GitLab

Fix-committed: #7525

Refs: #7525

By default, it uses /tmp/, but we want to deny it access to there.

Will-fix: #9558

tor-browser wrapper script: avoid offering avenues to arbitrary code execution to e.g. an exploited Pidgin.

AppArmor Ux rules don't sanitize $PATH
(https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986), which can
lead to an exploited application (that's allowed to run this script unconfined,
e.g. Pidgin) having this script run arbitrary code, violating that application's
confinement. Let's prevent that by setting PATH to a list of directories where
only root can write.

Thanks to Ivan Bliminse for the patch.

The chroot browsers doesn't live in $HOME/.tor-browser since the
chroot browser refactoring.

Will-fix: #9138

This should be done within the xdg file used to start gpgapplet

This reverts commit b2b19983.

Unfortunately, the underlying HTTPS stack we use here fails open in those case,
so we have to check it ourselves. Currently, we check that the file exists, is
readable, is a plain file and is not empty.

This will ease development and bug-fixing quite a bit.

That's not something that we expect users to need.

$* doesn't handle arguments with e.g. embedded spaces correctly. The only safe
way to do so is "$@". We know that, but for some reason we've been cargo-culting
and copy-pasting an old buggy wrapper for years, apparently.

Will-Fix: #8603, #8830

GIT_PROXY_COMMAND is taken into account for git:// and Git over SSH, but not for
Git over HTTPS. The latter use to work when we were shipping Polipo, probably
thanks to the HTTP_PROXY environment variable and friends. Now it's broken.

Here, we're dropping usage of GIT_PROXY_COMMAND, and replacing it with a tsocks
wrapper.

Note: it would be nicer to use torsocks in this wrapper, which would work for
git:// and HTTPS, but it would break Git over SSH, since in Tails SSH has its
own ProxyCommand set to connect-socks, and then torsocks would block connections
initiated by connect-socks to the Tor SOCKS proxy, on the ground that they're
aimed at localhost and thus might be DNS requests.

... instead of hardcoding the path to the CA who signed the current certificate.
This will allow us to handle future CA transitions in a nicer way, and without
modifying this program anymore.

This is a short-term workaround that will-fix: #7450 - Tails OpenPGP Applet is
too easy to exit. A double right-click doesn't exit the applet anymore.

Also, AppArmor: allow Totem to read torsocks.conf. Technically speaking, it's
not really required, as the compiled-in defaults are the same as whatever is in
the stock torsocks.conf. But still, this avoids nasty error messages in the logs
and when running Totem from a terminal.

... Or it will be encoded twice. This fixes #7968 - "Tails OpenPGP
Applet can't clearsign text including non-ASCII characters". Only
affects clearsign, as PGP armored data is always ASCII.

Thanks to nodens for the patch!

This is yet another step on the road towards removing Polipo.

E.g. if our locale is pt, which doesn't have localized search plugins,
we'll use one of pt-PT and pt-BR.

It was a relic of the TBB 3.x times when the profile was located in
the parent directory of the TBB browser files.

Also patch Tails Greeter with the updated path. That patch should
be dropped once it's been upstreamed into Tails Greeter.

That way one only has to remember to always call firefox with
exec_firefox(), and not to set LD_LIBRARY_PATH. As an example, this
was forgotten for Tor Launcher, which also was fixed.

The libstdc++6.so we have (from Debian Wheezy) is too old.

Since there's some waiting in the NM hook it will block subsequent NM
hook unnecessarily. Also, now all I2P start-related code is in one
place which makes it easier to comprehend.

If unzip fails, the check afterwards will catch the error any way.

I had apparently got it backwards how Firefox deals with the priority
of pref files; it's the lexically first that gets priority, not the
lexically last.