Don't allow the user to install extensions from web
Tor browser for Android doesn't verify if the torbutton extension has a signature to install it. Thus, if someone sends a tampered torbutton extension to the user, they can install it.
Activity
I think for the alpha, the proposed patch is a good solution until we figure out a final one.
Trac:
Cc: N/A to sysrqb, gk
Status: new to needs_review
Thanks, this works for me on a fresh build. I am not sure why just adding the prefs does nothing, though. Applied to
tor-browser-60.1.0esr-8.0-1as commit a0620db9e7cd08e3d67a42d0c5b1067d5b3ed355.Trac:
Resolution: N/A to fixed
Keywords: N/A deleted, tbb-mobile, TorBrowserTeam201808R added
Status: needs_review to closed-
igt0, sysrqb: could anyone of you open a follow-up ticket with a plan for fixing the underlying issue better. FWIW: https://bugzilla.mozilla.org/show_bug.cgi?id=1464766 landed in esr60 and might be a thing to consider here.
-
Replying to gk:
igt0, sysrqb: could anyone of you open a follow-up ticket with a plan for fixing the underlying issue better. FWIW: https://bugzilla.mozilla.org/show_bug.cgi?id=1464766 landed in esr60 and might be a thing to consider here.
I opened #27762 (moved) for that.
mentioned in issue #27762 (moved)
mentioned in issue #28059 (moved)
mentioned in issue tpo/applications/tor-browser#27762 (closed)
