Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#26451 closed defect (fixed)

HTTPS-Everywhere freezes the browser when entering URLs like ./a.

Reported by: gk Owned by: legind
Priority: High Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere Version:
Severity: Major Keywords: TorBrowserTeam201806R
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Starting with the latest HTTPS-Everywhere update (2018.6.13) the browser freezes when URLs like ./a. are entered into the URL bar. davtur19 reported this bug via our HackerOne bug bounty program to us and suggested that this is even exploitable by web content doing things like <meta http-equiv="refresh" content="0;URL=http://./a.">

Change History (5)

comment:2 Changed 3 months ago by legind

A new release, 2018.6.21, has been made. Any Tor Browser which updates add-ons from within the browser will no longer be vulnerable. A new tag has been pushed, 2018.6.21, which matches this release.

comment:3 in reply to:  2 Changed 3 months ago by arthuredelstein

Keywords: TorBrowserTeam201806R added
Status: new → needs_review

Replying to legind:

A new release, 2018.6.21, has been made. Any Tor Browser which updates add-ons from within the browser will no longer be vulnerable. A new tag has been pushed, 2018.6.21, which matches this release.

Thanks! I have a patch updating the HTTPS-E hash in our build here:
https://github.com/arthuredelstein/tor-browser-build/commits/26451

comment:4 Changed 3 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks all! I merged Arthur's patch to maint-7.5 (commits 1c472c7aeff5f81b1d8e8357e37168520d14a36a and 74af3e0e1432b956c11ee95d32eb68dc968fe209) and created a -build4 tag.

comment:5 Changed 3 months ago by cypherpunks

Impressive response time tho
