Bug 40283: Workaround for the file upload bug
Merge Info
- Immediate: patchsets for critical bug fixes or other major blockers (e.g. fixes for a 0-day exploit), OR patchsets with trivial changes which do not need testing (e.g. fixes for typos, or fixes easily verified in a local developer build)
- Next Minor Stable Release: patchset that needs to be verified in nightly before backport
- Eventually: patchset that needs to be verified in alpha before backport
- No Backport: patchset for the next major stable
Merge to base-browser
- typically for !fixups to patches in the base-browser branch, though sometimes new patches as well
- NOTE: if your changeset includes patches to both base-browser and tor-browser, please make separate merge requests for each part
Link resolved issues with appropriate Release Prep issue for changelog generation
Change Description
Tor was designed for whistleblowers, but without file upload it's quite difficult to blow whistles.
Why am I calling it a workaround and not a fix? Well, while I understand the mechanics of the bug, I certainly don't know the root cause. For some reason, the Android media picker returns file paths with 4 slashes: file:////data/foo/bar/baz. After stripping the protocol prefix file://, the remaining part is //data/foo/bar/baz. From a Linux standpoint, this is a valid path semantically equivalent to /data/foo/bar/baz, but the Firefox validator is very strict and doesn't allow such paths to go through.
Considered alternatives:
- Fix Android to never return double slashes. It doesn't seem to be feasible, because accessing media files by opening files directly seems to be deprecated. I'm not an Android expert and might misunderstand something, but here is what I found: https://developer.android.com/reference/android/provider/MediaStore.MediaColumns.html#DATA.
- Fix the Firefox validator to accept double slashes. While on Linux-based systems double slashes are equivalent to single slashes, on other platforms it might not be the case. For example, on Windows it may reference a remote machine, which would be a security vulnerability. I'm not comfortable changing the shared codebase.
- Fix the file upload infrastructure to not use direct file paths, but rather the new content stream API. It would be a large-scale change requiring changes to Firefox APIs. Currently Firefox relies on passing file paths around, and with content streams those would no longer be file names.
I think the change I propose is simple enough and doesn't have associated security risks. I will post more details on #40283.
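The mechanics described above, as an added illustration that is not the merge request's patch or any Firefox code: a small converter that strips the file:// prefix, collapses the leading double slash only on Android (where the path is POSIX and the extra slashes name the same directory), leaves the strict validator alone, and refuses to collapse on Windows, where a leading // would turn a local-looking path into a UNC reference to another machine. The `os` parameter, the `isAcceptablePosixPath` validator and the sample URIs are assumptions made for this example.

```javascript
// Added example, not code from the merge request or from Firefox.
// Demonstrates the Android file-picker path workaround described above.

const FILE_SCHEME = "file://";

// Stand-in for the strict Firefox validator described in the text
// (assumption: it accepts only paths that start with exactly one "/").
function isAcceptablePosixPath(path) {
  return /^\/(?!\/)/.test(path);
}

// Convert a file: URI into a local path.
// `os` is a hypothetical parameter: "android", "linux" or "windows".
function fileUriToLocalPath(uri, os) {
  if (!uri.startsWith(FILE_SCHEME)) {
    throw new Error(`not a file: URI: ${uri}`);
  }
  let path = uri.slice(FILE_SCHEME.length);

  if (os === "windows") {
    // On Windows "//host/share" is a UNC path to a remote machine, so a
    // leading "//" must never be silently collapsed into a local path.
    if (path.startsWith("//")) {
      throw new Error(`refusing UNC-looking path as local file: ${path}`);
    }
    return path;
  }

  // Android is Linux-based: a run of leading slashes names the same
  // directory as "/", so collapsing it does not change what the path
  // refers to. This is the platform-local workaround; the shared
  // validator below is left untouched.
  if (os === "android") {
    path = path.replace(/^\/{2,}/, "/");
  }

  // Desktop Linux takes no workaround here, so the same 4-slash input
  // reproduces the original rejection.
  if (!isAcceptablePosixPath(path)) {
    throw new Error(`path rejected by validator: ${path}`);
  }
  return path;
}

// Usage (constructed sample input mirroring the description):
const picked = "file:////data/foo/bar/baz";
console.log(fileUriToLocalPath(picked, "android")); // -> /data/foo/bar/baz
```

Running the same 4-slash URI with `os` set to "linux" throws from the validator, which is the failure the merge request works around; with "windows" it is refused outright rather than collapsed, which is the platform difference the second alternative above warns about.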