Opened 7 years ago

Closed 7 years ago

#15276 closed defect (fixed)

Release Notification plugin only uses HTTP; proxy bypass

Reported by: ioerror
Owned by: nwalp
Milestone: 2.10.7
Component: plugins
Version: 2.10.6
Keywords: security proxy
Cc:

Description

Summary

The release notification plugin only uses HTTP; it also appears to bypass the proxy settings by leaking a DNS query to the local network.

Steps to reproduce

Enable "Tor/Privacy proxy" and configure it to use Tor. Enable Release Notification plugin.

Shortly after in the debug log, I see the following:

(18:36:06) dnsquery: Performing DNS lookup for pidgin.im
(18:36:06) prefs: /plugins/gtk/relnot/last_check changed, scheduling save.
(18:36:06) prefs: /pidgin/plugins/loaded changed, scheduling save.
(18:36:07) plugins: Unloading plugin Release Notification
(18:36:07) prefs: /pidgin/plugins/loaded changed, scheduling save.
(18:36:10) dnsquery: IP resolved for pidgin.im
(18:36:10) proxy: Attempting connection to 74.63.8.88
(18:36:10) proxy: Connecting to pidgin.im:80 with no proxy
(18:36:10) proxy: Connection in progress
(18:36:10) proxy: Connecting to pidgin.im:80.
(18:36:10) proxy: Connected to pidgin.im:80.
(18:36:10) util: request constructed
(18:36:10) util: Response headers: 'HTTP/1.0 200 OK
X-Powered-By: PHP/5.3.3-7+squeeze9
Content-Type: text/plain
Content-Length: 0
Connection: close
Date: Thu, 23 Aug 2012 01:36:10 GMT
Server: lighttpd/1.4.28

Expected results

I expect SSL/TLS to be used when checking for updates; an attacker may simply deny these HTTP requests and deny me critical updates. Furthermore, I expected my proxy to be used and for DNS leaks to not occur.

Actual results

HTTP is used. Apparently, DNS queries are leaked and the configured proxy is bypassed.

Regression

None as far as I can tell.

Notes

The "Tor/Privacy Proxy" bug is #11110
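
A check for the symptoms visible in the debug log above, written as an added example that is not part of the ticket or of Pidgin's code: it scans a Pidgin debug log for `dnsquery` lookups and for `proxy` connections marked "with no proxy", and flags port 80 targets as plaintext. The message patterns are inferred only from the log lines in this ticket, every `dnsquery` lookup line is assumed to be a locally performed resolution (as the reporter read it), and `find_leaks` and the finding labels are hypothetical names.

```python
import re

# Lines copied from the debug log in the ticket description.
SAMPLE_LOG = """\
(18:36:06) dnsquery: Performing DNS lookup for pidgin.im
(18:36:06) prefs: /plugins/gtk/relnot/last_check changed, scheduling save.
(18:36:10) dnsquery: IP resolved for pidgin.im
(18:36:10) proxy: Attempting connection to 74.63.8.88
(18:36:10) proxy: Connecting to pidgin.im:80 with no proxy
(18:36:10) proxy: Connected to pidgin.im:80.
"""

# "(HH:MM:SS) category: message" is the line layout seen in the ticket's log.
LINE_RE = re.compile(r"^\((\d{2}:\d{2}:\d{2})\) ([^:\s]+): (.*)$")
DNS_RE = re.compile(r"^Performing DNS lookup for (\S+)$")
DIRECT_RE = re.compile(r"^Connecting to (\S+):(\d+) with no proxy$")

# Ports treated as unencrypted HTTP (assumption for this example).
PLAINTEXT_PORTS = {80}


def find_leaks(log_text):
    """Return (timestamp, kind, target) tuples for each suspicious log line."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines such as dumped HTTP response headers
        ts, category, msg = m.groups()
        if category == "dnsquery":
            hit = DNS_RE.match(msg)
            if hit:
                findings.append((ts, "local-dns", hit.group(1)))
        elif category == "proxy":
            hit = DIRECT_RE.match(msg)
            if hit:
                host, port = hit.group(1), int(hit.group(2))
                findings.append((ts, "direct-connect", f"{host}:{port}"))
                if port in PLAINTEXT_PORTS:
                    findings.append((ts, "plaintext-http", f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for ts, kind, target in find_leaks(SAMPLE_LOG):
        print(f"{ts} {kind:15} {target}")
```

An empty result on a log captured with the global proxy configured is what comment:3 describes; any `local-dns` or `direct-connect` finding reproduces the report.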

Change History (5)

comment:1 Changed 7 years ago by bleeter

  • Keywords proxy added
  • Owner set to nwalp

relnot.c has your name on it, Mr nwalp. Care to take a peek at the proxy thing? I believe there was some discussion on IRC between datallah and rekkanoryo regarding the HTTP thing, but that'll take some behind the scenes work.

ioerror, please try and keep it to one problem per ticket. The proxy thing can probably be easily fixed in code. The other will likely take some backend work.

comment:2 Changed 7 years ago by ioerror

If it uses the proxy, it should fix the DNS issue.

comment:3 Changed 7 years ago by datallah

I can't recreate this; when I have my Pidgin overall settings (not just account-specific settings) set up to use a "Tor/Privacy (SOCKS5)" Proxy type (or even just a regular SOCKS5 proxy), it'll do the DNS and connect through the proxy and not directly.

https://pidgin.im now has an SSL certificate installed, so it's probably possible to just switch the URL to check over SSL without any other changes.

comment:7 Changed 7 years ago by Daniel Atallah <datallah@…>

(In [15591913dd85]):
Use https to check for updates in the Release Notification plugin. Refs #15276

  • The one potential concern with this is that it cripples the functionality if libpurple doesn't have SSL support, but really if that's the case, then a number of protocols won't work.

comment:8 Changed 7 years ago by datallah

  • Milestone set to 2.10.7
  • Resolution set to fixed
  • Status changed from new to closed

Everything that I can see that's problematic here has been addressed; if there is some scenario where the proxy is still being bypassed when it is set up correctly, please post a comment and we can reopen this.
