Opened 4 weeks ago

Closed 4 weeks ago

Last modified 36 hours ago

#27271 closed defect (fixed)

Don't allow the user to install extensions from web

Reported by: igt0
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: TorBrowserTeam201808R, tbb-mobile
Cc: sysrqb, gk, dmr
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Tor Browser for Android doesn't verify whether the torbutton extension has a signature before installing it.
Thus, if someone sends a tampered torbutton extension to the user, they can install it.

Child Tickets

Change History (10)

comment:1 Changed 4 weeks ago by igt0

Cc: sysrqb gk added
Status: new → needs_review

I think for the alpha, the proposed patch is a good solution until we figure out a final one.

https://trac.torproject.org/projects/tor/attachment/ticket/27271/0001-Bug-27271-Don-t-allow-the-user-to-install-extensions.patch

comment:2 Changed 4 weeks ago by dmr

Cc: dmr added

comment:3 Changed 4 weeks ago by gk

Cc: dmr removed

Okay, just setting the pref after start-up and restarting still allows me to install extensions. I need to make a clean build to verify that, I guess.

comment:4 Changed 4 weeks ago by gk

Cc: dmr added

comment:6 Changed 4 weeks ago by gk

Keywords: TorBrowserTeam201808R tbb-mobile added
Resolution: fixed
Status: needs_review → closed

Thanks, this works for me on a fresh build. I am not sure why just adding the prefs does nothing, though. Applied to tor-browser-60.1.0esr-8.0-1 as commit a0620db9e7cd08e3d67a42d0c5b1067d5b3ed355.

comment:7 Changed 4 weeks ago by gk

igt0, sysrqb: could one of you open a follow-up ticket with a plan for fixing the underlying issue better? FWIW: https://bugzilla.mozilla.org/show_bug.cgi?id=1464766 landed in esr60 and might be a thing to consider here.

comment:8 in reply to: 7 Changed 36 hours ago by gk

Replying to gk:

igt0, sysrqb: could one of you open a follow-up ticket with a plan for fixing the underlying issue better? FWIW: https://bugzilla.mozilla.org/show_bug.cgi?id=1464766 landed in esr60 and might be a thing to consider here.

I opened #27762 for that.
