mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 13:13:44 +01:00
Implement Jason Holt's SafeSocks config option.
Also put a URL in the warning message for unsafe socks4 use -- previously we'd only had the URL for unsafe socks5 use. Oops. svn:r6190
This commit is contained in:
parent
77b00edd27
commit
d8195e4128
@ -897,11 +897,14 @@ fetch_from_buf_http(buf_t *buf,
|
||||
* If <b>log_sockstype</b> is non-zero, then do a notice-level log of whether
|
||||
* the connection is possibly leaking DNS requests locally or not.
|
||||
*
|
||||
* If <b>safe_socks</b> is true, then reject unsafe socks protocols.
|
||||
*
|
||||
* If returning 0 or -1, <b>req->address</b> and <b>req->port</b> are
|
||||
* undefined.
|
||||
*/
|
||||
int
|
||||
fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
|
||||
fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
|
||||
int log_sockstype, int safe_socks)
|
||||
{
|
||||
unsigned char len;
|
||||
char tmpbuf[INET_NTOA_BUF_LEN];
|
||||
@ -984,8 +987,11 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
|
||||
"themselves may leak information. Consider using Socks4A "
|
||||
"(e.g. via privoxy or socat) instead. For more information, "
|
||||
"please see http://wiki.noreply.org/noreply/TheOnionRouter/"
|
||||
"TorFAQ#SOCKSAndDNS", req->port);
|
||||
"TorFAQ#SOCKSAndDNS.%s", req->port,
|
||||
safe_socks ? " Rejecting." : "");
|
||||
// have_warned_about_unsafe_socks = 1; // (for now, warn every time)
|
||||
if (safe_socks)
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
case 3: /* fqdn */
|
||||
@ -1075,8 +1081,13 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype)
|
||||
"Your application (using socks4 on port %d) is giving Tor "
|
||||
"only an IP address. Applications that do DNS resolves "
|
||||
"themselves may leak information. Consider using Socks4A "
|
||||
"(e.g. via privoxy or socat) instead.", req->port);
|
||||
"(e.g. via privoxy or socat) instead. For more information, "
|
||||
"please see http://wiki.noreply.org/noreply/TheOnionRouter/"
|
||||
"TorFAQ#SOCKSAndDNS.%s", req->port,
|
||||
safe_socks ? " Rejecting." : "");
|
||||
// have_warned_about_unsafe_socks = 1; // (for now, warn every time)
|
||||
if (safe_socks)
|
||||
return -1;
|
||||
}
|
||||
if (socks4_prot == socks4a) {
|
||||
if (next+1 == buf->cur+buf->datalen) {
|
||||
|
@ -218,6 +218,7 @@ static config_var_t _option_vars[] = {
|
||||
VAR("RunAsDaemon", BOOL, RunAsDaemon, "0"),
|
||||
VAR("RunTesting", BOOL, RunTesting, "0"),
|
||||
VAR("SafeLogging", BOOL, SafeLogging, "1"),
|
||||
VAR("SafeSocks", BOOL, SafeSocks, "0"),
|
||||
VAR("ShutdownWaitLength", INTERVAL, ShutdownWaitLength, "30 seconds"),
|
||||
VAR("SocksListenAddress", LINELIST, SocksListenAddress, NULL),
|
||||
VAR("SocksPolicy", LINELIST, SocksPolicy, NULL),
|
||||
|
@ -1379,6 +1379,8 @@ typedef struct {
|
||||
* long do we wait before exiting? */
|
||||
int SafeLogging; /**< Boolean: are we allowed to log sensitive strings
|
||||
* such as addresses (0), or do we scrub them first (1)? */
|
||||
int SafeSocks; /**< Boolean: should we outright refuse application
|
||||
* connections that use socks4 or socks5-with-local-dns? */
|
||||
#define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? \
|
||||
LOG_WARN : LOG_INFO)
|
||||
int ProtocolWarnings; /**< Boolean: when other parties screw up the Tor
|
||||
@ -1471,7 +1473,8 @@ int fetch_from_buf_http(buf_t *buf,
|
||||
char **headers_out, size_t max_headerlen,
|
||||
char **body_out, size_t *body_used, size_t max_bodylen,
|
||||
int force_complete);
|
||||
int fetch_from_buf_socks(buf_t *buf, socks_request_t *req, int log_sockstype);
|
||||
int fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
|
||||
int log_sockstype, int safe_socks);
|
||||
int fetch_from_buf_control0(buf_t *buf, uint32_t *len_out, uint16_t *type_out,
|
||||
char **body_out, int check_for_v1);
|
||||
int fetch_from_buf_line(buf_t *buf, char *data_out, size_t *data_len);
|
||||
|
Loading…
Reference in New Issue
Block a user