Commit 9df8eec6 authored by Roger Dingledine

backport r12459


svn:r12611
parent d9ad4176
+7 −0
Changes in version 0.1.2.19 - 2007-??-??
  o Security fixes:
    - Exit policies now reject connections that are addressed to a
      relay's public (external) IP address too, unless
      ExitPolicyRejectPrivate is turned off. We do this because too
      many relays are running nearby to services that trust them based
      on network address.

  o Major bugfixes:
    - When the clock jumps forward a lot, do not allow the bandwidth
      buckets to become negative.  Fixes Bug 544.
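Review bot: The new "Security fixes" entry should tell operators who run with ExitPolicyRejectPrivate set to 0 what to do, since its "unless ExitPolicyRejectPrivate is turned off" clause means those relays get no protection from this change. Suggest adding that such operators need their own reject line for the relay's public address. Minor wording: "running nearby to services" reads better as "running near services".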
+5 −5
@@ -7,12 +7,11 @@ Backport items for 0.1.2:
  o r11882: Avoid crash-bug 451.
  o r11886: Consider family as well as identity when cannibalizing circuits.
  - backport the osx privoxy.config changes
  - no need to backport the windows privoxy.config changes because they're
  X no need to backport the windows privoxy.config changes because they're
    not in SVN??
  - r12339: rlim_t may be wider than unsigned long.
  - r12341: Work if the real open-file limit is OPEN_FILES.

  - r12459: Exit policies reject public IP address too
  o r12459: Exit policies reject public IP address too

Backport for 0.1.2.x once better tested:
  D r11287: Reject address mappings to internal addresses. (??)
@@ -20,7 +19,8 @@ Backport for 0.1.2.x once better tested:
  o r11499, r11500, r11501: hidserv hexdigests rather than nicknames
  o r11829: Don't warn when cancel_pending_resolve() finds a cached failure.
  o r11915: just because you hup, don't publish a near-duplicate descriptor
  - r11994: Call routerlist_remove_old_routers() less.  This will be a
  d r11994: Call routerlist_remove_old_routers() less.  This will be a
            tricky backport.
  - r12153 and r12154: Give better warnings when we fail to mmap a descriptor
            store that we just wrote.
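Review bot: The status marker on the r11994 line is a lowercase "d", while the r11287 line just above uses an uppercase "D"; if both mean the same thing, use one form, and if they differ, make sure the distinction is stated somewhere in this file. The r11994 status change, like the privoxy.config one in the previous hunk, is unrelated to r12459 and would be easier to track in its own commit.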
+7 −4
@@ -621,11 +621,13 @@ To specify all internal and link-local networks (including 0.0.0.0/8,
169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and
172.16.0.0/12), you can use the "private" alias instead of an address.
These addresses are rejected by default (at the beginning of your
exit policy) unless you set the ExitPolicyRejectPrivate config option
exit policy), along with your public IP address, unless you set the
ExitPolicyRejectPrivate config option
to 0. For example, once you've done that, you could allow HTTP to
127.0.0.1 and block all other connections to internal networks with
"accept
127.0.0.1:80,reject private:*".  See RFC 1918 and RFC 3330 for more
"accept 127.0.0.1:80,reject private:*", though that may also allow
connections to your own computer that are addressed to its public
(external) IP address. See RFC 1918 and RFC 3330 for more
details about internal and reserved IP address space.

This directive can be specified multiple times so you don't have to put
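Review bot: The clause added after "accept 127.0.0.1:80,reject private:*" warns that the example may leave the relay's public address reachable but does not say how to close that gap. Suggest extending the example with an explicit reject line for the operator's own address, so that someone copying it with ExitPolicyRejectPrivate set to 0 keeps the protection this change introduces.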
@@ -655,7 +657,8 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_
.LP
.TP
\fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP
Reject all private (local) networks at the beginning of your exit
Reject all private (local) networks, along with your own public IP
address, at the beginning of your exit
policy. See above entry on ExitPolicy. (Default: 1)
.LP
.TP
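Review bot: The ExitPolicyRejectPrivate entry now covers "your own public IP address", but the text does not say which address that is, and the option name still only says "Private". The parser in this commit takes a single local_address string, so the entry should state that only one address is rejected and that a relay reachable at additional addresses needs explicit reject lines for them.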
+2 −3
@@ -2600,9 +2600,8 @@ void policies_parse_from_options(or_options_t *options);
int cmp_addr_policies(addr_policy_t *a, addr_policy_t *b);
addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr,
                              uint16_t port, addr_policy_t *policy);
int policies_parse_exit_policy(config_line_t *cfg,
                               addr_policy_t **dest,
                               int rejectprivate);
int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
                               int rejectprivate, const char *local_address);
int exit_policy_is_general_exit(addr_policy_t *policy);
int policy_is_reject_star(addr_policy_t *policy);
int getinfo_helper_policies(control_connection_t *conn,
+9 −3
@@ -232,7 +232,7 @@ validate_addr_policies(or_options_t *options, char **msg)
  *msg = NULL;

  if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
                                 options->ExitPolicyRejectPrivate))
                                 options->ExitPolicyRejectPrivate, NULL))
    REJECT("Error in ExitPolicy entry.");

  /* The rest of these calls *append* to addr_policy. So don't actually
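Review bot: The NULL passed as the new last argument in validate_addr_policies() needs a short comment, because it means the policy built during validation omits the local-address reject rule that the running policy is meant to contain. If the intent is that validation only checks the syntax of the configured ExitPolicy lines, say so at the call. The caller that passes a real address is not among the hunks visible on this page, so that side could not be reviewed.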
@@ -554,10 +554,16 @@ exit_policy_remove_redundancies(addr_policy_t **dest)
 */
int
policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
                           int rejectprivate)
                           int rejectprivate, const char *local_address)
{
  if (rejectprivate)
  if (rejectprivate) {
    append_exit_policy_string(dest, "reject private:*");
    if (local_address) {
      char buf[POLICY_BUF_LEN];
      tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address);
      append_exit_policy_string(dest, buf);
    }
  }
  if (parse_addr_policy(cfg, dest, -1))
    return -1;
  append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
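Review bot: The return value of tor_snprintf() in the new local_address branch is not checked, so a local_address that does not fit in POLICY_BUF_LEN goes unnoticed and the reject rule for the relay's own address may end up malformed or missing without any log message. Suggest checking the result and logging a warning when the rule cannot be built. The function's doc comment (closing at the " */" context line) is not touched by this hunk and should describe local_address, including that NULL skips the rule.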