Consider demoting ".exit is disabled" log message to info

Closed (moved) Issue created 5 years ago by George Kadianakis

  /* Check for whether this is a .exit address.  By default, those are
   * disallowed when they're coming straight from the client, but you're
   * allowed to have them in MapAddress commands and so forth. */
  if (!strcmpend(socks->address, ".exit")) {
    log_warn(LD_APP, "The  \".exit\" notation is disabled in Tor due to "
             "security risks.");
    control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
                                escaped(socks->address));
    out->end_reason = END_STREAM_REASON_TORPROTOCOL;
    out->should_close = 1;
    return;
  }

The above log message can be remotely triggered by websites and some people consider this a security issue: https://github.com/brave/brave-browser/issues/4629

This has also been reported to our h1 bug bounty program.

We should consider fixing this one particular instance, but I bet there is more of this lying around.

Consider demoting ".exit is disabled" log message to info

Linked items ... 0

Activity