Merge branch 'bug2000_nm_022' into maint-0.2.2

522c204a · Nick Mathewson · 29c46814 · da3a6e72 · 522c204a · 522c204a
Commit 522c204a authored 14 years ago by Nick Mathewson
--- a/changes/bug2000
+++ b/changes/bug2000
+  o Minor bugfixes:
+    - Rate-limit the "your application is giving Tor only an IP address"
+      warning. Fixes bug 2000; bugfix on 0.0.8pre2.
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -1299,6 +1299,39 @@ fetch_from_buf_http(buf_t *buf,
  return 1;
 }

+/**
+ * Wait this many seconds before warning the user about using SOCKS unsafely
+ * again (requires that WarnUnsafeSocks is turned on). */
+#define SOCKS_WARN_INTERVAL 5
+
+/** Warn that the user application has made an unsafe socks request using
+ * protocol <b>socks_protocol</b> on port <b>port</b>.  Don't warn more than
+ * once per SOCKS_WARN_INTERVAL, unless <b>safe_socks</b> is set. */
+static void
+log_unsafe_socks_warning(int socks_protocol, uint16_t port, int safe_socks)
+{
+  static ratelim_t socks_ratelim = RATELIM_INIT(SOCKS_WARN_INTERVAL);
+
+  or_options_t *options = get_options();
+  char *m = NULL;
+  if (! options->WarnUnsafeSocks)
+    return;
+  if (safe_socks || (m = rate_limit_log(&socks_ratelim, approx_time()))) {
+    log_warn(LD_APP,
+             "Your application (using socks%d to port %d) is giving "
+             "Tor only an IP address. Applications that do DNS resolves "
+             "themselves may leak information. Consider using Socks4A "
+             "(e.g. via privoxy or socat) instead. For more information, "
+             "please see https://wiki.torproject.org/TheOnionRouter/"
+             "TorFAQ#SOCKSAndDNS.%s%s",
+             socks_protocol,
+             (int)port,
+             safe_socks ? " Rejecting." : "",
+             m ? m : "");
+    tor_free(m);
+  }
+}
+
 /** There is a (possibly incomplete) socks handshake on <b>buf</b>, of one
 * of the forms
 *  - socks4: "socksheader username\\0"
@@ -1337,10 +1370,6 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
  char *next, *startaddr;
  struct in_addr in;

-  /* If the user connects with socks4 or the wrong variant of socks5,
-   * then log a warning to let him know that it might be unwise. */
-  static int have_warned_about_unsafe_socks = 0;
-
  if (buf->datalen < 2) /* version and another byte */
    return 0;

@@ -1420,23 +1449,11 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
          req->port = ntohs(get_uint16(buf->head->data+4+addrlen));
          buf_remove_from_front(buf, 6+addrlen);
          if (req->command != SOCKS_COMMAND_RESOLVE_PTR &&
-              !addressmap_have_mapping(req->address,0) &&
-              !have_warned_about_unsafe_socks) {
-            if (get_options()->WarnUnsafeSocks) {
-              log_warn(LD_APP,
-                  "Your application (using socks5 to port %d) is giving "
-                  "Tor only an IP address. Applications that do DNS resolves "
-                  "themselves may leak information. Consider using Socks4A "
-                  "(e.g. via privoxy or socat) instead. For more information, "
-                  "please see https://wiki.torproject.org/TheOnionRouter/"
-                  "TorFAQ#SOCKSAndDNS.%s", req->port,
-                  safe_socks ? " Rejecting." : "");
-              /*have_warned_about_unsafe_socks = 1;*/
-                                      /*(for now, warn every time)*/
+              !addressmap_have_mapping(req->address,0)) {
+            log_unsafe_socks_warning(5, req->port, safe_socks);
            control_event_client_status(LOG_WARN,
                          "DANGEROUS_SOCKS PROTOCOL=SOCKS5 ADDRESS=%s:%d",
                          req->address, req->port);
-            }
            if (safe_socks)
              return -1;
          }
@@ -1536,23 +1553,9 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,

      startaddr = NULL;
      if (socks4_prot != socks4a &&
-          !addressmap_have_mapping(tmpbuf,0) &&
-          !have_warned_about_unsafe_socks) {
-        if (get_options()->WarnUnsafeSocks) {
-          log_warn(LD_APP,
-                 "Your application (using socks4 to port %d) is giving Tor "
-                 "only an IP address. Applications that do DNS resolves "
-                 "themselves may leak information. Consider using Socks4A "
-                 "(e.g. via privoxy or socat) instead. For more information, "
-                 "please see https://wiki.torproject.org/TheOnionRouter/"
-                 "TorFAQ#SOCKSAndDNS.%s", req->port,
-                 safe_socks ? " Rejecting." : "");
-          /*have_warned_about_unsafe_socks = 1;*/
-          /*(for now, warn every time)*/
-          control_event_client_status(LOG_WARN,
-                        "DANGEROUS_SOCKS PROTOCOL=SOCKS4 ADDRESS=%s:%d",
-                        tmpbuf, req->port);
-        }
+          !addressmap_have_mapping(tmpbuf,0)) {
+        log_unsafe_socks_warning(4, req->port, safe_socks);
+
        if (safe_socks)
          return -1;
      }