Draft: hardening(proxy): check port against relay pattern
So that the broker cannot tell the proxy to connect to arbitrary ports of the Snowflake server machine.
This does not affect the current production setup of Snowflake.
This is a breaking change for proxy users who set allowed-relay-hostname-pattern explicitly, because we renamed that parameter name in this commit.
For library users this is not breaking.
This is especially useful when AllowedRelayHostPattern is lax, i.e. when the proxy is able to connect to arbitrary (or more or less arbitrary) hosts. See "Dedicated Snowflake server port as a way to tell if host allows Snowflake connections".
I tested the proxy with the default arguments. It works fine.
Edited by WofWca
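A sketch of the kind of check this merge request describes, added here as an illustration and not taken from the Snowflake code base: a relay URL supplied by the broker is accepted only if both its host and its port match the configured pattern. The function name `relayAllowed`, the `host-suffix:port` pattern format, and the `example.net` values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// relayAllowed reports whether relayURL may be dialed under pattern.
// pattern uses a hypothetical "host-suffix:port" format (an assumption
// for this example, not the project's real parameter syntax).
func relayAllowed(relayURL, pattern string) bool {
	wantHost, wantPort, err := net.SplitHostPort(pattern)
	if err != nil {
		return false // malformed pattern: fail closed
	}
	u, err := url.Parse(relayURL)
	if err != nil || u.Scheme != "wss" {
		return false
	}
	port := u.Port()
	if port == "" {
		port = "443" // implicit default port for wss
	}
	host := strings.ToLower(u.Hostname())
	// Exact host, or a subdomain on a label boundary (".suffix"), so that
	// "evilrelay.example.net" does not pass for "relay.example.net".
	hostOK := host == wantHost || strings.HasSuffix(host, "."+wantHost)
	return hostOK && port == wantPort
}

func main() {
	pattern := "relay.example.net:443" // constructed sample value
	samples := []string{ // constructed relay URLs
		"wss://relay.example.net/",
		"wss://01.relay.example.net:443/",
		"wss://relay.example.net:22/",
		"wss://evilrelay.example.net/",
		"ws://relay.example.net:443/",
	}
	for _, s := range samples {
		fmt.Printf("%-34s allowed=%v\n", s, relayAllowed(s, pattern))
	}
}
```

A host-only check would accept the third sample; comparing the port as well is what keeps the proxy from being directed at other services on the relay machine.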