Merge remote branch 'origin/maint-0.2.2'

Conflicts: src/or/buffers.c
2024-09-21 05:26:20 +02:00 · 2010-11-15 15:37:23 -05:00 · 2010-11-15 15:37:23 -05:00 · 9399b885cd
commit 9399b885cd
parent ba1b7a1ce1 522c204ac9
2 changed files with 41 additions and 35 deletions
--- a/changes/bug2000
+++ b/changes/bug2000
@ -0,0 +1,3 @@
+  o Minor bugfixes:
+    - Rate-limit the "your application is giving Tor only an IP address"
+      warning. Fixes bug 2000; bugfix on 0.0.8pre2.
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@ -1438,6 +1438,39 @@ fetch_from_evbuffer_http(struct evbuffer *buf,
 }
 #endif

+/**
+ * Wait this many seconds before warning the user about using SOCKS unsafely
+ * again (requires that WarnUnsafeSocks is turned on). */
+#define SOCKS_WARN_INTERVAL 5
+
+/** Warn that the user application has made an unsafe socks request using
+ * protocol <b>socks_protocol</b> on port <b>port</b>.  Don't warn more than
+ * once per SOCKS_WARN_INTERVAL, unless <b>safe_socks</b> is set. */
+static void
+log_unsafe_socks_warning(int socks_protocol, uint16_t port, int safe_socks)
+{
+  static ratelim_t socks_ratelim = RATELIM_INIT(SOCKS_WARN_INTERVAL);
+
+  or_options_t *options = get_options();
+  char *m = NULL;
+  if (! options->WarnUnsafeSocks)
+    return;
+  if (safe_socks || (m = rate_limit_log(&socks_ratelim, approx_time()))) {
+    log_warn(LD_APP,
+             "Your application (using socks%d to port %d) is giving "
+             "Tor only an IP address. Applications that do DNS resolves "
+             "themselves may leak information. Consider using Socks4A "
+             "(e.g. via privoxy or socat) instead. For more information, "
+             "please see https://wiki.torproject.org/TheOnionRouter/"
+             "TorFAQ#SOCKSAndDNS.%s%s",
+             socks_protocol,
+             (int)port,
+             safe_socks ? " Rejecting." : "",
+             m ? m : "");
+    tor_free(m);
+  }
+}
+
 /** There is a (possibly incomplete) socks handshake on <b>buf</b>, of one
 * of the forms
 *  - socks4: "socksheader username\\0"
@ -1598,10 +1631,6 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req,
  char *next, *startaddr;
  struct in_addr in;

-  /* If the user connects with socks4 or the wrong variant of socks5,
-   * then log a warning to let him know that it might be unwise. */
-  static int have_warned_about_unsafe_socks = 0;
-
  socksver = *data;

  switch (socksver) { /* which version of socks? */
@ -1679,23 +1708,11 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req,
          req->port = ntohs(get_uint16(data+4+addrlen));
          *drain_out = 6+addrlen;
          if (req->command != SOCKS_COMMAND_RESOLVE_PTR &&
-              !addressmap_have_mapping(req->address,0) &&
-              !have_warned_about_unsafe_socks) {
-            if (get_options()->WarnUnsafeSocks) {
-              log_warn(LD_APP,
-                  "Your application (using socks5 to port %d) is giving "
-                  "Tor only an IP address. Applications that do DNS resolves "
-                  "themselves may leak information. Consider using Socks4A "
-                  "(e.g. via privoxy or socat) instead. For more information, "
-                  "please see https://wiki.torproject.org/TheOnionRouter/"
-                  "TorFAQ#SOCKSAndDNS.%s", req->port,
-                  safe_socks ? " Rejecting." : "");
-              /*have_warned_about_unsafe_socks = 1;*/
-                                      /*(for now, warn every time)*/
+              !addressmap_have_mapping(req->address,0)) {
+            log_unsafe_socks_warning(5, req->port, safe_socks);
            control_event_client_status(LOG_WARN,
                          "DANGEROUS_SOCKS PROTOCOL=SOCKS5 ADDRESS=%s:%d",
                          req->address, req->port);
-            }
            if (safe_socks)
              return -1;
          }
@ -1798,23 +1815,9 @@ parse_socks(const char *data, size_t datalen, socks_request_t *req,

      startaddr = NULL;
      if (socks4_prot != socks4a &&
-          !addressmap_have_mapping(tmpbuf,0) &&
-          !have_warned_about_unsafe_socks) {
-        if (get_options()->WarnUnsafeSocks) {
-          log_warn(LD_APP,
-                 "Your application (using socks4 to port %d) is giving Tor "
-                 "only an IP address. Applications that do DNS resolves "
-                 "themselves may leak information. Consider using Socks4A "
-                 "(e.g. via privoxy or socat) instead. For more information, "
-                 "please see https://wiki.torproject.org/TheOnionRouter/"
-                 "TorFAQ#SOCKSAndDNS.%s", req->port,
-                 safe_socks ? " Rejecting." : "");
-          /*have_warned_about_unsafe_socks = 1;*/
-          /*(for now, warn every time)*/
-          control_event_client_status(LOG_WARN,
-                        "DANGEROUS_SOCKS PROTOCOL=SOCKS4 ADDRESS=%s:%d",
-                        tmpbuf, req->port);
-        }
+          !addressmap_have_mapping(tmpbuf,0)) {
+        log_unsafe_socks_warning(4, req->port, safe_socks);
+
        if (safe_socks)
          return -1;
      }