nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-09-20 21:16:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implement Jason Holt's SafeSocks config option.

Browse Source 
Also put a URL in the warning message for unsafe socks4 use --
previously we'd only had the URL for unsafe socks5 use. Oops.


svn:r6190
This commit is contained in:
Roger Dingledine 2006-03-19 01:44:53 +00:00
parent 77b00edd27
commit d8195e4128
3 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/or/buffers.c
View File

@ -897,11 +897,14 @@ fetch_from_buf_http(buf_t *buf,
* If <b>log_sockstype</b> is non-zero, then do a notice-level log of whether
* the connection is possibly leaking DNS requests locally or not.
*
* If <b>safe_socks</b> is true, then reject unsafe socks protocols.
*
* If returning 0 or -1, <b>req->address</b> and <b>req->port</b> are
* undefined.
*/
int
fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
int log_sockstype, int safe_socks)
{
unsigned char len;
char tmpbuf[INET_NTOA_BUF_LEN];
@ -984,8 +987,11 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
"themselves may leak information. Consider using Socks4A "
"(e.g. via privoxy or socat) instead. For more information, "
"please see http://wiki.noreply.org/noreply/TheOnionRouter/"
"TorFAQ#SOCKSAndDNS", req->port);
"TorFAQ#SOCKSAndDNS.%s", req->port,
safe_socks ? " Rejecting." : "");
// have_warned_about_unsafe_socks = 1; // (for now, warn every time)
if (safe_socks)
return -1;
}
return 1;
case 3: /* fqdn */
@ -1075,8 +1081,13 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
"Your application (using socks4 on port %d) is giving Tor "
"only an IP address. Applications that do DNS resolves "
"themselves may leak information. Consider using Socks4A "
"(e.g. via privoxy or socat) instead.", req->port);
"(e.g. via privoxy or socat) instead. For more information, "
"please see http://wiki.noreply.org/noreply/TheOnionRouter/"
"TorFAQ#SOCKSAndDNS.%s", req->port,
safe_socks ? " Rejecting." : "");
// have_warned_about_unsafe_socks = 1; // (for now, warn every time)
if (safe_socks)
return -1;
}
if (socks4_prot == socks4a) {
if (next+1 == buf->cur+buf->datalen) {

1
src/or/config.c
View File

@ -218,6 +218,7 @@ static config_var_t _option_vars[] = {
VAR("RunAsDaemon", BOOL, RunAsDaemon, "0"),
VAR("RunTesting", BOOL, RunTesting, "0"),
VAR("SafeLogging", BOOL, SafeLogging, "1"),
VAR("SafeSocks", BOOL, SafeSocks, "0"),
VAR("ShutdownWaitLength", INTERVAL, ShutdownWaitLength, "30 seconds"),
VAR("SocksListenAddress", LINELIST, SocksListenAddress, NULL),
VAR("SocksPolicy", LINELIST, SocksPolicy, NULL),

5
src/or/or.h
View File

@ -1379,6 +1379,8 @@ typedef struct {
* long do we wait before exiting? */
int SafeLogging; /**< Boolean: are we allowed to log sensitive strings
* such as addresses (0), or do we scrub them first (1)? */
int SafeSocks; /**< Boolean: should we outright refuse application
* connections that use socks4 or socks5-with-local-dns? */
#define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? \
LOG_WARN : LOG_INFO)
int ProtocolWarnings; /**< Boolean: when other parties screw up the Tor
@ -1471,7 +1473,8 @@ int fetch_from_buf_http(buf_t *buf,
char **headers_out, size_t max_headerlen,
char **body_out, size_t *body_used, size_t max_bodylen,
int force_complete);
int fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype);
int fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
int log_sockstype, int safe_socks);
int fetch_from_buf_control0(buf_t *buf, uint32_t *len_out, uint16_t *type_out,
char **body_out, int check_for_v1);
int fetch_from_buf_line(buf_t *buf, char *data_out, size_t *data_len);