
Draft: hardening(proxy): check port against relay pattern

Closed WofWca requested to merge WofWca/snowflake:proxy-reject-arbitrary-relay-ports into main
  1. Sep 02, 2024
    • hardening(proxy): check port against relay pattern · 8c3db389
      WofWca authored
      So that the broker cannot tell the proxy to connect to arbitrary ports
      of the Snowflake server machine.
      
      This is a breaking change for proxy users who set
      `allowed-relay-hostname-pattern` explicitly, because
      we renamed that parameter name in this commit.
      For library users this is not breaking.
      
      This does not affect the current production setup of Snowflake.
      
      This is especially useful when `AllowedRelayHostPattern` is lax,
      i.e. when the proxy is able to connect to arbitrary
      (or more or less arbitrary) hosts. See
      [Dedicated Snowflake server port as a way to tell if host allows Snowflake connections](#40166)
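
The effect of matching the port as well as the host, as an added example that is not code from this merge request or from the Snowflake project. The function names, the label-boundary suffix matching, the scheme default ports and the `relay.example` URLs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostMatches does suffix matching on a DNS label boundary (assumed semantics).
func hostMatches(host, suffix string) bool {
	return host == suffix || strings.HasSuffix(host, "."+suffix)
}

// hostOnlyAllowed checks the hostname alone: any port on an allowed host passes.
func hostOnlyAllowed(relayURL, hostSuffix string) bool {
	u, err := url.Parse(relayURL)
	return err == nil && hostMatches(u.Hostname(), hostSuffix)
}

// hostPortAllowed also requires the effective port to equal allowedPort.
func hostPortAllowed(relayURL, hostSuffix, allowedPort string) bool {
	u, err := url.Parse(relayURL)
	if err != nil || !hostMatches(u.Hostname(), hostSuffix) {
		return false
	}
	port := u.Port()
	if port == "" { // no explicit port: fall back to the scheme default
		port = map[string]string{"ws": "80", "wss": "443"}[u.Scheme]
	}
	return port != "" && port == allowedPort
}

func main() {
	// Constructed relay URLs, standing in for what a broker hands to a proxy.
	for _, raw := range []string{
		"wss://relay.example/",
		"wss://relay.example:443/",
		"wss://relay.example:22/",
		"wss://notrelay.example:443/",
	} {
		fmt.Printf("%-30s host-only=%-5v host+port=%v\n", raw,
			hostOnlyAllowed(raw, "relay.example"),
			hostPortAllowed(raw, "relay.example", "443"))
	}
}
```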