ClientDNSRejectInternalAddresses in non-default networks

Once again allow the flag to be set, unless the default network is used.
Thanks to nickm for a suggestion for the workaround to a test failure.
Sebastian Hahn, 6 years ago
commit d3fee8b823
4 changed files with 15 additions and 5 deletions
  1. changes/ticket21031 (+5 -0)
  2. doc/tor.1.txt (+3 -3)
  3. src/or/config.c (+4 -0)
  4. src/test/test_options.c (+3 -2)

+ 5 - 0
changes/ticket21031

@@ -0,0 +1,5 @@
+  o New/reanimated features
+   - The ClientDNSRejectInternalAddresses flag can once again be set in
+     non-default tor networks. This also remves a deprecation of this
+     flag in 0.2.9.2-alpha. Closes ticket 21031.
+
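Review bot: typo in the changes entry, third `+` line: "remves" should be "removes". The man page hunk in this same commit writes "Tor" with a capital, so "non-default tor networks" should read "non-default Tor networks" for consistency.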

+ 3 - 3
doc/tor.1.txt

@@ -1443,12 +1443,12 @@ The following options are useful only for clients (that is, if
 [[ClientDNSRejectInternalAddresses]] **ClientDNSRejectInternalAddresses** **0**|**1**::
     If true, Tor does not believe any anonymously retrieved DNS answer that
     tells it that an address resolves to an internal address (like 127.0.0.1 or
-    192.168.0.1). This option prevents certain browser-based attacks; don't
-    turn it off unless you know what you're doing. (Default: 1)
+    192.168.0.1). This option prevents certain browser-based attacks; it
+    is not allowed to be set on the default network. (Default: 1)
 
 [[ClientRejectInternalAddresses]] **ClientRejectInternalAddresses** **0**|**1**::
     If true, Tor does not try to fulfill requests to connect to an internal
-    address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
+    address (like 127.0.0.1 or 192.168.0.1) __unless an exit node is
     specifically requested__ (for example, via a .exit hostname, or a
     controller request).  If true, multicast DNS hostnames for machines on the
     local network (of the form *.local) are also rejected.  (Default: 1)
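Review bot: the new wording "it is not allowed to be set on the default network" is ambiguous, because the option is always set (Default: 1) and what the config.c change in this commit rejects is setting it to 0 on the default network. Suggest "it cannot be turned off (set to 0) on the default network, and should not be turned off elsewhere unless you know what you're doing.", which also keeps the caution for non-default networks that this edit drops. The "a exit node" to "an exit node" fix in the second part of the hunk is fine.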

+ 4 - 0
src/or/config.c

@@ -4216,6 +4216,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
   CHECK_DEFAULT(TestingLinkKeySlop);
 #undef CHECK_DEFAULT
 
+  if (!options->ClientDNSRejectInternalAddresses &&
+      !(options->DirAuthorities ||
+        (options->AlternateDirAuthority && options->AlternateBridgeAuthority)))
+    REJECT("ClientDNSRejectInternalAddresses used for default network.");
   if (options->SigningKeyLifetime < options->TestingSigningKeySlop*2)
     REJECT("SigningKeyLifetime is too short.");
   if (options->TestingLinkCertLifetime < options->TestingAuthKeySlop*2)
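Review bot: the default-network test in the new condition combines AlternateDirAuthority and AlternateBridgeAuthority with `&&`, so a configuration that sets only AlternateDirAuthority (no DirAuthorities, no AlternateBridgeAuthority) is treated as the default network and rejected when the flag is 0; confirm that is intended, since such a network would then be unable to turn the flag off at all. The REJECT message "ClientDNSRejectInternalAddresses used for default network." is also misleading, because the check only fires when the option is 0; suggest "ClientDNSRejectInternalAddresses 0 is not allowed on the default network." A short comment above the `if` stating that the flag may only be cleared on non-default networks would help, since the block sits right after the `#undef CHECK_DEFAULT` run of unrelated Testing* checks.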

+ 3 - 2
src/test/test_options.c

@@ -398,11 +398,12 @@ fixed_get_uname(void)
   "V3AuthVoteDelay 20\n"                                                \
   "V3AuthDistDelay 20\n"                                                \
   "V3AuthNIntervalsValid 3\n"                                           \
-  "ClientUseIPv4 1\n"                                                     \
+  "ClientUseIPv4 1\n"                                                   \
   "VirtualAddrNetworkIPv4 127.192.0.0/10\n"                             \
   "VirtualAddrNetworkIPv6 [FE80::]/10\n"                                \
   "UseEntryGuards 1\n"                                                  \
-  "Schedulers Vanilla\n"
+  "Schedulers Vanilla\n"                                                \
+  "ClientDNSRejectInternalAddresses 1\n"
 
 typedef struct {
   or_options_t *old_opt;
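Review bot: no test covers the new rejection path; the hunk only keeps the existing test configuration valid by appending "ClientDNSRejectInternalAddresses 1\n" (and adds the missing line-continuation backslash after "Schedulers Vanilla\n"). Suggest adding one case that sets the option to 0 without DirAuthorities and expects the "used for default network" REJECT, and one that sets it to 0 with DirAuthorities configured and expects validation to pass, so the non-default-network behaviour this commit re-enables is actually exercised. The whitespace-only realignment of the "ClientUseIPv4 1\n" continuation is fine.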