diff --git a/ChangeLog b/ChangeLog index 668c360956..d636ff6eb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,10 @@ Changes in version 0.2.0.11-alpha - 2007-11-?? + o Security fixes: + - Exit policies now reject connections that are addressed to a + relay's public (external) IP address too, unless + ExitPolicyRejectPrivate is turned off. We do this because too + many relays are running nearby to services that trust them based + on network address. Changes in version 0.2.0.10-alpha - 2007-11-10 diff --git a/doc/tor.1.in b/doc/tor.1.in index 745c19f032..bf2832f67e 100644 --- a/doc/tor.1.in +++ b/doc/tor.1.in @@ -739,11 +739,13 @@ To specify all internal and link-local networks (including 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12), you can use the "private" alias instead of an address. These addresses are rejected by default (at the beginning of your -exit policy) unless you set the ExitPolicyRejectPrivate config option +exit policy), along with your public IP address, unless you set the +ExitPolicyRejectPrivate config option to 0. For example, once you've done that, you could allow HTTP to 127.0.0.1 and block all other connections to internal networks with -"accept -127.0.0.1:80,reject private:*". See RFC 1918 and RFC 3330 for more +"accept 127.0.0.1:80,reject private:*", though that may also allow +connections to your own computer that are addressed to its public +(external) IP address. See RFC 1918 and RFC 3330 for more details about internal and reserved IP address space. This directive can be specified multiple times so you don't have to put @@ -773,7 +775,8 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_ .LP .TP \fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP -Reject all private (local) networks at the beginning of your exit +Reject all private (local) networks, along with your own public IP +address, at the beginning of your exit policy. See above entry on ExitPolicy. (Default: 1) .LP .TP diff --git a/src/or/or.h b/src/or/or.h index 7479ec9dc2..0bded333a5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3356,9 +3356,8 @@ void policies_parse_from_options(or_options_t *options); int cmp_addr_policies(addr_policy_t *a, addr_policy_t *b); addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr, uint16_t port, addr_policy_t *policy); -int policies_parse_exit_policy(config_line_t *cfg, - addr_policy_t **dest, - int rejectprivate); +int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest, + int rejectprivate, const char *local_address); int exit_policy_is_general_exit(addr_policy_t *policy); int policy_is_reject_star(addr_policy_t *policy); int getinfo_helper_policies(control_connection_t *conn, diff --git a/src/or/policies.c b/src/or/policies.c index 62b98a4762..ba3a375a1b 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -228,7 +228,7 @@ validate_addr_policies(or_options_t *options, char **msg) *msg = NULL; if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy, - options->ExitPolicyRejectPrivate)) + options->ExitPolicyRejectPrivate, NULL)) REJECT("Error in ExitPolicy entry."); /* The rest of these calls *append* to addr_policy. So don't actually @@ -556,10 +556,16 @@ exit_policy_remove_redundancies(addr_policy_t **dest) */ int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest, - int rejectprivate) + int rejectprivate, const char *local_address) { - if (rejectprivate) + if (rejectprivate) { append_exit_policy_string(dest, "reject private:*"); + if (local_address) { + char buf[POLICY_BUF_LEN]; + tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address); + append_exit_policy_string(dest, buf); + } + } if (parse_addr_policy(cfg, dest, -1)) return -1; append_exit_policy_string(dest, DEFAULT_EXIT_POLICY); diff --git a/src/or/router.c b/src/or/router.c index f46adeef1b..c1e8b0c92c 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -1215,7 +1215,8 @@ router_rebuild_descriptor(int force) ri->bandwidthcapacity = hibernating ? 0 : rep_hist_bandwidth_assess(); policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy, - options->ExitPolicyRejectPrivate); + options->ExitPolicyRejectPrivate, + ri->address); if (desc_routerinfo) { /* inherit values */ ri->is_valid = desc_routerinfo->is_valid; diff --git a/src/or/test.c b/src/or/test.c index bd67f5841e..448720ae53 100644 --- a/src/or/test.c +++ b/src/or/test.c @@ -2935,7 +2935,7 @@ test_policies(void) compare_addr_to_addr_policy(0xc0a80102, 2, policy)); policy2 = NULL; - test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1)); + test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, NULL)); test_assert(policy2); test_assert(!exit_policy_is_general_exit(policy)); @@ -2955,7 +2955,7 @@ test_policies(void) line.key = (char*)"foo"; line.value = (char*)"accept *:80,reject private:*,reject *:*"; line.next = NULL; - test_assert(0 == policies_parse_exit_policy(&line, &policy, 0)); + test_assert(0 == policies_parse_exit_policy(&line, &policy, 0, NULL)); test_assert(policy); test_streq(policy->string, "accept *:80"); test_streq(policy->next->string, "reject *:*");