Opened 8 years ago

Closed 8 years ago

#4517 closed defect (fixed)

drag-n-drop bypasses tor on Unity

Reported by: cypherpunks Owned by: mikeperry
Priority: Very High Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords: MikePerryIteration20111211
Cc: g.koppen@…, rransom, aagbsn Actual Points: 8
Parent ID: Points: 8
Reviewer: Sponsor:

Description

Requests for drag-and-drop thumbnails in Tor Browser is not sent through the Tor network, but instead plain-text HTTP request.

How to reproduce:

  • Download and start Tor Browser Bundle version 2.2.34-2 (current, this one)
  • Start up Wireshark and start logging your network interactively
  • Using the Tor Browser, visit "www.gnome.org" (or any other HTTP site)
  • See Wireshark sending all traffic encrypted to various Tor nodes
  • When the site have loaded, drag the big image on the site
  • See Wireshark logging a DNS request for "www.gnome.org" with reply
  • See Wireshark logging a HTTP HEAD request for

"/wp-content/uploads/2011/09/gnome-3.2.png" on host "www.gnome.org",
sending this directly unencrypted to the IP returned from the DNS request.

Child Tickets

Attachments (2)

torbutton-1.4.4.1+bug4517.xpi (779.8 KB) - added by mikeperry 8 years ago.
Potential fix
torbutton-1.4.4.1+bug4517-2.xpi (780.2 KB) - added by mikeperry 8 years ago.
Try 2

Download all attachments as: .zip

Change History (20)

comment:1 Changed 8 years ago by rransom

Cc: erinn ioerror phobos Sebastian added
Priority: normalblocker
Status: newneeds_information

I can't reproduce this with TBB for Linux. I tried dragging the image over TBB-Firefox, Nautilus, and Emacs (GNU Emacs with the Lucid interface), and dropping the image on TBB-Firefox, and didn't see any DNS or HTTP traffic.

Which OS are you using? Did you drag the image over a program other than TBB-Firefox?

comment:2 in reply to:  1 ; Changed 8 years ago by cypherpunks

Replying to rransom:

I can't reproduce this with TBB for Linux. I tried dragging the image over TBB-Firefox, Nautilus, and Emacs (GNU Emacs with the Lucid interface), and dropping the image on TBB-Firefox, and didn't see any DNS or HTTP traffic.

Which OS are you using? Did you drag the image over a program other than TBB-Firefox?

OS: Ubuntu 11.10, with all updates installed.
Tor Browser Bundle was installed by unpacking to a new clean folder. And I have verified the signature.
32-bit version of everything.

And no, merely beginning to drag the image makes it send the DNS and HTTP request, before I get to drag it anywhere or drop it.

comment:3 in reply to:  2 ; Changed 8 years ago by aagbsn

I can partially confirm this behavior

Replying to cypherpunks:

Replying to rransom:

I can't reproduce this with TBB for Linux. I tried dragging the image over TBB-Firefox, Nautilus, and Emacs (GNU Emacs with the Lucid interface), and dropping the image on TBB-Firefox, and didn't see any DNS or HTTP traffic.

Which OS are you using? Did you drag the image over a program other than TBB-Firefox?

OS: Ubuntu 11.10, with all updates installed.

Ubuntu 11.10 64-bit. Not all updates are installed.

Tor Browser Bundle was installed by unpacking to a new clean folder. And I have verified the signature.
32-bit version of everything.

64-bit version here.

And no, merely beginning to drag the image makes it send the DNS and HTTP request, before I get to drag it anywhere or drop it.

I have to drag the pic to the desktop before the DNS and HTTP request occur. I noticed that dragging the pic to a text console copies the image URL.

comment:4 in reply to:  3 ; Changed 8 years ago by aagbsn

Replying to aagbsn:

I can partially confirm this behavior

Replying to cypherpunks:

Replying to rransom:

I can't reproduce this with TBB for Linux. I tried dragging the image over TBB-Firefox, Nautilus, and Emacs (GNU Emacs with the Lucid interface), and dropping the image on TBB-Firefox, and didn't see any DNS or HTTP traffic.

Which OS are you using? Did you drag the image over a program other than TBB-Firefox?

OS: Ubuntu 11.10, with all updates installed.

Ubuntu 11.10 64-bit. Not all updates are installed.

I updated and tried again.

Tor Browser Bundle was installed by unpacking to a new clean folder. And I have verified the signature.
32-bit version of everything.

64-bit version here.

And no, merely beginning to drag the image makes it send the DNS and HTTP request, before I get to drag it anywhere or drop it.

I have to drag the pic to the desktop before the DNS and HTTP request occur. I noticed that dragging the pic to a text console copies the image URL.

I tried dragging and hovering the image over a few different applications (terminals, wireshark, firefox, file browser, and the desktop) and was not able to recreate this issue by just hovering.

I tested with images-as-links as well as plain images (e.g. right-click and select 'view image', then try to drag that somewhere)

Can you confirm that these steps should reproduce the issue?

comment:5 Changed 8 years ago by gk

Cc: g.koppen@… added

comment:6 in reply to:  4 ; Changed 8 years ago by cypherpunks

Replying to aagbsn:

Replying to aagbsn:

I can partially confirm this behavior

Replying to cypherpunks:

Replying to rransom:

I can't reproduce this with TBB for Linux. I tried dragging the image over TBB-Firefox, Nautilus, and Emacs (GNU Emacs with the Lucid interface), and dropping the image on TBB-Firefox, and didn't see any DNS or HTTP traffic.

Which OS are you using? Did you drag the image over a program other than TBB-Firefox?

OS: Ubuntu 11.10, with all updates installed.

Ubuntu 11.10 64-bit. Not all updates are installed.

I updated and tried again.

Tor Browser Bundle was installed by unpacking to a new clean folder. And I have verified the signature.
32-bit version of everything.

64-bit version here.

And no, merely beginning to drag the image makes it send the DNS and HTTP request, before I get to drag it anywhere or drop it.

I have to drag the pic to the desktop before the DNS and HTTP request occur. I noticed that dragging the pic to a text console copies the image URL.

I tried dragging and hovering the image over a few different applications (terminals, wireshark, firefox, file browser, and the desktop) and was not able to recreate this issue by just hovering.

I tested with images-as-links as well as plain images (e.g. right-click and select 'view image', then try to drag that somewhere)

Can you confirm that these steps should reproduce the issue?

I tried switching to "Ubuntu 2D" during the log in and repeated the steps, but this time no DNS or HTTP request was made. I switched back to the normal Ubuntu desktop (unity) and now both DNS and HTTP request was made as soon as I begun dragging the image.

Apparently it depends on which window manager or other applications that are running.

comment:7 in reply to:  6 Changed 8 years ago by aagbsn

Replying to cypherpunks:

I tried switching to "Ubuntu 2D" during the log in and repeated the steps, but this time no DNS or HTTP request was made. I switched back to the normal Ubuntu desktop (unity) and now both DNS and HTTP request was made as soon as I begun dragging the image.

Apparently it depends on which window manager or other applications that are running.

Yep. I can confirm this is the case. I installed VirtualBox extensions (to get 3d support) and can verify that as soon as I drag a picture, the dns+http request bypasses Tor.

comment:8 Changed 8 years ago by mikeperry

There also appears to be an issue where you can also get proxy bypass even without using Unity when you release the dragged image into any non-Tor apps that decide to treat it as a url and download it. At least on my system.

Does this mean we should break these urls? Turn them into tor:// and tors:// urls? Or remove Drag and Drop entirely? Something tells me Unity might be dumb enough to still do a non-tor DNS query even without a valid scheme...

comment:9 in reply to:  8 Changed 8 years ago by aagbsn

Replying to mikeperry:

There also appears to be an issue where you can also get proxy bypass even without using Unity when you release the dragged image into any non-Tor apps that decide to treat it as a url and download it. At least on my system.

Does this mean we should break these urls? Turn them into tor:// and tors:// urls? Or remove Drag and Drop entirely? Something tells me Unity might be dumb enough to still do a non-tor DNS query even without a valid scheme...

What about other url types? ftp://?
Can drag-n-drop be proxied by rewriting the URL to file:// in the browser cache?

comment:10 Changed 8 years ago by mikeperry

We don't use a disk cache by default..

Btw, do either of you guys have any ubuntu system addons installed? I am wondering how it is that unity is intercepting the drag event before the image is dropped anywhere... This could be a symptom of #2255 for the Unity crowd.

comment:11 in reply to:  10 Changed 8 years ago by cypherpunks

Replying to mikeperry:

We don't use a disk cache by default..

Btw, do either of you guys have any ubuntu system addons installed? I am wondering how it is that unity is intercepting the drag event before the image is dropped anywhere... This could be a symptom of #2255 for the Unity crowd.

If you mean system wide browser add-ons/plugins, nothing installed besides what is in the default installation. Also, no plugins and only the extensions "HTTPS Everywhere", "Torbutton" and "NoScript" show up in Tools->Add-ons.

Isn't it the window manager that handles all drag requests? For example when you drag something all the application launcher icons change color depending on if they accept the object dragged or not.

comment:12 Changed 8 years ago by mikeperry

Cc: erinn ioerror phobos Sebastian removed
Keywords: MikePerryIteration20111211 added
Points: 8
Priority: blockercritical
Status: needs_informationaccepted

This is at best going to require XPCOM hooks, at worst it will require a patch to Firefox..

comment:13 Changed 8 years ago by mikeperry

Cc: rransom added

Ok.. some good news and some bad news..

Good news is I can intercept this in XPCOM and pop up a dialog before the drag begins.

The bad news is that if you click OK on the dialog, you lose the object you were dragging.. Unless you use the keyboard to accept the dialog...

Does this mean we just disable drag and drop entirely and call it a day?

comment:14 Changed 8 years ago by mikeperry

Summary: drag-n-drop bypasses tordrag-n-drop bypasses tor on Unity

Out of curiosity, can any Ubuntu Unity users please tell me if proxy bypass happens when you drag a normal url? The codepaths appear to be the same in XPCOM.

Changed 8 years ago by mikeperry

Potential fix

comment:15 Changed 8 years ago by mikeperry

Cc: aagbsn added

Ok, after banging on this for a while, it seems that most methods of disabling image drag and drop also break the ability to move tabs around, and to drag links between TBB tabs and windows.

However, it looks that if we override the aActionType parameter to always be 0, we can still allow in-Firefox drags while blocking drags to other apps. Hurray!

The question is, does Unity give us the reach-around and manage to find the url still?

Can anyone who has a Unity setup please test the attached XPI with wireshark and image+url dragging?

comment:16 Changed 8 years ago by aagbsn

You're not going to like this, but Unity 3D does reach around this fix.

Changed 8 years ago by mikeperry

Try 2

comment:17 Changed 8 years ago by aagbsn

mikeperry saves the day. this one doesn't leak when I test image+url dragging. nice job!

comment:18 Changed 8 years ago by mikeperry

Actual Points: 8
Resolution: fixed
Status: acceptedclosed
Note: See TracTickets for help on using tickets.