Opened 6 years ago

Last modified 7 months ago

#3974 new enhancement

Disable flash's "allow cookies" pref somehow

Reported by: erinn
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: mikeperry, ioerror, sjmurdoch, erinn, shondoit@…
Actual Points:
Parent ID: #7008
Points:
Reviewer:
Sponsor:

Description

This is more of an exploratory topic than a demand.

Mike and I have been investigating the safeness of using flash on various platforms for TBB, and during the tests on Windows we found out that all of the Flash LSOs (i.e., supercookies) are stored in %APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\ on Windows and ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/ on Linux.

In the testing on Linux, we discovered that it was possible to create an opt-out LSO called settings.sol which would prevent the creation of other Flash cookies (you can recreate one yourself by going to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html). It's easy to put this on Linux since we reset $HOME in the Linux TBB, and it is probably also easy to do it for OSX since we do the same thing there.

Mike wrote a patch for the Windows TBB launcher (see here: https://gitweb.torproject.org/mikeperry/torbrowser.git/shortlog/refs/heads/appdata-haxx).

However, in my investigations, I also discovered some Qt functionality that might do what we want in a saner cross-platform way:

http://doc.trolltech.com/4.6/qsettings.html#setPath
http://doc.trolltech.com/4.6/qdesktopservices.html#storageLocation

Would it be crazy to try resetting this? If it works it would prevent all sorts of data from being written to the wrong place. Is it already in use? I looked through MainWindow.cpp a bit, but not extensively, so this may be redundant.

Attachments (1)

appdata.patch (482 bytes) - added by chiiph 6 years ago.
Add APPDATA env var

Change History (20)

comment:1 Changed 6 years ago by erinn

  • Cc mikeperry added

comment:2 Changed 6 years ago by mikeperry

  • Cc ioerror sjmurdoch added

ioerror: Can you take a quick look at my version of this? Your name is on the file that I hacked + the git blame. My main concern about my approach is the effective current working directory of the exe if it is called as a shortcut or something similar. Based on the existing code, it looks as if the CWD should be the TBB folder regardless, but just in case...

sjmurdoch: adding you, too. Erinn thinks you might have had a hand in this beast.

My version is at:
https://gitweb.torproject.org/mikeperry/torbrowser.git/blob/886a26e5c850231012d537ffdec8f035b45dbe9a:/src/RelativeLink/RelativeLink.c

comment:3 Changed 6 years ago by mikeperry

Turns out that MacOS also has the same problem: flash does NOT respect $HOME. It manages to find the home directory and write to it regardless of the value of $HOME.

So perhaps we do want the vidalia+qt solution here (if the qt stuff will actually work on both MacOS and Windows).

comment:4 follow-up: Changed 6 years ago by chiiph

If flash doesn't respect $HOME or whatever env var it's supposed to use, how is qt or vidalia supposed to help here? It seems to me that the problem is flash, and we should be looking at a way of sandboxing it or something.

Or maybe I'm not understanding the issue right.

comment:5 in reply to: ↑ 4 ; follow-up: Changed 6 years ago by mikeperry

Replying to chiiph:

If flash doesn't respect $HOME or whatever env var it's supposed to use, how is qt or vidalia supposed to help here? It seems to me that the problem is flash, and we should be looking at a way of sandboxing it or something.

Well yeah, the Qt route is the hail mary play of "test and/or read the Qt source code to see if they solved the problem some other way for MacOS". For example, the portable apps forums are filled with posts of people saying that on windows you can set $APPDATA (ie $HOME+"/Data", more or less) and it will work. However, it appears that some apps can query the kernel/runtime for an alternate version of appdata using SHGetFolderPath(). This appears to be fixable by calling SHSetFolderPath(), as I did in my windows launcher patch. http://msdn.microsoft.com/en-us/library/bb762247(v=VS.85).aspx

So the next step is determining if the Qt people know something we don't about MacOS. If they do, then we should clearly use them for both platforms. If they don't, then we should figure out an alternate hack for MacOS and use both independently.

comment:6 in reply to: ↑ 5 ; follow-up: Changed 6 years ago by rransom

Replying to mikeperry:

However, it appears that some apps can query the kernel/runtime for an alternate version of appdata using SHGetFolderPath(). This appears to be fixable by calling SHSetFolderPath(), as I did in my windows launcher patch. http://msdn.microsoft.com/en-us/library/bb762247(v=VS.85).aspx

According to that page, SHSetFolderPath writes the new path into the system registry permanently for all programs to use.

comment:7 in reply to: ↑ 6 Changed 6 years ago by mikeperry

Replying to rransom:

Replying to mikeperry:

However, it appears that some apps can query the kernel/runtime for an alternate version of appdata using SHGetFolderPath(). This appears to be fixable by calling SHSetFolderPath(), as I did in my windows launcher patch. http://msdn.microsoft.com/en-us/library/bb762247(v=VS.85).aspx

According to that page, SHSetFolderPath writes the new path into the system registry permanently for all programs to use.

I hate everything. Good catch.

Then it's either Qt to the rescue here, too, or we do something ugly like drop in a DLL that implements SHGetFolderPathW and SHGetFolderPath and returns our cwd + data...

I really want this fucker to not store LSOs before we allow people to enable it. I mean, that's the least it could do. Fucking piece of garbage.

comment:8 Changed 6 years ago by mikeperry

  • Milestone set to TorBrowserBundle 2.2.x-stable

Setting the milestone because I really want to get flash at least safe enough for people to selectively enable on trusted sites on at least Windows and Linux in the 2.2.x release. I'm still not convinced that this is impossible. $APPDATA may work by itself, we still have not tested it on Windows. Or maybe the Qt people have insight. If all of that fails, then we try DLL injection. It's just one system call. I refuse to let it stop us.

Changed 6 years ago by chiiph

Add APPDATA env var

comment:9 Changed 6 years ago by chiiph

There's a patch for vidalia to make it set APPDATA to $pwd/Data, you can easily change it to set any env to any arbitrary value.

comment:10 Changed 5 years ago by mikeperry

Any windows users want to test this patch? Otherwise we need to wait on TBB 2.3.x before we have any testing TBB builds that would include it.

comment:11 Changed 5 years ago by mikeperry

  • Cc erinn added

Erinn - Can we not make this block on waiting for 2.3.x builds? There seems no reason for it to do so. We should test it in a random Windows build, see if it works, and then apply it in a 2.2.x release if it does, so we can move forward on testing+deploying a LSO-free click-to-play flash.

comment:12 Changed 5 years ago by Shondoit

  • Cc shondoit@… added

comment:13 Changed 5 years ago by Shondoit

Unfortunately chiiph's patch does not work.
All it does is change the Process Environment Variable, however, SHGetFolderPath does not use this variable, but uses the registry: "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"

I did find an interesting read on API hooks, injections, etc. which contains quite some information. - http://codeproject.com/KB/system/hooksys.aspx
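An added example, not part of the ticket or any participant's code: one way to test whether a redirect such as the APPDATA patch actually keeps Flash LSOs inside the bundle, by snapshotting `.sol` files under the real profile before a session and diffing afterwards. The function names and the `bundle_profile` argument are assumptions, and only the Windows and Linux locations quoted in the ticket are covered.

```python
"""Audit where Flash wrote LSOs (.sol files) after a Tor Browser session."""
import os
from pathlib import Path

# Flash data roots relative to the profile directory, from the ticket text:
# %APPDATA%\Macromedia\Flash Player (Windows), ~/.macromedia/Flash_Player (Linux).
FLASH_ROOTS = {"windows": Path("Macromedia", "Flash Player"),
               "posix": Path(".macromedia", "Flash_Player")}
# Opt-out LSO described in the ticket, relative to the Flash root.
SETTINGS_SOL = Path("macromedia.com/support/flashplayer/sys/settings.sol")

def flash_root(profile_dir, platform):
    return Path(profile_dir) / FLASH_ROOTS[platform]

def snapshot(profile_dir, platform):
    """Map every .sol file under the Flash root to (mtime_ns, size)."""
    root, found = flash_root(profile_dir, platform), {}
    if root.is_dir():
        for path in root.rglob("*.sol"):
            st = path.stat()
            found[path.relative_to(root)] = (st.st_mtime_ns, st.st_size)
    return found

def has_optout(profile_dir, platform):
    """True if the opt-out settings.sol is present in this profile."""
    return (flash_root(profile_dir, platform) / SETTINGS_SOL).is_file()

def audit(real_profile, bundle_profile, before, platform):
    """Return (leaked, contained) after a session.

    leaked: .sol files in the real profile that are new or changed since
    `before` (the redirect failed); contained: .sol files in the bundle.
    """
    after = snapshot(real_profile, platform)
    leaked = sorted(p.as_posix() for p, meta in after.items()
                    if before.get(p) != meta)
    contained = sorted(p.as_posix() for p in snapshot(bundle_profile, platform))
    return leaked, contained

if __name__ == "__main__":
    # Assumption: run from a normal shell, once before and once after a session.
    platform = "windows" if os.name == "nt" else "posix"
    profile = os.environ.get("APPDATA", Path.home()) if os.name == "nt" else Path.home()
    for rel in sorted(snapshot(profile, platform)):
        print(rel)
```

A non-empty `leaked` list means Flash resolved the profile directory through some route other than the redirected variable, which is the failure described in this comment.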

comment:14 Changed 5 years ago by mikeperry

  • Component changed from Vidalia to Tor Browser
  • Owner changed from chiiph to mikeperry
  • Summary changed from set %APPDATA% in Vidalia for TBB to Disable flash's "allow cookies" pref somehow

comment:15 Changed 4 years ago by arma

  • Parent ID set to #7008

comment:16 Changed 4 years ago by mikeperry

There's another file other than settings.sol called mms.cfg we could use, but it seems even more system-wide than settings.sol. I bet Flash also uses a registry key on Windows to determine its location.

http://www.ghacks.net/2010/09/07/enforce-global-flash-player-security-and-privacy-settings/

comment:17 Changed 3 years ago by erinn

  • Keywords tbb-firefox-patch added

comment:18 Changed 3 years ago by erinn

  • Component changed from Firefox Patch Issues to Tor Browser
  • Owner changed from mikeperry to tbb-team

comment:19 Changed 7 months ago by bugzilla

  • Keywords tbb-firefox-patch removed
  • Milestone TorBrowserBundle 2.2.x-stable deleted
  • Severity set to Normal

This is more of an exploratory topic

Switch from "Allow" to "Ask" or "Block" in Flash Player Settings Manager and even Delete All after it. What else to explore?
