TorBrowser creates temp files in Linux /tmp & Windows %temp% and OSX(various places) during the file downloads dialog & when using internal browser video player
- Open a webpage with downloadable links (http://arxiv.org/abs/1207.5216 for example).
- Select file to download (pdf for example: http://arxiv.org/pdf/1207.5216v2).
- See the dialog:
External application is needed to handlewith two buttons:launchandcancel. - Only launch is available to start download. Select it.
- Second dialog asks to open with
/usr/bin/xpdf (default)orSave. - Don't press
Saveimmediately. See in a terminal random name of file, sometimes with a part of contents: {{{ ls -la /tmp $ file /tmp/oeXvw4D+.pdf.part /tmp/oeXvw4D+.pdf.part: PDF document, version 1.5 }}} Tbb ignoredtor-browser_en-US/tmpand use system /tmp - After pressing
Savefile removed from /tmp.
This behaviour potentially affects users local anonimity with unencrypted and non-attached to memory system /tmp dirs; and affects users with portable TorBrowser versions. Partially downloaded files will saved in /tmp in the cases of TBB crushes or not completely erased. Will be preferably to isolate TorBrowser activity in user local catalogs only.
Trac:
Username: unknown
Activity
Trac:
Cc: N/A to g.koppen@jondos.de
A simple patch to the start script seems to be adequate solution:
--- start-tor-browser 2012-11-21 07:41:14.000000000 +0000 +++ start-tor-browser.test 2012-11-22 13:33:59.699580680 +0000 @@ -205,6 +205,9 @@ export LDPATH export LD_LIBRARY_PATH +TEMP="${HOME}/tmp/" +export TEMP + if [ "$debug" -eq 1 ]; then printf "\nStarting Vidalia now\n" cd "${HOME}"Trac:
Username: unknown
Actually, I think the two or three dialogs that we and Firefox throw up in the face of the user before saving a downloaded file satisfy the "at user option" bit of that goal. Changing the TEMP env var seems like a good plan to me.
But, how about a patch that works on all three platforms, though? Does that mean we should patch Vidalia, or can we set the equivalent env vars in the start exe/start app for Win+MacOS?
Trac:
Status: new to needs_revision-
According to Design Document of the TorBrowser. "The browser MUST NOT write any information that is derived from or that reveals browsing activity to the disk, or store it in memory beyond the duration of one browsing session, unless the user has explicitly opted to store their browsing history information to disk."
I can confirm this bug and the above principle are violated in windows 7 64bit by following steps 1-4, with the firefox 24 & tor browser bundle 3.5.1 and it has a related solution. Ensure the enviroment has the TEMP/TMP enviromental variable are set properly for each os to point to a relative directory and that the application honors that setting, and failing that, do not use api calls that create temp files that do not adhere to those enviromental variables. For my computer TEMP=C:\Users\tortestuser\AppData\Local\Temp according to Process Hacker, and that is where the files are created.
I have attached a picture (tor.png) with visual proof of the problem.
Edit: I also tested a batch file with the lines:
SET TEMP=T:\TEMP "Start Tor Browser.exe"
And it succefully changed the enviroment variables used by tor.exe and firefox, but they were completely ignored and files continued to be saved to the %appdata%\temp folder, and mp4 videos to %AppData%\Temp\mozilla-temp-files\
So a fix needs to ensure both files downloaded and vidoes played in the browser are saved to the proper area.
Trac:
Username: tortestuser -
Trac:
Username: tortestuser
Summary: TorBrowser creates temp files in Linux /tmp & Windows %temp% during the file downloads dialog & when using internal browser video player to TorBrowser creates temp files in Linux /tmp & Windows %temp% and OSX(various places) during the file downloads dialog & when using internal browser video player
Priority: normal to major -
Trac:
Cc: g.koppen@jondos.de to gk -
#18588 (moved) is a duplicate.
-
When downloading using browser.altClickSave function no temp file is created in TBB or Firefox. Perhaps this function could be used in all file downloads in some way.
browser.altClickSave function can only be used on direct links. It is not enabled by default in TBB (or Firefox). You have to enable it in about:config.
Trac:
Username: loxia_01 -
We got a report from Scott Ainsile on our HackerOne platform that this is still happening on a Ubuntu 16.04.4 system:
I noticed that a lot of the artefacts originate from Twitter and Tumblr and are MPEG-4 Part 14 digital multimedia container format and WebM audiovisual media file format artefacts.Trac:
Status: needs_revision to assigned
Owner: mikeperry to tbb-team 
#32857 (moved) is a duplicate
Trac:
Cc: gk, brade, mcs to gk, brade, mcs, g4vin0learyCan the severity of this issue at least be upped, as this breaks one of the most fundamental design goals [1] of the Tor Browser Bundle, namely:
4.3. Disk Avoidance Design Goal: The User Agent MUST (at user option) prevent all disk records of browser activityTo be clear, the problem is even more severe than the issue description suggests, because the temporary file is already saved before the user chooses an option in the "Download an external file type?" dialog. This means that any clicking of an ordinary link can cause something to be (temporarily) stored on the hard-drive of an unsuspecting user.
This ticket's severity is not "Normal". A solution should be sought independently of Firefox fixing this for private browsing mode.
[1] https://2019.www.torproject.org/projects/torbrowser/design/#disk-avoidance
Relevant Firefox ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1546969
mentioned in issue #11254 (moved)
mentioned in issue #17935 (moved)
mentioned in issue #18588 (moved)
mentioned in issue #25773 (moved)
mentioned in issue #32857 (moved)
mentioned in issue #32857 (moved)
moved to tpo/applications/tor-browser#7449
mentioned in issue tpo/applications/tor-browser#25773 (closed)
