Bug 40128: Allow updating Fenix allowed_addons.json (4e9e1d2a) · Commits · The Tor Project / Applications / tor-browser-build

projects/tor-browser/allowed_addons.json

0 → 100644

+3266 −0

File added.

Preview size limit exceeded, changes collapsed.

projects/tor-browser/build.android

+11 −2

Original line number	Diff line number	Diff line
		#!/bin/bash
		[% c("var/set_default_env") -%]
		ext_dir=assets/extensions
		assets_dir=assets
		ext_dir=$assets_dir/extensions
		qa_apk=[% dest_dir %]/[% c('filename') %]/tor-browser-[% c("version") %]-[% c("var/osname") %]-multi-qa.apk
		apk=$rootdir/fenix/app-[% c("var/abi") %]-*.apk

		@@ -15,8 +16,16 @@ cd /var/tmp/build
		unzip -d $ext_dir/https-everywhere $rootdir/[% c('input_files_by_name/https-everywhere') %]
		mv $rootdir/[% c('input_files_by_name/noscript') %] $ext_dir/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

		[% IF c("var/verify_allowed_addons") %]
		# Check that allowed_addons.json contains the right versions of NoScript and HTTPS Everywhere
		# If so, replace the default allowed_addons.json by ours in the apk assets folder.
		$rootdir/verify_allowed_addons.py "$rootdir/allowed_addons.json" "$ext_dir/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi" "$rootdir/[% c('input_files_by_name/https-everywhere') %]"
		[% END %]

		mv $rootdir/allowed_addons.json $assets_dir/allowed_addons.json

		[% c('zip', {
		zip_src => [ '$ext_dir' ],
		zip_src => [ '$assets_dir' ],
		zip_args => '$apk',
		}) %]

projects/tor-browser/config

+5 −0

Original line number	Diff line number	Diff line
		@@ -47,6 +47,7 @@ targets:
		var:
		arch_deps:
		- apksigner
		verify_allowed_addons: 1

		input_files:
		- project: container-image
		@@ -115,3 +116,7 @@ input_files:
		enable: '[% c("var/namecoin") %]'
		- filename: namecoin.patch
		enable: '[% c("var/namecoin") %]'
		- filename: allowed_addons.json
		enable: '[% c("var/android") %]'
		- filename: verify_allowed_addons.py
		enable: '[% c("var/android") && c("var/verify_allowed_addons") %]'

projects/tor-browser/verify_allowed_addons.py

0 → 100755

+52 −0

Original line number	Diff line number	Diff line
		#!/usr/bin/env python

		import json
		import sys
		import hashlib
		import zipfile

		def find_addon(addons, addon_id):
		results = addons['results']
		for x in results:
		addon = x['addon']
		if addon['guid'] == addon_id:
		return addon
		sys.exit("Error: cannot find addon " + addon_id)

		def verify_extension_version(addons, addon_id, version):
		addon = find_addon(addons, addon_id)
		expected_version = addon['current_version']['version']
		if version != expected_version:
		sys.exit("Error: version " + version + " != " + expected_version)

		def verify_extension_hash(addons, addon_id, hash):
		addon = find_addon(addons, addon_id)
		expected_hash = addon["current_version"]["files"][0]["hash"]
		if hash != expected_hash:
		sys.exit("Error: hash " + hash + " != " + expected_hash)

		def read_extension_manifest(path):
		return json.loads(zipfile.ZipFile(path, 'r').read('manifest.json'))

		def main(argv):
		allowed_addons_path = argv[0]
		noscript_path = argv[1]
		https_everywhere_path = argv[2]

		addons = None
		with open(allowed_addons_path, 'r') as file:
		addons = json.loads(file.read())

		noscript_hash = None
		with open(noscript_path, 'rb') as file:
		noscript_hash = "sha256:" + hashlib.sha256(file.read()).hexdigest()

		noscript_version = read_extension_manifest(noscript_path)["version"]
		https_everywhere_version = read_extension_manifest(https_everywhere_path)["version"]

		verify_extension_hash(addons, '{73a6fe31-595d-460b-a920-fcc0f8843232}', noscript_hash)
		verify_extension_version(addons, '{73a6fe31-595d-460b-a920-fcc0f8843232}', noscript_version)
		verify_extension_version(addons, 'https-everywhere-eff@eff.org', https_everywhere_version)

		if __name__ == "__main__":
		main(sys.argv[1:])

tools/fetch_allowed_addons.py

0 → 100755

+43 −0

Original line number	Diff line number	Diff line
		#!/usr/bin/env python3

		import urllib.request
		import json
		import base64
		import sys

		def fetch(x):
		with urllib.request.urlopen(x) as response:
		return response.read()

		def find_addon(addons, addon_id):
		results = addons['results']
		for x in results:
		addon = x['addon']
		if addon['guid'] == addon_id:
		return addon
		sys.exit("Error: cannot find addon " + addon_id)

		def fetch_and_embed_icons(addons):
		results = addons['results']
		for x in results:
		addon = x['addon']
		icon_data = fetch(addon['icon_url'])
		addon['icon_url'] = 'data:image/png;base64,' + str(base64.b64encode(icon_data), 'utf8')

		def patch_https_everywhere(addons):
		addon = find_addon(addons, 'https-everywhere@eff.org')
		addon['guid'] = 'https-everywhere-eff@eff.org'
		addon['url'] = 'https://www.eff.org/https-everywhere'

		def main(argv):
		amo_collection = argv[0] if argv else '83a9cccfe6e24a34bd7b155ff9ee32'
		url = 'https://addons.mozilla.org/api/v4/accounts/account/mozilla/collections/' + amo_collection + '/addons/'
		data = json.loads(fetch(url))
		fetch_and_embed_icons(data)
		patch_https_everywhere(data)
		data['results'].sort(key=lambda x: x['addon']['guid'])
		find_addon(data, '{73a6fe31-595d-460b-a920-fcc0f8843232}') # Check that NoScript is present
		print(json.dumps(data, indent=2, ensure_ascii=False))

		if __name__ == "__main__":
		main(sys.argv[1:])