
r11938@Kushana: nickm | 2007-01-11 11:02:28 -0500
Check addresses for rfc953-saneness at exit too, and give a PROTOCOL_WARN when they fail. Also provide a mechanism to override this, so blossom can have its @@##$$^.whatever.exit hostnames if it wants.


svn:r9336

Nick Mathewson vor 18 Jahren
Ursprung
Commit
c1b5f53679
7 geänderte Dateien mit 47 neuen und 10 gelöschten Zeilen
  1. 6 0
      ChangeLog
  2. 7 1
      doc/tor.1.in
  3. 3 1
      src/or/config.c
  4. 13 6
      src/or/connection_edge.c
  5. 1 1
      src/or/control.c
  6. 14 0
      src/or/dns.c
  7. 3 1
      src/or/or.h

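--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,10 @@
 Changes in version 0.1.2.7-alpha - 2007-??-??
+
+ o Minor features:
+    - Check for addresses with invalid characters at the exit as well as at
+      the client, and warn less verbosely when they fail.  You can override
+      this by setting ServerDNSAllowNonRFC953Addresses to 1.
+
  o Major bugfixes:
     - Fix a crash bug in the presence of DNS hijacking  (reported by Andrew
       Del Vecchio).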

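--- a/doc/tor.1.in
+++ b/doc/tor.1.in
@@ -501,7 +501,7 @@ When a controller asks for a virtual (unused) address with the
 .LP
 .TP
 \fBAllowNonRFC953Hostnames \fR\fB0\fR|\fB1\fR\fP
-When this option is enabled, Tor blocks hostnames containing illegal
+When this option is disabled, Tor blocks hostnames containing illegal
 characters (like @ and :) rather than sending them to an exit node to be
 resolved.  This helps trap accidental attempts to resolve URLs and so on.
 (Default: 0)
@@ -717,6 +717,12 @@ addresses aren't getting redirected.  If they are, then our DNS is
 completely useless, and we'll reset our exit policy to "reject *:*".
 (Defaults to "www.google.com, www.mit.edu, www.yahoo.com,
 www.slashdot.org".)
+\fBServerDNSAllowNonRFC953Hostnames \fR\fB0\fR|\fB1\fR\fP
+When this option is disabled, Tor does not try to resolve hostnames
+containing illegal characters (like @ and :) rather than sending them to an
+exit node to be resolved.  This helps trap accidental attempts to resolve
+URLs and so on.
+(Default: 0)
 
 .SH DIRECTORY SERVER OPTIONS
 .PP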

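--- a/src/or/config.c
+++ b/src/or/config.c
@@ -230,6 +230,8 @@ static config_var_t _option_vars[] = {
   VAR("RunTesting",          BOOL,     RunTesting,           "0"),
   VAR("SafeLogging",         BOOL,     SafeLogging,          "1"),
   VAR("SafeSocks",           BOOL,     SafeSocks,            "0"),
+  VAR("ServerDNSAllowNonRFC953Hostnames", BOOL,
+                                         ServerDNSAllowNonRFC953Hostnames, "0"),
   VAR("ServerDNSDetectHijacking",BOOL,   ServerDNSDetectHijacking,"1"),
   VAR("ServerDNSResolvConfFile", STRING, ServerDNSResolvConfFile, NULL),
   VAR("ServerDNSSearchDomains",  BOOL,   ServerDNSSearchDomains,  "0"),
@@ -3116,7 +3118,7 @@ config_register_addressmaps(or_options_t *options)
     if (smartlist_len(elts) >= 2) {
       from = smartlist_get(elts,0);
       to = smartlist_get(elts,1);
-      if (address_is_invalid_destination(to)) {
+      if (address_is_invalid_destination(to, 1)) {
         log_warn(LD_CONFIG,
                  "Skipping invalid argument '%s' to MapAddress", to);
       } else {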
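Review bot: The option registered in the first hunk is `ServerDNSAllowNonRFC953Hostnames`, but this commit's ChangeLog entry tells operators to set `ServerDNSAllowNonRFC953Addresses`, a name this table does not define. An operator following the ChangeLog would presumably have the setting rejected instead of getting the override, so the entry should read `this by setting ServerDNSAllowNonRFC953Hostnames to 1.`. The new man page paragraph also reuses the client wording ("rather than sending them to an exit node to be resolved") for what is an exit-side setting, and appears to lack the `.TP` line that precedes the other option entries.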

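--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1082,14 +1082,21 @@ addressmap_register_virtual_address(int type, char *new_address)
   return *addrp;
 }
 
-/** Return 1 if <b>address</b> has funny characters in it like
+/** Return 1 if <b>address</b> has funny characters in it like colons. Return
- * colons. Return 0 if it's fine.
+ * 0 if it's fine, or if we're configured to allow it anyway.  <b>client</b>
+ * should be true if we're using this address as a client; false if we're
+ * using it as a server.
  */
 int
-address_is_invalid_destination(const char *address)
+address_is_invalid_destination(const char *address, int client)
 {
-  if (get_options()->AllowNonRFC953Hostnames)
+  if (client) {
-    return 0;
+    if (get_options()->AllowNonRFC953Hostnames)
+      return 0;
+  } else {
+    if (get_options()->ServerDNSAllowNonRFC953Hostnames)
+      return 0;
+  }
 
   while (*address) {
     if (TOR_ISALNUM(*address) ||
@@ -1234,7 +1241,7 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
   if (addresstype != ONION_HOSTNAME) {
     /* not a hidden-service request (i.e. normal or .exit) */
 
-    if (address_is_invalid_destination(socks->address)) {
+    if (address_is_invalid_destination(socks->address, 1)) {
       log_warn(LD_APP,
                "Destination '%s' seems to be an invalid hostname. Failing.",
                safe_str(socks->address));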
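Review bot: The new `client` parameter of address_is_invalid_destination() is passed as a bare `1` or `0` at every call site (here, config.c, control.c and dns.c), so a reader cannot tell which override a call consults without opening this function, and a swapped value would silently apply the other side's setting. A short marker at each call, e.g. `address_is_invalid_destination(socks->address, 1 /* client */)`, or two named constants would make the client/exit distinction visible. The character loop continues below the first hunk, so whether an empty address is accepted cannot be judged from here; that is worth confirming now that the exit applies the same check to addresses it did not originate.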

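--- a/src/or/control.c
+++ b/src/or/control.c
@@ -1350,7 +1350,7 @@ handle_control_mapaddress(control_connection_t *conn, uint32_t len,
       const char *to = smartlist_get(elts,1);
       size_t anslen = strlen(line)+512;
       char *ans = tor_malloc(anslen);
-      if (address_is_invalid_destination(to)) {
+      if (address_is_invalid_destination(to, 1)) {
         if (!v0) {
           tor_snprintf(ans, anslen,
             "512-syntax error: invalid address '%s'", to);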

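--- a/src/or/dns.c
+++ b/src/or/dns.c
@@ -584,6 +584,20 @@ dns_resolve(edge_connection_t *exitconn, or_circuit_t *oncirc)
       send_resolved_cell(exitconn, oncirc, RESOLVED_TYPE_IPV4);
     return 1;
   }
+  if (address_is_invalid_destination(exitconn->_base.address, 0)) {
+    log(LOG_PROTOCOL_WARN, LD_EXIT,
+        "Rejecting invalid destination address %s",
+        escaped_safe_str(exitconn->_base.address));
+    if (is_resolve)
+      send_resolved_cell(exitconn, oncirc, RESOLVED_TYPE_ERROR);
+    /* XXXX012 send error in connect case? -NM */
+    circ = circuit_get_by_edge_conn(exitconn);
+    if (circ)
+      circuit_detach_stream(circ, exitconn);
+    if (!exitconn->_base.marked_for_close)
+      connection_free(TO_CONN(exitconn));
+    return -1;
+  }
 
   /* then take this opportunity to see if there are any expired
    * resolves in the hash table. */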
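Review bot: In the new rejection branch the connect (non-resolve) case tears the stream down without sending anything back, as the `XXXX012` comment itself asks; only `is_resolve` gets a `RESOLVED_TYPE_ERROR` cell. From the visible lines the requesting side would presumably learn of the failure only through its own timeout, so an end/error reply before `circuit_detach_stream()` would make the two cases consistent. The branch also frees `exitconn` itself before returning -1, so the header comment of dns_resolve (outside this hunk) should state that the caller must not touch the connection after a -1 return. When `marked_for_close` is already set the connection is detached but not freed here, which deserves a one-line comment saying which path frees it in that case.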

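--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1671,6 +1671,8 @@ typedef struct {
                                * support BEGIN_DIR, when possible. */
   int AllowNonRFC953Hostnames; /**< If true, we allow connections to hostnames
                                 * with weird characters. */
+ /** If true, we try resolving hostnames with weird characters. */
+  int ServerDNSAllowNonRFC953Hostnames;
 } or_options_t;
 
 /** Persistent state for an onion router, as saved to disk. */
@@ -2094,7 +2096,7 @@ int connection_ap_detach_retriable(edge_connection_t *conn,
                                    int reason);
 int connection_ap_process_transparent(edge_connection_t *conn);
 
-int address_is_invalid_destination(const char *address);
+int address_is_invalid_destination(const char *address, int client);
 
 void addressmap_init(void);
 void addressmap_clean(time_t now);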