Commit 382a2895 authored by teor (Tim Wilson-Brown)'s avatar teor (Tim Wilson-Brown) Committed by David Goulet

Check onion hostnames against client port flags

Check NoOnionTraffic before attaching a stream.

NoOnionTraffic refuses connections to all onion hostnames,
but permits non-onion hostnames and IP addresses.
parent b311f820
+8 −0
@@ -1708,6 +1708,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
    /* If we get here, it's a request for a .onion address! */
    tor_assert(!automap);

    /* If .onion address requests are disabled, refuse the request */
    if (!conn->entry_cfg.onion_traffic) {
      log_warn(LD_APP, "Onion address %s requested from a port with .onion "
                       "disabled", safe_str_client(socks->address));
      connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
      return -1;
    }

    /* Check whether it's RESOLVE or RESOLVE_PTR.  We don't handle those
     * for hidden service addresses. */
    if (SOCKS_COMMAND_IS_RESOLVE(socks->command)) {
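Review bot: the refusal in this hunk logs at log_warn for every request, and the message does not name the port flag that caused it, so a user hitting it repeatedly gets warning-level spam without being told how to fix it. Since any local application can trigger this at will by asking for a .onion address, consider lowering it to log_info (or rate-limiting it) and naming the option in the text, e.g. "Onion address %s requested from a port with NoOnionTraffic set", so the log line points back to the SocksPort flag the commit message describes. Also worth a one-line comment: because this check sits before the SOCKS_COMMAND_IS_RESOLVE() branch, a RESOLVE for a .onion name on such a port is now rejected with END_STREAM_REASON_ENTRYPOLICY rather than falling through to the resolve-specific handling below; that matches "refuses connections to all onion hostnames" in the commit message, but the ordering is deliberate and should be stated in the comment on the check.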