Check onion hostnames against client port flags

Check NoOnionTraffic before attaching a stream.

NoOnionTraffic refuses connections to all onion hostnames,
but permits non-onion hostnames and IP addresses.
teor (Tim Wilson-Brown) 8 years ago
parent
commit
382a28951f
1 changed file with 8 additions and 0 deletions
  1. 8 0
      src/or/connection_edge.c

+ 8 - 0
src/or/connection_edge.c

@@ -1708,6 +1708,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
     /* If we get here, it's a request for a .onion address! */
     tor_assert(!automap);
 
+    /* If .onion address requests are disabled, refuse the request */
+    if (!conn->entry_cfg.onion_traffic) {
+      log_warn(LD_APP, "Onion address %s requested from a port with .onion "
+                       "disabled", safe_str_client(socks->address));
+      connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+      return -1;
+    }
+
     /* Check whether it's RESOLVE or RESOLVE_PTR.  We don't handle those
      * for hidden service addresses. */
     if (SOCKS_COMMAND_IS_RESOLVE(socks->command)) {
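Review bot: The `log_warn(LD_APP, ...)` in the new `!conn->entry_cfg.onion_traffic` branch fires once for every refused request, so any application pointed at a port with .onion disabled can fill the log at warn level just by retrying. Consider rate-limiting this message or lowering its severity, since the refusal is the configured behaviour rather than an error in Tor itself. Passing the address through `safe_str_client()` is right and should stay. It would also help to say in the comment above the check that `END_STREAM_REASON_ENTRYPOLICY` is chosen because the refusal comes from the listener port's flags, so the reason code is not mistaken for an exit policy rejection when someone reads this later.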