Tor bundle: Special characters not escaped in proxy password

First of all, the proxy password (if any) is stored plain-text in the torc file (\Browser\TorBrowser\Data\Tor\torrc)......

Using the pound character "#" inside the proxy password (line HTTPSProxyAuthenticator) will not save anything which is after the pound character (including the character). Some companies have a strict policy regarding passwords therefore it is required to use such characters (unfortunately I managed to get to this character as well, forced by the password expiry policy + old password policy).

This is also reproducible with version 7.5 (2018-01-23 build) of Tor bundle.

Currently I am unable to use Tor on my PC with my user+password.

Is there an easy fix? Are there some escape characters?

Trac:
Username: ro0ter

added TorBrowserTeam201802R component::applications/tor launcher owner::brade priority::medium reporter::ro0ter resolution::fixed severity::major status::closed tbb-backported type::defect labels

some log excerpt caused by wrong proxy password:

1/30/2018 15:26:35 PM.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 1/30/2018 15:26:35 PM.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 1/30/2018 15:26:35 PM.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 1/30/2018 15:26:35 PM.700 [NOTICE] Opening Socks listener on xx.xx.xx.xx:xxx 1/30/2018 15:26:36 PM.600 [NOTICE] Bootstrapped 5%: Connecting to directory server 1/30/2018 15:26:36 PM.600 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 1/30/2018 15:26:36 PM.800 [WARN] The https proxy sent back an unexpected status code 407 ("Proxy Authentication Required"). Closing. 1/30/2018 15:26:36 PM.800 [WARN] Proxy Client: unable to connect to xx.xx.xx.xx:xxx 1/30/2018 15:26:37 PM.600 [WARN] The https proxy sent back an unexpected status code 407 ("Proxy Authentication Required"). Closing. 1/30/2018 15:26:37 PM.600 [WARN] Proxy Client: unable to connect to xx.xx.xx.xx:xxx 1/30/2018 15:26:37 PM.700 [WARN] The https proxy sent back an unexpected status code 407 ("Proxy Authentication Required"). Closing.

[ ... ]

1/30/2018 15:27:36 PM.900 [WARN] Proxy Client: unable to connect to xx.xx.xx.xx:xxx 1/30/2018 15:27:46 PM.900 [WARN] The https proxy sent back an unexpected status code 407 ("Proxy Authentication Required"). Closing. 1/30/2018 15:27:46 PM.900 [WARN] Proxy Client: unable to connect to xx.xx.xx.xx:xxx

Trac:
Username: ro0ter
Component: - Select a component to Applications/Tor Browser
Owner: N/A to tbb-team

How are you configuring the proxy? Are you changing the torrc file directly? I am asking as Tor Browser lets you configure your HTTP proxy directly during start-up.

Trac:
Status: new to needs_information

I am using the start-up dialog.

I also tried changing the torrc file directly, but after startup and editing configuration, the password gets truncated in the same place..

For instance, authentication "usr:!2#pas$word" becomes "usr:!2".......

Trac:
Username: ro0ter

really, just do this test:

1. start tor, click cancel in the initial dialog (be fast if you have direct connection)
2. click configure, type some ip/port for the proxy and add a user and a password (the password must contain the pound/hashtag character)
3. save the proxy settings by allowing it to connect agian
4. close tor
5. inspect the configuration file.......

Trac:
Username: ro0ter

If you look at the torrc spec (https://gitweb.torproject.org/tor.git/tree/doc/torrc_format.txt) then you'll see that # is only used for comments right now. So, this seems to be a Tor core bug.

Trac:
Cc: N/A to mcs, brade
Status: needs_information to new
Component: Applications/Tor Browser to Core Tor/Tor

Please classify this defect as required.

Looking forward for its fix...

Thank you!

NOTE: it would be nice if neither the user nor the password are stored in clear text... Hint: xtea?

Trac:
Username: ro0ter

R.e. how to handle the '#' character, here is a question for the network team: how should Tor Launcher encode '#" characters when it issues a SETCONF command? Maybe \23 or enclose the value in double quotes?

Using a QuotedString: https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n90

If "#" doesn't work, let us know, we might have a bug.

Looking at

const kSafeCharRE = /^[\x21\x23-\x7E]*$/;

in _strEscape() we should try to see if that's a TorLauncher bug first, I guess.

Trac:
Component: Core Tor/Tor to Applications/Tor Launcher

Trac:
Owner: tbb-team to brade
Status: new to assigned
Cc: mcs, brade to mcs

Here is a fix: https://gitweb.torproject.org/user/brade/tor-launcher.git/commit/?h=bug25089-01&id=fa8590a497b492f6da62bbf7009735a17e17ec21

ro0ter, you can work around this bug by editing the torrc file that is part of your Tor Browser installation. You will want to ensure that your torrc includes lines that look like the following: HTTPSProxy 1.2.3.4:80 HTTPSProxyAuthenticator "mcs:secret#1" The HTTPSProxy value should be host:port and the value for HTTPSProxyAuthenticator should be "username:password".

Note that if you later use our GUI to make changes, your manual changes will be overwritten.

Trac:
Status: assigned to needs_review
Keywords: N/A deleted, TorBrowserTeam201802R added

Thanks. Merge to master (commit fa8590a497b492f6da62bbf7009735a17e17ec21). I think the change is small enough that we'll include it directly in the next stable as well.

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

mcs, I cant make it work since the tor launcher detects my change and does not agree... Id rather not attach a screenshot, not useful, but here`s the text:

:: Connect to Tor :: Tor|Browser

You have configured Tor bridges or you have entered local proxy settings. To make a direct connection to the Tor network, these settings must be removed.

[ < Back ] [ Remove Settings and Connect ]

For assistance, visit torproject.org/about/contact.html#support

                  [ Exit ]

Trac:
Username: ro0ter

One more question: what about password containing both double quotes and pound?

Trac:
Username: ro0ter

Replying to ro0ter:

mcs, I cant make it work since the tor launcher detects my change and does not agree... Id rather not attach a screenshot, not useful, but here`s the text: ...

I forgot that you will be prompted (since you have not previously connected). To avoid the prompt, set extensions.torlauncher.prompt_at_startup to false by ensuring that the following line in present in your prefs.js file: user_pref("extensions.torlauncher.prompt_at_startup", false); The prefs.js file is located in your browser profile. The path is `Browser\TorBrowser\Data\Browser\profile.default\prefs.js.

Replying to ro0ter:

One more question: what about password containing both double quotes and pound? Our code already knew how to escape double quotes. You can use \" to include them in your torrc, e.g., HTTPSProxyAuthenticator "mcs:secret"quote"#1"

The extensions.torlauncher.prompt_at_startup inside the prefs.js file is what I was missing, thank you mcs :)

I hereby validate the fix as well, now I won't have to ask colleagues for their proxy usr/pwd anymore :)

Good work! Thank you very much!

Trac:
Username: ro0ter

Trac:
Keywords: N/A deleted, tbb-backport added

That's commit fa8590a497b492f6da62bbf7009735a17e17ec21 on maint-0.2.14 and will be available in 7.5.1.

Trac:
Keywords: tbb-backport deleted, tbb-backported added

closed

moved to tpo/applications/tor-launcher#25089 (closed)