Bug #9048
The Tor Browser's AppArmor confinement can be bypassed via "Recently Used" files
100%
Description
Steps to reproduce:
- Make GNOME aware of some recently used file, e.g. create a document in Gedit and save it in $HOME or anywhere the Tor Browser shouldn’t be allowed in
- Go to some website where you can upload files (the original bug reporter used http://pomf.se)
- In the File Upload dialog, go to Recently Used and select the file (hovering over it will display its full path, indicating that it indeed is outside of the directories the Tor Browser should be allowed to look into)
- Verify that the actual data was uploaded
- Ouch!
Reported by whitanne on #tails.
Subtasks
History
#1 Updated by anonym 2015-03-14 02:34:17
- Assignee set to intrigeri
intrigeri, will you take this one?
#3 Updated by intrigeri 2015-03-17 10:50:05
- Assignee changed from intrigeri to anonym
- QA Check set to Info Needed
I cannot reproduce that with ~/foo.txt nor with ~/Desktop/bar.txt. In both cases, I see that access was denied in the AppArmor logs, and the file isn’t uploaded. OTOH, if I save the same file in ~/Tor Browser/, then I can successfully upload it.
So I suspect that the bug reporter “by chance” picked a filename that is whitelisted, e.g. a config file that some abstraction we load allows access to.
anonym, did you reproduce this yourself? If so, how exactly?
#4 Updated by anonym 2015-03-17 11:55:52
- Assignee changed from anonym to intrigeri
intrigeri wrote:
> anonym, did you reproduce this yourself? If so, how exactly?
I did, but now I can’t. I think I must have been confused. Perhaps I was confused that the metadata (filename + size) was leaked to the webpage, and forgot to make sure that the file data actually was uploaded.
I guess we can reject this one.
#5 Updated by intrigeri 2015-03-17 12:06:59
- Status changed from Confirmed to Rejected
- % Done changed from 0 to 100
- QA Check deleted (Info Needed)
#6 Updated by BitingBird 2015-03-22 11:58:20
- Target version changed from Tails_1.3.2 to Tails_1.3.1
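Comment #3 settles the question by checking the AppArmor logs for a denial rather than trusting what the upload dialog shows. The following is an added example, not code from this ticket or from Tails, that performs that check over kernel audit records. The profile names and log lines are constructed placeholders, since the ticket quotes neither.

```python
import re

PROFILE = "torbrowser-placeholder"  # assumption: the real profile name is not given in the ticket
SPACED = "/home/user/Tor Browser/baz.txt"

def _line(profile, name_field, mask):
    # Builds one constructed AppArmor audit record (type=1400) for the sample log.
    return ('kernel: audit: type=1400 audit(1426588862.101:71): apparmor="DENIED" '
            f'operation="open" profile="{profile}" name={name_field} pid=4211 '
            f'comm="firefox" requested_mask="{mask}" denied_mask="{mask}" fsuid=1000 ouid=1000')

# Constructed sample records, not taken from the ticket.
SAMPLE_LOG = "\n".join([
    _line(PROFILE, '"/home/user/foo.txt"', "r"),
    _line(PROFILE, '"/home/user/Desktop/bar.txt"', "r"),
    # The audit layer logs names containing a space as unquoted uppercase hex.
    _line("other-placeholder", SPACED.encode().hex().upper(), "w"),
])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Return one dict of key/value fields per apparmor="DENIED" record."""
    records = []
    for line in log_text.splitlines():
        rec = {}
        for m in FIELD.finditer(line):
            key, quoted, bare = m.groups()
            if quoted is None and key == "name":
                try:  # unquoted name: hex-encoded path
                    bare = bytes.fromhex(bare).decode("utf-8", "replace")
                except ValueError:
                    pass  # not hex after all, keep the raw value
            rec[key] = bare if quoted is None else quoted
        if rec.get("apparmor") == "DENIED":
            records.append(rec)
    return records

def read_denied(log_text, profile, path):
    """True if the given profile was denied read access to exactly this path."""
    return any(r.get("profile") == profile and r.get("name") == path
               and "r" in r.get("denied_mask", "")
               for r in parse_denials(log_text))
```

A missing denial record for a path does not by itself show that the read succeeded; as in comment #4, confirm whether the file data, and not only its name and size, reached the site.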