Opened 4 years ago

Last modified 4 years ago

#18340 new enhancement

Make sure the controller password used in Torbutton is conforming to the spec

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-torbutton
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

var auth_cmd = "AUTHENTICATE "+m_tb_control_pass+"\r\n";

is basically just taking m_tb_control_pass and passing it along to tor. We should do some checks that it is actually conforming to the spec (it must be comprised of HEXIDIGITs or be a QuotedString).

Child Tickets

Change History (1)

comment:1 Changed 4 years ago by gk

Cc: arthuredelstein added

And, FWIW, this has implications for code concerning the circuit display as well as the password used is just passed on to it.

Note: See TracTickets for help on using tickets.