Refuse to make direct connections to private OR addresses

Refuse connection requests to private OR addresses unless
ExtendAllowPrivateAddresses is set. Previously, tor would
connect, then refuse to send any cells to a private address.

Fixes bugs 17674 and 8976; bugfix on b7c172c9 (28 Aug 2012)
Original bug 6710, released in 0.2.3.21-rc and an 0.2.2 maint
release.

Patch by "teor".

doc/tor.1.txt

@@ -1898,9 +1898,11 @@ is non-zero):
     (Default: 1)
 
 [[ExtendAllowPrivateAddresses]] **ExtendAllowPrivateAddresses** **0**|**1**::
-    When this option is enabled, Tor routers allow EXTEND request to
-    localhost, RFC1918 addresses, and so on. This can create security issues;
-    you should probably leave it off. (Default: 0)
+    When this option is enabled, Tor will connect to localhost, RFC1918
+    addresses, and so on. In particular, Tor will make direct connections, and
+    Tor routers allow EXTEND requests, to these private addresses. This can
+    create security issues; you should probably leave it off.
+    (Default: 0)
 
 [[MaxMemInQueues]] **MaxMemInQueues**  __N__ **bytes**|**KB**|**MB**|**GB**::
     This option configures a threshold above which Tor will assume that it

src/or/circuitbuild.c

@@ -498,6 +498,14 @@ circuit_handle_first_hop(origin_circuit_t *circ)
   tor_assert(firsthop);
   tor_assert(firsthop->extend_info);
 
+  /* XX/teor - does tor ever need build a circuit directly to itself? */
+  if (tor_addr_is_internal(&firsthop->extend_info->addr, 0) &&
+      !get_options()->ExtendAllowPrivateAddresses) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Client asked me to connect directly to a private address");
+    return -END_CIRC_REASON_TORPROTOCOL;
+  }
+
   /* now see if we're already connected to the first OR in 'route' */
   log_debug(LD_CIRC,"Looking for firsthop '%s'",
             fmt_addrport(&firsthop->extend_info->addr,