Author: procmem@riseup.net Date: To: tails-dev Subject: [Tails-dev] Resend: Locking down stream-events in onion-grater
Re-sending this in a human readable form:
Hi, posting this mail for input.
A couple of months ago I was looking at locking down the amount of info
leaked to Tor Browser in case it is compromised - if/when stream events
access is enabled. my thought was to have the cake and eat it too.
stream-events are needed to supported auth onions IIRC. I ran into
issues with escaping characters from Tor's output namely $ and + which
were included in an example output:
250+circuit-status=00 BUILT
$relayid~$relayid,$relayid~$relayid,$relayid~$relayid
BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL
TIME_CREATED=2020-09-16T00:00:00.000000
Questions:
* Can onion-grater currently deal with such characters without having to
escape them?
* Is it even possible to sanitize responses as large and varied as
stream-events output without having something leak thru or is it best to
keep it blocked for peace of mind?