Commit 10fdb9ee authored by Sebastian Hahn's avatar Sebastian Hahn

Add option to not warn when getting an IP instead of hostname

parent faf51fa5
o Minor features:
- Allow disabling the warning that occurs whenever Tor receives only
an IP address instead of a hostname. Setups that do DNS locally over
Tor are fine, and we shouldn't spam the logs in that case.
......@@ -632,6 +632,12 @@ The following options are useful only for clients (that is, if
helps to determine whether an application using Tor is possibly leaking
DNS requests. (Default: 0)
**WarnUnsafeSocks** **0**|**1**::
When this option is enabled, Tor will warn whenever a request is
received that only contains an IP address instead of a hostname. Allowing
applications to do DNS resolves themselves is usually a bad idea and
can leak your location to attackers. (Default: 1)
**VirtualAddrNetwork** __Address__/__bits__::
When a controller asks for a virtual (unused) address with the MAPADDRESS
command, Tor picks an unassigned address from this range. (Default:
......
......@@ -1402,19 +1402,21 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
if (req->command != SOCKS_COMMAND_RESOLVE_PTR &&
!addressmap_have_mapping(req->address,0) &&
!have_warned_about_unsafe_socks) {
log_warn(LD_APP,
"Your application (using socks5 to port %d) is giving "
"Tor only an IP address. Applications that do DNS resolves "
"themselves may leak information. Consider using Socks4A "
"(e.g. via privoxy or socat) instead. For more information, "
"please see https://wiki.torproject.org/TheOnionRouter/"
"TorFAQ#SOCKSAndDNS.%s", req->port,
safe_socks ? " Rejecting." : "");
/*have_warned_about_unsafe_socks = 1;*/
if (get_options()->WarnUnsafeSocks) {
log_warn(LD_APP,
"Your application (using socks5 to port %d) is giving "
"Tor only an IP address. Applications that do DNS resolves "
"themselves may leak information. Consider using Socks4A "
"(e.g. via privoxy or socat) instead. For more information, "
"please see https://wiki.torproject.org/TheOnionRouter/"
"TorFAQ#SOCKSAndDNS.%s", req->port,
safe_socks ? " Rejecting." : "");
/*have_warned_about_unsafe_socks = 1;*/
/*(for now, warn every time)*/
control_event_client_status(LOG_WARN,
"DANGEROUS_SOCKS PROTOCOL=SOCKS5 ADDRESS=%s:%d",
req->address, req->port);
}
if (safe_socks)
return -1;
}
......@@ -1516,7 +1518,8 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
if (socks4_prot != socks4a &&
!addressmap_have_mapping(tmpbuf,0) &&
!have_warned_about_unsafe_socks) {
log_warn(LD_APP,
if (get_options()->WarnUnsafeSocks) {
log_warn(LD_APP,
"Your application (using socks4 to port %d) is giving Tor "
"only an IP address. Applications that do DNS resolves "
"themselves may leak information. Consider using Socks4A "
......@@ -1524,10 +1527,12 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
"please see https://wiki.torproject.org/TheOnionRouter/"
"TorFAQ#SOCKSAndDNS.%s", req->port,
safe_socks ? " Rejecting." : "");
/*have_warned_about_unsafe_socks = 1;*/ /*(for now, warn every time)*/
control_event_client_status(LOG_WARN,
/*have_warned_about_unsafe_socks = 1;*/
/*(for now, warn every time)*/
control_event_client_status(LOG_WARN,
"DANGEROUS_SOCKS PROTOCOL=SOCKS4 ADDRESS=%s:%d",
tmpbuf, req->port);
}
if (safe_socks)
return -1;
}
......
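Review bot: The `control_event_client_status(LOG_WARN, "DANGEROUS_SOCKS PROTOCOL=SOCKS5 ADDRESS=%s:%d", ...)` call now sits inside the new `if (get_options()->WarnUnsafeSocks)` block, so setting the option to 0 silences the controller status event as well as the log line; the same applies to the SOCKS4 call in the later hunks. The changes entry and the option text describe only the log warning, and a controller that watches DANGEROUS_SOCKS to notice applications resolving DNS outside Tor would presumably stop seeing it. I would close the brace right after the `log_warn(...)` call and leave the event unconditional, or else document that the option gates both. Separately, with SafeSocks set the request is still rejected by `if (safe_socks) return -1;`, but with WarnUnsafeSocks 0 nothing is logged to explain the rejection. fetch_from_buf_socks starts and ends outside these hunks.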
......@@ -280,6 +280,7 @@ static config_var_t _option_vars[] = {
V(NatdListenAddress, LINELIST, NULL),
V(NatdPort, UINT, "0"),
V(Nickname, STRING, NULL),
V(WarnUnsafeSocks, BOOL, "1"),
V(NoPublish, BOOL, "0"),
VAR("NodeFamily", LINELIST, NodeFamilies, NULL),
V(NumCpus, UINT, "1"),
......
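Review bot: `V(WarnUnsafeSocks, BOOL, "1")` is inserted between `Nickname` and `NoPublish`, while the other entries visible in this hunk are in alphabetical order; placing it with the other W options would keep `_option_vars` easy to scan. The table begins and ends outside the hunk, so the exact position cannot be confirmed from here.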
......@@ -2701,6 +2701,10 @@ typedef struct {
* selection. */
int AllowDotExit;
/** If true, we will warn if a user gives us only an IP address
* instead of a hostname. */
int WarnUnsafeSocks;
/** If true, the user wants us to collect statistics on clients
* requesting network statuses from us as directory. */
int DirReqStatistics;
......