl/ today.

comment:42 Changed 2 weeks ago by gk

Keywords: TorBrowserTeam201708 GeorgKoppen201708 added; TorBrowserTeam201702 GeorgKoppen201702 removed
Priority: changed from High to Very High

comment:43 Changed 2 weeks ago by arthuredelstein

Keywords: GeorgKoppen201708 removed
Owner: changed from gk to arthuredelstein

comment:45 Changed 3 days ago by arthuredelstein

Here's a patch that blocks the use of remote URLs in the open file dialog on Windows:

https://github.com/arthuredelstein/tor-browser/commit/18101

(It essentially reverses the change in https://bugzilla.mozilla.org/show_bug.cgi?id=711654.)

comment:46 Changed 3 days ago by arthuredelstein

Keywords: TorBrowserTeam201708R added; TorBrowserTeam201708 removed
Status: changed from assigned to needs_review

comment:47 Changed 3 days ago by arthuredelstein

I should mention, in the patch in comment:46, I use perfmon /res to confirm that no network requests were made. Without the patch, in unpatched Tor Browser, I see a network request corresponding to the remote URL entered in the open dialog box.
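
A scripted variant of the check described in comment:47 (an added example, not part of the ticket or the patch): it polls the TCP connections owned by the browser process while the file dialog is exercised and reports any remote endpoint that is not loopback. The process name `firefox`, a loopback-only local proxy, and the request originating inside the browser process are assumptions; `Get-NetTCPConnection` needs Windows 8 or later, and DNS over UDP is not covered.

```powershell
# Added example (not from the ticket): report non-loopback TCP connections
# owned by the browser process while the file dialog is being exercised.
param(
    [string]$ProcessName = 'firefox',  # assumption: name of the browser process
    [int]$Seconds        = 60,         # how long to watch
    [int]$IntervalMs     = 200         # polling interval; very short-lived connections can be missed
)

# True when the address parses and is 127.0.0.0/8 or ::1.
function Test-Loopback([string]$Address) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    return [System.Net.IPAddress]::IsLoopback($ip)
}

$seen     = @{}
$deadline = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $deadline) {
    # Re-resolve PIDs on every pass so child processes started later are included.
    $ids = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Id)

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object {
            $ids -contains $_.OwningProcess -and
            [string]$_.State -notin 'Listen', 'Bound' -and
            -not (Test-Loopback $_.RemoteAddress)
        } |
        ForEach-Object {
            # Report each (pid, remote address, remote port) only once.
            $key = '{0}|{1}|{2}' -f $_.OwningProcess, $_.RemoteAddress, $_.RemotePort
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                [pscustomobject]@{
                    Time          = Get-Date -Format 'HH:mm:ss.fff'
                    ProcessId     = $_.OwningProcess
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                    State         = $_.State
                }
            }
        }
    Start-Sleep -Milliseconds $IntervalMs
}

if ($seen.Count -eq 0) {
    "No non-loopback TCP connections observed for '$ProcessName' in $Seconds s."
}
```

An empty result only shows that nothing was caught by polling; a packet capture, as used in the original report, remains the stronger confirmation.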

comment:48 Changed 21 hours ago by gk

Status: changed from needs_review to needs_information

Arthur: What do we want to do for XP (see comment:10)? And could you verify that other Tor Browser platforms are unaffected? comment:7 seems to point this out for Linux. See comment:9 for macOS.
