Opened 4 years ago

Closed 5 months ago

Last modified 5 months ago

#18588 closed defect (duplicate)

Downloader writes file to $TMPDIR without consent

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-disk-leak
Cc: Actual Points:
Parent ID: #7449 Points:
Reviewer: Sponsor:


I'm using hardened tor browser a6. I expected it will not store metadata of my browser usage without consent. Under the general prefs I've said "always ask me where to save files". But I ran strace and saw it was saving to $TMPDIR while the directory selector popup was visible.

OK, I said "automatically download files from now on" on an earlier dialog but to me that implied "according to my settings", and if I say "ask me" I expect it to not write anywhere other than selected. My default "download" directory is symlinked to an encrypted filesystem, but that's not even where it went by default! (And note that because I've clicked "automatically" and told Firefox to always download rather than open, a site can cause this to happen automatically by sending me certain mimetypes.)

I guess I was clever because I'd pointed $TMPDIR to a tmpfs in anticipation of stuff like this (from *other* programs, ones that aren't security-focused), and of course my swap is encrypted with a random key. But Debian doesn't have it as a default configuration (yet?).

Please don't write anything to disk until a directory is selected. Until that's done, setting $TMPDIR to $XDG_RUNTIME_DIR/tbb/ in the startup script would reduce the risks (space usage could be a problem, and $XDG_RUNTIME_DIR might be unset if the user's not using systemd).

Child Tickets

Change History (7)

comment:1 Changed 4 years ago by cypherpunks

Version is actually 6.0a4.

comment:2 Changed 4 years ago by cypherpunks

Sorry. version was 6.0a4.

comment:3 Changed 4 years ago by cypherpunks

Keywords: tbb-disk-leak added

#7449 related

comment:4 Changed 4 years ago by gk

Resolution: fixed
Status: newclosed

Duplicate of #7449.

comment:5 Changed 5 months ago by arma

Resolution: fixed
Status: closedreopened

(was never fixed, getting the right resolution in place)

comment:6 Changed 5 months ago by arma

Resolution: duplicate
Status: reopenedclosed

comment:7 Changed 5 months ago by arma

Parent ID: #7449
Note: See TracTickets for help on using tickets.