Consider demoting ".exit is disabled" log message to info
/* Check for whether this is a .exit address. By default, those are
* disallowed when they're coming straight from the client, but you're
* allowed to have them in MapAddress commands and so forth. */
if (!strcmpend(socks->address, ".exit")) {
log_warn(LD_APP, "The \".exit\" notation is disabled in Tor due to "
"security risks.");
control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
escaped(socks->address));
out->end_reason = END_STREAM_REASON_TORPROTOCOL;
out->should_close = 1;
return;
}
The above log message can be remotely triggered by websites and some people consider this a security issue: https://github.com/brave/brave-browser/issues/4629
This has also been reported to our h1 bug bounty program.
We should consider fixing this one particular instance, but I bet there is more of this lying around.