mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Disable extending to private/internal addresses by default
This is important, since otherwise an attacker can use timing info to probe the internal network. Also, add an option (ExtendAllowPrivateAddresses) so that TestingTorNetwork won't break. Fix for bug 6710; bugfix on all released versions of Tor.
This commit is contained in:
parent
ce4add498f
commit
b7c172c9ec
7
changes/bug6710
Normal file
7
changes/bug6710
Normal file
@ -0,0 +1,7 @@
|
||||
o Major bugfixes (security):
|
||||
- Reject any attempt to extend to an internal address. Without
|
||||
this fix, a router could be used to probe addresses on an
|
||||
internal network to see whether they were accepting
|
||||
connections. Fix for bug 6710; bugfix on all released versions
|
||||
of Tor.
|
||||
|
@ -1470,6 +1470,11 @@ is non-zero):
|
||||
its extra-info documents that it uploads to the directory authorities.
|
||||
(Default: 1)
|
||||
|
||||
**ExtendAllowPrivateAddresses** **0**|**1**::
|
||||
When this option is enabled, Tor routers allow EXTEND request to
|
||||
localhost, RFC1918 addresses, and so on. This can create security issues;
|
||||
you should probably leave it off. (Default: 0)
|
||||
|
||||
DIRECTORY SERVER OPTIONS
|
||||
------------------------
|
||||
|
||||
@ -1795,6 +1800,7 @@ The following options are used for running a testing Tor network.
|
||||
ClientRejectInternalAddresses 0
|
||||
CountPrivateBandwidth 1
|
||||
ExitPolicyRejectPrivate 0
|
||||
ExtendAllowPrivateAddresses 1
|
||||
V3AuthVotingInterval 5 minutes
|
||||
V3AuthVoteDelay 20 seconds
|
||||
V3AuthDistDelay 20 seconds
|
||||
|
@ -2432,6 +2432,13 @@ circuit_extend(cell_t *cell, circuit_t *circ)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (tor_addr_is_internal(&n_addr, 0) &&
|
||||
!get_options()->ExtendAllowPrivateAddresses) {
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
|
||||
"Client asked me to extend to a private address");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Check if they asked us for 0000..0000. We support using
|
||||
* an empty fingerprint for the first hop (e.g. for a bridge relay),
|
||||
* but we don't want to let people send us extend cells for empty
|
||||
|
@ -276,6 +276,7 @@ static config_var_t _option_vars[] = {
|
||||
V(ExitPolicy, LINELIST, NULL),
|
||||
V(ExitPolicyRejectPrivate, BOOL, "1"),
|
||||
V(ExitPortStatistics, BOOL, "0"),
|
||||
V(ExtendAllowPrivateAddresses, BOOL, "0"),
|
||||
V(ExtraInfoStatistics, BOOL, "1"),
|
||||
|
||||
#if defined (WINCE)
|
||||
@ -473,6 +474,7 @@ static const config_var_t testing_tor_network_defaults[] = {
|
||||
V(ClientRejectInternalAddresses, BOOL, "0"),
|
||||
V(CountPrivateBandwidth, BOOL, "1"),
|
||||
V(ExitPolicyRejectPrivate, BOOL, "0"),
|
||||
V(ExtendAllowPrivateAddresses, BOOL, "1"),
|
||||
V(V3AuthVotingInterval, INTERVAL, "5 minutes"),
|
||||
V(V3AuthVoteDelay, INTERVAL, "20 seconds"),
|
||||
V(V3AuthDistDelay, INTERVAL, "20 seconds"),
|
||||
|
@ -3029,8 +3029,10 @@ typedef struct {
|
||||
config_line_t *RecommendedVersions;
|
||||
config_line_t *RecommendedClientVersions;
|
||||
config_line_t *RecommendedServerVersions;
|
||||
/** Whether dirservers refuse router descriptors with private IPs. */
|
||||
/** Whether dirservers allow router descriptors with private IPs. */
|
||||
int DirAllowPrivateAddresses;
|
||||
/** Whether routers accept EXTEND cells to routers with private IPs. */
|
||||
int ExtendAllowPrivateAddresses;
|
||||
char *User; /**< Name of user to run Tor as. */
|
||||
char *Group; /**< Name of group to run Tor as. */
|
||||
config_line_t *ORPort_lines; /**< Ports to listen on for OR connections. */
|
||||
|
Loading…
Reference in New Issue
Block a user