Add option to not warn when getting an IP instead of hostname

2024-09-20 13:06:20 +02:00 · 2010-06-03 12:52:34 +02:00 · 2010-06-03 12:52:34 +02:00 · 10fdb9ee0a
commit 10fdb9ee0a
parent faf51fa52a
5 changed files with 33 additions and 12 deletions
--- a/changes/nohostnamewarn
+++ b/changes/nohostnamewarn
@ -0,0 +1,5 @@
+  o Minor features:
+    - Allow disabling the warning that occurs whenever Tor receives only
+      an IP address instead of a hostname. Setups that do DNS locally over
+      Tor are fine, and we shouldn't spam the logs in that case.
+
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@ -632,6 +632,12 @@ The following options are useful only for clients (that is, if
    helps to determine whether an application using Tor is possibly leaking
    DNS requests. (Default: 0)

+**WarnUnsafeSocks** **0**|**1**::
+    When this option is enabled, Tor will warn whenever a request is
+    received that only contains an IP address instead of a hostname. Allowing
+    applications to do DNS resolves themselves is usually a bad idea and
+    can leak your location to attackers. (Default: 1)
+
 **VirtualAddrNetwork** __Address__/__bits__::
    When a controller asks for a virtual (unused) address with the MAPADDRESS
    command, Tor picks an unassigned address from this range. (Default:
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@ -1402,19 +1402,21 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
          if (req->command != SOCKS_COMMAND_RESOLVE_PTR &&
              !addressmap_have_mapping(req->address,0) &&
              !have_warned_about_unsafe_socks) {
-            log_warn(LD_APP,
-                "Your application (using socks5 to port %d) is giving "
-                "Tor only an IP address. Applications that do DNS resolves "
-                "themselves may leak information. Consider using Socks4A "
-                "(e.g. via privoxy or socat) instead. For more information, "
-                "please see https://wiki.torproject.org/TheOnionRouter/"
-                "TorFAQ#SOCKSAndDNS.%s", req->port,
-                safe_socks ? " Rejecting." : "");
-            /*have_warned_about_unsafe_socks = 1;*/
+            if (get_options()->WarnUnsafeSocks) {
+              log_warn(LD_APP,
+                  "Your application (using socks5 to port %d) is giving "
+                  "Tor only an IP address. Applications that do DNS resolves "
+                  "themselves may leak information. Consider using Socks4A "
+                  "(e.g. via privoxy or socat) instead. For more information, "
+                  "please see https://wiki.torproject.org/TheOnionRouter/"
+                  "TorFAQ#SOCKSAndDNS.%s", req->port,
+                  safe_socks ? " Rejecting." : "");
+              /*have_warned_about_unsafe_socks = 1;*/
                                      /*(for now, warn every time)*/
            control_event_client_status(LOG_WARN,
                          "DANGEROUS_SOCKS PROTOCOL=SOCKS5 ADDRESS=%s:%d",
                          req->address, req->port);
+            }
            if (safe_socks)
              return -1;
          }
@ -1516,7 +1518,8 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
      if (socks4_prot != socks4a &&
          !addressmap_have_mapping(tmpbuf,0) &&
          !have_warned_about_unsafe_socks) {
-        log_warn(LD_APP,
+        if (get_options()->WarnUnsafeSocks) {
+          log_warn(LD_APP,
                 "Your application (using socks4 to port %d) is giving Tor "
                 "only an IP address. Applications that do DNS resolves "
                 "themselves may leak information. Consider using Socks4A "
@ -1524,10 +1527,12 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
                 "please see https://wiki.torproject.org/TheOnionRouter/"
                 "TorFAQ#SOCKSAndDNS.%s", req->port,
                 safe_socks ? " Rejecting." : "");
-        /*have_warned_about_unsafe_socks = 1;*/  /*(for now, warn every time)*/
-        control_event_client_status(LOG_WARN,
+          /*have_warned_about_unsafe_socks = 1;*/
+          /*(for now, warn every time)*/
+          control_event_client_status(LOG_WARN,
                        "DANGEROUS_SOCKS PROTOCOL=SOCKS4 ADDRESS=%s:%d",
                        tmpbuf, req->port);
+        }
        if (safe_socks)
          return -1;
      }
--- a/src/or/config.c
+++ b/src/or/config.c
@ -280,6 +280,7 @@ static config_var_t _option_vars[] = {
  V(NatdListenAddress,           LINELIST, NULL),
  V(NatdPort,                    UINT,     "0"),
  V(Nickname,                    STRING,   NULL),
+  V(WarnUnsafeSocks,              BOOL,     "1"),
  V(NoPublish,                   BOOL,     "0"),
  VAR("NodeFamily",              LINELIST, NodeFamilies,         NULL),
  V(NumCpus,                     UINT,     "1"),
--- a/src/or/or.h
+++ b/src/or/or.h
@ -2701,6 +2701,10 @@ typedef struct {
   * selection. */
  int AllowDotExit;

+  /** If true, we will warn if a user gives us only an IP address
+   * instead of a hostname. */
+  int WarnUnsafeSocks;
+
  /** If true, the user wants us to collect statistics on clients
   * requesting network statuses from us as directory. */
  int DirReqStatistics;