arthuredelstein / tor-browser Public
26233
Commits on Jun 1, 2018
-
Bug 20283: Tor Browser should run without a /proc filesystem.
Firefox uses the current stack frame address and the stack size as a sort of heuristic for various things in the javascript engine. The js::GetNativeStackBaseImpl() function is used to get the base stack address (i.e. the address from which the stack grows, so this can be either the first or last memory address of the stack memory space depending on the CPU architecture). On Linux, this function is implemented using the pthreads APIs. For non-main threads, the queried thread info is stored in memory. The main thread does not have this information on hand, so it gets the stack memory range via the /proc/self/maps file (see glibc's pthread_get_attr_np.c). Fortunately (per discussions with the firefox devs in #jsapi) the base address only needs to be an approximation. In reality, environment variables, args, and other things are stored in space between the end/beginning of the mapped stack memory and the 'top' of the stack space used by stack frames. We can get the top of this usable stack from __libc_stack_end, which is a void* set by glibc during program initialization. Non-main threads still get their stack-base through the usual pthreads APIs. This patch integrates the latest jsnativestack.cpp from mozilla-central, and creates a specific implementation of js::GetNativeStackBaseImpl() for non-android Linux using the described __libc_stack_end read.
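The approach described in this commit message, as an added C example (not code from the Tor Browser patch): it reads glibc's `__libc_stack_end` as an approximate main-thread stack base and uses it for a stack-quota check without touching /proc. The function names and the 64 KiB quota are assumptions made for the illustration, and the code assumes glibc, a downward-growing stack and a caller on the main thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Set by glibc during program initialization: top of the usable main-thread
   stack. Reading it needs no /proc/self/maps access. */
extern void *__libc_stack_end;

/* Approximate number of stack bytes between the base and the current frame.
   Assumption: downward-growing stack, called on the main thread. */
size_t stack_used_from_base(void)
{
    char marker; /* lives in the current frame */
    return (size_t)((uintptr_t)__libc_stack_end - (uintptr_t)&marker);
}

/* Hypothetical recursion guard in the style of an engine's stack-quota check:
   returns the depth at which the quota (in bytes from the base) was exceeded. */
int recurse_until_quota(size_t quota, int depth)
{
    volatile char pad[256]; /* gives every frame a known minimum size */
    pad[0] = (char)depth;
    if (stack_used_from_base() > quota)
        return depth;
    /* The volatile read after the call keeps this from becoming a tail call. */
    return recurse_until_quota(quota, depth + 1) + (pad[0] & 0);
}

int main(void)
{
    size_t used = stack_used_from_base();
    printf("about %zu bytes in use below __libc_stack_end\n", used);
    printf("64 KiB quota exceeded at depth %d\n",
           recurse_until_quota(used + 65536, 0));
    return 0;
}
```

An approximate base is enough here because the quota check only compares a distance against a limit.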
-
Bug 22548: Firefox downgrades VP9 videos to VP8.
On systems where H.264 is not available or no HWA, VP9 is preferred. But in Tor Browser 7.0 all youtube videos are degraded to VP8. This behaviour can be turned off by setting media.benchmark.vp9.threshold to 0. All clients will get better experience and lower traffic, because TBB doesn't use "Use hardware acceleration when available".
-
Bug 24398: Plugin-container process exhausts memory
The plugin-container process can thrash/crash due to increasing memory consumption after our workaround for bug 24052. The patch provided by a cypherpunk (big thanks!) deals with that as far as the Developer Tools are concerned.
-
Bug 23104: Add a default line height compensation
Many fonts have issues with their vertical metrics. They are used to influence the height of ascenders and depth of descenders. Gecko uses it to calculate the line height (font height + ascender + descender), however because of that idiosyncratic behavior across multiple operating systems, it can be used to identify the user's OS. The solution proposed in the patch uses a default factor to be multiplied with the font size, simulating the concept of ascender and descender. This way all operating systems will have the same line height only and only if the frame is outside the chrome.
-
Bug 24052: Handle redirects by blocking them early
This is the second part of the workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=1412081.
-
Bug 13398: at startup, browser gleans user FULL NAME (real name, given name) from O/S
ifdef'd out offending code in each platform based on existence of TOR_BROWSER_VERSION and return empty string instead.
-
Bug 21830: Copying large text from web console leaks to /tmp
Patch written by Neill Miller
-
Bug 21431: Clean-up system extensions shipped in Firefox 52
Only ship the pdfjs extension.
-
Bug 16285: Exclude ClearKey system for now
In the past the ClearKey system had not been compiled when specifying --disable-eme. But that changed and it is even bundled nowadays (see: Mozilla's bug 1300654). We don't want to ship it right now as the use case for it is not really visible while the code had security vulnerabilities in the past.
-
Bug 21907: Fix runtime error on CentOS 6
In Mozilla bug 1324780, support for building with glib 2.28 (the version available in CentOS 6) was added. However we are building on Debian Wheezy which has glib 2.32. We fix that by backing out all glib > 2.28 code paths.
-
Bug #5741: Prevent WebSocket DNS leak.
This is due to an improper implementation of the WebSocket spec by Mozilla. "There MUST be no more than one connection in a CONNECTING state. If multiple connections to the same IP address are attempted simultaneously, the client MUST serialize them so that there is no more than one connection at a time running through the following steps. If the client cannot determine the IP address of the remote host (for example, because all communication is being done through a proxy server that performs DNS queries itself), then the client MUST assume for the purposes of this step that each host name refers to a distinct remote host," https://tools.ietf.org/html/rfc6455#page-15 They implemented the first paragraph, but not the second... While we're at it, we also prevent the DNS service from being used to look up anything other than IP addresses if socks_remote_dns is set to true, so this bug can't turn up in other components or due to 3rd party addons.
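The DNS-service restriction described in this commit message, as an added C example (not code from the Tor Browser patch): a gate in front of the local resolver that lets IP literals through and refuses host names when remote DNS is in force. The function and enum names are hypothetical, `socks_remote_dns` is modelled as a plain flag, and the host strings in `main` are constructed samples.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

enum lookup_decision { LOOKUP_LITERAL, LOOKUP_LOCAL_DNS, LOOKUP_REFUSED };

/* 1 if host is an IPv4/IPv6 literal that parses without any DNS query. */
int is_ip_literal(const char *host)
{
    unsigned char addr[sizeof(struct in6_addr)];
    char inner[INET6_ADDRSTRLEN];
    size_t n = host ? strlen(host) : 0;

    if (n == 0)
        return 0;
    /* URL form of an IPv6 literal, e.g. "[::1]". */
    if (n >= 2 && host[0] == '[' && host[n - 1] == ']') {
        if (n - 2 >= sizeof(inner))
            return 0;
        memcpy(inner, host + 1, n - 2);
        inner[n - 2] = '\0';
        return inet_pton(AF_INET6, inner, addr) == 1;
    }
    /* inet_pton is strict: shorthand such as "127.1" is not accepted. */
    return inet_pton(AF_INET, host, addr) == 1 ||
           inet_pton(AF_INET6, host, addr) == 1;
}

/* Hypothetical gate: with remote DNS on, a name never reaches the local
   resolver; only literals, which need no query, are handled locally. */
enum lookup_decision gate_lookup(const char *host, int socks_remote_dns)
{
    if (is_ip_literal(host))
        return LOOKUP_LITERAL;
    return socks_remote_dns ? LOOKUP_REFUSED : LOOKUP_LOCAL_DNS;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *hosts[] = { "127.0.0.1", "[2001:db8::1]", "example.com",
                            "localhost", "127.1" };
    static const char *names[] = { "literal", "local-dns", "refused" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-16s -> %s\n", hosts[i], names[gate_lookup(hosts[i], 1)]);
    return 0;
}
```

Placing the check at the resolver rather than in each caller is what covers other components and third-party add-ons, as the commit message notes.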
-
Bug 14970: Don't block our unsigned extensions
Mozilla introduced extension signing as a way to make it harder for an attacker to get a malicious add-on running in a user's browser. See: https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience and https://blog.mozilla.org/addons/2016/01/22/add-on-signing-update/ for some background information. In ESR45 this feature is enabled by default and we exempt both our own extensions and EFF's HTTPS-Everywhere from this requirement.
-
Omnibox: Add DDG, Startpage, Disconnect, Youtube, Twitter; remove Amazon, eBay, bing
eBay and Amazon don't treat Tor users very well. Accounts often get locked and payments reversed.
Also: Bug 16322: Update DuckDuckGo search engine
We are replacing the clearnet URL with an onion service one (thanks to a patch by a cypherpunk) and are removing the duplicated DDG search engine. Duplicating DDG happened due to bug 1061736 where Mozilla included DDG itself into Firefox. Interestingly, this caused breaking the DDG search if JavaScript is disabled as the Mozilla engine, which gets loaded earlier, does not use the html version of the search page. Moreover, the Mozilla engine tracked where the users were searching from by adding a respective parameter to the search query. We got rid of that feature as well.
Also: This fixes bug 20809: the DuckDuckGo team has changed its server-side code in a way that lets users with JavaScript enabled use the default landing page while those without JavaScript available get redirected directly to the non-JS page. We adapt the search engine URLs accordingly.
-
Bug 23916: Add new MAR signing key
We make the certificate for the secondary key the new primary one, and add the certificate for the new key as the secondary one. This is the 2018 MAR signing key update.
Also Bug 20589: Adding new MAR signing key
We make the certificate for the secondary key the new primary one, partly due to #15532 and add the certificate for the new key as the secondary one.
Also Bug 18008: Create a new MAR Signing key
This is part of our plan to rotate the main key used for signing MAR files about once a year to make. This is a defense in depth measure as there is no official way for revoking MAR signing keys.
-
Bug 25909: disable updater telemetry
Avoid errors inside UpdatePing.handleUpdateSuccess() when telemetry is disabled.
-
Bug 19121: reinstate the update.xml hash check
This is a partial revert of commit f1241db. Revert the nsUpdateService.js changes from Mozilla Bug 862173 "don't verify mar file hash when using mar signing to verify the mar file (lessens main thread I/O)." Changes to the tests were not reverted; the tests have been changed significantly and we do not run automated updater tests for Tor Browser at this time. We kept the addition to the AppConstants API in case other JS code references it in the future.
-
Bug 19121: reinstate the update.xml hash check
Revert most changes from Mozilla Bug 1373267 "Remove hashFunction and hashValue attributes from nsIUpdatePatch and code related to these attributes." Changes to the tests were not reverted; the tests have been changed significantly and we do not run automated updater tests for Tor Browser at this time.
-
Bug 13252: Do not store data in the app bundle
Add an --enable-tor-browser-data-outside-app-dir configure option. When this is enabled, all user data is stored in a directory named TorBrowser-Data which is located next to the application directory.
The first time an updated browser is opened, migrate the existing browser profile, Tor data directory contents, and UpdateInfo to the TorBrowser-Data directory. If migration of the browser profile fails, an error alert is displayed and the browser is started using a new profile.
Display an informative error message if the TorBrowser-Data directory cannot be created due to an "access denied" or a "read only volume" error.
Add support for installing "override" preferences within the user's browser profile. All .js files in distribution/preferences (on Mac OS, Contents/Resources/distribution/preferences) will be copied to the preferences directory within the user's browser profile when the profile is created and each time Tor Browser is updated. This mechanism will be used to install the extension-overrides.js file into the profile.
On Mac OS, add support for the --invisible command line option which is used by the meek-http-helper to avoid showing an icon for the helper browser on the dock.
-
Bug 21724: Make Firefox and Tor Browser distinct macOS apps
When macOS opens a document or selects a default browser, it sometimes uses the CFBundleSignature. Changing from the Firefox MOZB signature to a different signature TORB allows macOS to distinguish between Firefox and Tor Browser.
-
Bug 18912: add automated tests for updater cert pinning
Add a chrome mochitest that verifies that a key pinning error is generated when the updater is configured to use one of the "bad pin" servers that are predefined by the test framework. Note that this test is affected by bug 18087, which means that security.nocertdb must be set to false before running this test.
-
Bug 18900: updater doesn't work on Linux (cannot find libraries)
Effectively revert "Bug 1159090 - Only append library path for updater if it is a unique value. r=rstrong"
-
Bug 11641: change TBB directory structure to be more like Firefox's
Unless the -osint command line flag is used, the browser now defaults to the equivalent of -no-remote. There is a new -allow-remote flag that may be used to restore the original (Firefox-like) default behavior.
-
Bug 9173: Change the default Firefox profile directory to be TBB-relative.
This should eliminate our need to rely on a wrapper script that sets /Users/arthur and launches Firefox with -profile.
-
Bug 19890: Disable installation of system addons
By setting the URL to "" we make sure that already installed system addons get deleted as well.
-
Bug 19273: Avoid JavaScript patching of the external app helper dialog.
When handling an external URI or downloading a file, invoke Torbutton's external app blocker component (which will present a download warning dialog unless the user has checked the "Automatically download files from now on" box). For e10s compatibility, avoid using a modal dialog and instead use a callback interface (nsIHelperAppWarningLauncher) to allow Torbutton to indicate the user's desire to cancel or continue each request.
Other bugs fixed:
Bug 21766: Crash with e10s enabled while trying to download a file
Bug 21886: Download is stalled in non-e10s mode
Bug 22471: Downloading files via the PDF viewer download button is broken
Bug 22472: Fix FTP downloads when external helper app dialog is shown
Bug 22610: Avoid crashes when canceling external helper app downloads
Bug 22618: Downloading pdf file via file:/// is stalling
-
Bug 18821: Disable libmdns for Android and Desktop
There should be no need to remove the OS X support introduced in https://bugzilla.mozilla.org/show_bug.cgi?id=1225726 as enabling this is governed by a preference (which is actually set to `false`). However, we remove it at build time as well (defense in depth). This is basically a backout of the relevant passages of https://hg.mozilla.org/mozilla-central/rev/6bfb430de85d, https://hg.mozilla.org/mozilla-central/rev/609b337bf7ab and https://hg.mozilla.org/mozilla-central/rev/8e092ec5fbbd. Fixed bug 21861 (Disable additional mDNS code to avoid proxy bypasses) as well.
-
Bug 18800: Remove localhost DNS lookup in nsProfileLock.cpp
Instead of using the local computer's IP address within symlink-based profile lock signatures, always use 127.0.0.1.