Commit f02fd6c3 authored by Nick Mathewson's avatar Nick Mathewson 🎨
Browse files

Remove AllowDotExit.

It's been deprecated since 0.2.9.2-alpha.  Closes ticket 23426.
parent 8421756d
o Removed features:
- The AllowDotExit option has been removed as unsafe. It has
been deprecated since 0.2.9.2-alpha. Closes ticket 23426.
......@@ -924,7 +924,7 @@ The following options are useful only for clients (that is, if
The ExcludeNodes option overrides this option: any node listed in both
ExitNodes and ExcludeNodes is treated as excluded. +
+
The .exit address notation, if enabled via AllowDotExit, overrides
The .exit address notation, if enabled via MapAddress, overrides
this option.
[[EntryNodes]] **EntryNodes** __node__,__node__,__...__::
......@@ -1328,12 +1328,6 @@ The following options are useful only for clients (that is, if
resolved. This helps trap accidental attempts to resolve URLs and so on.
(Default: 0)
[[AllowDotExit]] **AllowDotExit** **0**|**1**::
If enabled, we convert "www.google.com.foo.exit" addresses on the
SocksPort/TransPort/NATDPort into "www.google.com" addresses that exit from
the node "foo". Disabled by default since attacking websites and exit
relays can use it to manipulate your path selection. (Default: 0)
[[HTTPTunnelPort]] **HTTPTunnelPort** \['address':]__port__|**auto** [_isolation flags_]::
Open this port to listen for proxy connections using the "HTTP CONNECT"
protocol instead of SOCKS. Set this to 0
......
......@@ -206,7 +206,7 @@ static config_var_t option_vars_[] = {
VAR("AccountingRule", STRING, AccountingRule_option, "max"),
V(AccountingStart, STRING, NULL),
V(Address, STRING, NULL),
V(AllowDotExit, BOOL, "0"),
OBSOLETE("AllowDotExit"),
OBSOLETE("AllowInvalidNodes"),
V(AllowNonRFC953Hostnames, BOOL, "0"),
OBSOLETE("AllowSingleHopCircuits"),
......@@ -671,8 +671,6 @@ static const config_var_t testing_tor_network_defaults[] = {
static const config_deprecation_t option_deprecation_notes_[] = {
/* Deprecated since 0.2.9.2-alpha... */
{ "AllowDotExit", "Unrestricted use of the .exit notation can be used for "
"a wide variety of application-level attacks." },
{ "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
"easier to fingerprint, and may open you to esoteric attacks." },
/* End of options deprecated since 0.2.9.2-alpha. */
......
......@@ -1235,10 +1235,9 @@ connection_ap_handshake_rewrite(entry_connection_t *conn,
/* Check for whether this is a .exit address. By default, those are
* disallowed when they're coming straight from the client, but you're
* allowed to have them in MapAddress commands and so forth. */
if (!strcmpend(socks->address, ".exit") && !options->AllowDotExit) {
if (!strcmpend(socks->address, ".exit")) {
log_warn(LD_APP, "The \".exit\" notation is disabled in Tor due to "
"security risks. Set AllowDotExit in your torrc to enable "
"it (at your own risk).");
"security risks.");
control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
escaped(socks->address));
out->end_reason = END_STREAM_REASON_TORPROTOCOL;
......@@ -1653,23 +1652,23 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
const node_t *node = NULL;
/* If this .exit was added by an AUTOMAP, then it came straight from
* a user. Make sure that options->AllowDotExit permits that! */
if (exit_source == ADDRMAPSRC_AUTOMAP && !options->AllowDotExit) {
/* Whoops; this one is stale. It must have gotten added earlier,
* when AllowDotExit was on. */
log_warn(LD_APP,"Stale automapped address for '%s.exit', with "
"AllowDotExit disabled. Refusing.",
* a user. That's not safe. */
if (exit_source == ADDRMAPSRC_AUTOMAP) {
/* Whoops; this one is stale. It must have gotten added earlier?
* (Probably this is not possible, since AllowDotExit no longer
* exists.) */
log_warn(LD_APP,"Stale automapped address for '%s.exit'. Refusing.",
safe_str_client(socks->address));
control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
escaped(socks->address));
connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
tor_assert_nonfatal_unreached();
return -1;
}
/* Double-check to make sure there are no .exits coming from
* impossible/weird sources. */
if (exit_source == ADDRMAPSRC_DNS ||
(exit_source == ADDRMAPSRC_NONE && !options->AllowDotExit)) {
if (exit_source == ADDRMAPSRC_DNS || exit_source == ADDRMAPSRC_NONE) {
/* It shouldn't be possible to get a .exit address from any of these
* sources. */
log_warn(LD_BUG,"Address '%s.exit', with impossible source for the "
......
......@@ -4160,13 +4160,6 @@ typedef struct {
* if we are a cache). For authorities, this is always true. */
int DownloadExtraInfo;
/** If true, we convert "www.google.com.foo.exit" addresses on the
* socks/trans/natd ports into "www.google.com" addresses that
* exit from the node "foo". Disabled by default since attacking
* websites and exit relays can use it to manipulate your path
* selection. */
int AllowDotExit;
/** If true, we're configured to collect statistics on clients
* requesting network statuses from us as directory. */
int DirReqStatistics_option;
......
......@@ -76,7 +76,6 @@ test_entryconn_rewrite_bad_dotexit(void *arg)
entry_connection_t *ec = arg;
rewrite_result_t rr;
get_options_mutable()->AllowDotExit = 0;
tt_assert(ec->socks_request);
strlcpy(ec->socks_request->address, "www.TORproject.org.foo.exit",
sizeof(ec->socks_request->address));
......@@ -480,7 +479,7 @@ test_entryconn_rewrite_reject_internal_reverse(void *arg)
;
}
/* Rewrite into .exit because of virtual address mapping */
/* Rewrite into .exit because of virtual address mapping. */
static void
test_entryconn_rewrite_automap_exit(void *arg)
{
......@@ -491,43 +490,21 @@ test_entryconn_rewrite_automap_exit(void *arg)
ec2 = entry_connection_new(CONN_TYPE_AP, AF_INET);
get_options_mutable()->AutomapHostsOnResolve = 1;
get_options_mutable()->AllowDotExit = 1;
smartlist_add_strdup(get_options_mutable()->AutomapHostsSuffixes,
".EXIT");
parse_virtual_addr_network("127.1.0.0/16", AF_INET, 0, &msg);
/* Automap this on resolve. */
/* Try to automap this on resolve. */
strlcpy(ec->socks_request->address, "website.example.exit",
sizeof(ec->socks_request->address));
ec->socks_request->command = SOCKS_COMMAND_RESOLVE;
connection_ap_handshake_rewrite(ec, &rr);
tt_int_op(rr.automap, OP_EQ, 1);
tt_int_op(rr.should_close, OP_EQ, 0);
tt_int_op(rr.end_reason, OP_EQ, 0);
tt_i64_op(rr.map_expires, OP_EQ, TIME_MAX);
tt_int_op(rr.exit_source, OP_EQ, ADDRMAPSRC_NONE);
tt_str_op(rr.orig_address, OP_EQ, "website.example.exit");
tt_str_op(ec->original_dest_address, OP_EQ, "website.example.exit");
tt_assert(!strcmpstart(ec->socks_request->address,"127.1."));
/* Connect to it and make sure we get the original address back. */
strlcpy(ec2->socks_request->address, ec->socks_request->address,
sizeof(ec2->socks_request->address));
ec2->socks_request->command = SOCKS_COMMAND_CONNECT;
connection_ap_handshake_rewrite(ec2, &rr);
/* Make sure it isn't allowed -- there is no longer an AllowDotExit
* option. */
tt_int_op(rr.automap, OP_EQ, 0);
tt_int_op(rr.should_close, OP_EQ, 0);
tt_int_op(rr.end_reason, OP_EQ, 0);
tt_i64_op(rr.map_expires, OP_EQ, TIME_MAX);
tt_int_op(rr.exit_source, OP_EQ, ADDRMAPSRC_AUTOMAP);
tt_str_op(rr.orig_address, OP_EQ, ec->socks_request->address);
tt_str_op(ec2->original_dest_address, OP_EQ, ec->socks_request->address);
tt_str_op(ec2->socks_request->address, OP_EQ, "website.example.exit");
tt_int_op(rr.should_close, OP_EQ, 1);
tt_int_op(rr.end_reason, OP_EQ, END_STREAM_REASON_TORPROTOCOL);
done:
connection_free_(ENTRY_TO_CONN(ec2));
......@@ -577,7 +554,6 @@ test_entryconn_rewrite_mapaddress_automap_onion(void *arg)
ec4 = entry_connection_new(CONN_TYPE_AP, AF_INET);
get_options_mutable()->AutomapHostsOnResolve = 1;
get_options_mutable()->AllowDotExit = 1;
smartlist_add_strdup(get_options_mutable()->AutomapHostsSuffixes,
".onion");
parse_virtual_addr_network("192.168.0.0/16", AF_INET, 0, &msg);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment