Implement Jason Holt's SafeSocks config option. (d8195e41) · Commits · The Tor Project / Core / Tor

src/or/buffers.c

+14 −3

Original line number	Diff line number	Diff line
		@@ -897,11 +897,14 @@ fetch_from_buf_http(buf_t *buf,
		* If <b>log_sockstype</b> is non-zero, then do a notice-level log of whether
		* the connection is possibly leaking DNS requests locally or not.
		*
		* If <b>safe_socks</b> is true, then reject unsafe socks protocols.
		*
		* If returning 0 or -1, <b>req->address</b> and <b>req->port</b> are
		* undefined.
		*/
		int
		fetch_from_buf_socks(buf_t buf, socks_request_t req, int log_sockstype)
		fetch_from_buf_socks(buf_t buf, socks_request_t req,
		int log_sockstype, int safe_socks)
		{
		unsigned char len;
		char tmpbuf[INET_NTOA_BUF_LEN];
		@@ -984,8 +987,11 @@ fetch_from_buf_socks(buf_t buf, socks_request_t req, int log_sockstype)
		"themselves may leak information. Consider using Socks4A "
		"(e.g. via privoxy or socat) instead. For more information, "
		"please see http://wiki.noreply.org/noreply/TheOnionRouter/"
		"TorFAQ#SOCKSAndDNS", req->port);
		"TorFAQ#SOCKSAndDNS.%s", req->port,
		safe_socks ? " Rejecting." : "");
		// have_warned_about_unsafe_socks = 1; // (for now, warn every time)
		if (safe_socks)
		return -1;
		}
		return 1;
		case 3: /* fqdn */
		@@ -1075,8 +1081,13 @@ fetch_from_buf_socks(buf_t buf, socks_request_t req, int log_sockstype)
		"Your application (using socks4 on port %d) is giving Tor "
		"only an IP address. Applications that do DNS resolves "
		"themselves may leak information. Consider using Socks4A "
		"(e.g. via privoxy or socat) instead.", req->port);
		"(e.g. via privoxy or socat) instead. For more information, "
		"please see http://wiki.noreply.org/noreply/TheOnionRouter/"
		"TorFAQ#SOCKSAndDNS.%s", req->port,
		safe_socks ? " Rejecting." : "");
		// have_warned_about_unsafe_socks = 1; // (for now, warn every time)
		if (safe_socks)
		return -1;
		}
		if (socks4_prot == socks4a) {
		if (next+1 == buf->cur+buf->datalen) {

src/or/config.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -218,6 +218,7 @@ static config_var_t _option_vars[] = {
		VAR("RunAsDaemon", BOOL, RunAsDaemon, "0"),
		VAR("RunTesting", BOOL, RunTesting, "0"),
		VAR("SafeLogging", BOOL, SafeLogging, "1"),
		VAR("SafeSocks", BOOL, SafeSocks, "0"),
		VAR("ShutdownWaitLength", INTERVAL, ShutdownWaitLength, "30 seconds"),
		VAR("SocksListenAddress", LINELIST, SocksListenAddress, NULL),
		VAR("SocksPolicy", LINELIST, SocksPolicy, NULL),

src/or/or.h

+4 −1

Original line number	Diff line number	Diff line
		@@ -1379,6 +1379,8 @@ typedef struct {
		* long do we wait before exiting? */
		int SafeLogging; /**< Boolean: are we allowed to log sensitive strings
		* such as addresses (0), or do we scrub them first (1)? */
		int SafeSocks; /**< Boolean: should we outright refuse application
		* connections that use socks4 or socks5-with-local-dns? */
		#define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? \
		LOG_WARN : LOG_INFO)
		int ProtocolWarnings; /**< Boolean: when other parties screw up the Tor
		@@ -1471,7 +1473,8 @@ int fetch_from_buf_http(buf_t *buf,
		char **headers_out, size_t max_headerlen,
		char *body_out, size_t body_used, size_t max_bodylen,
		int force_complete);
		int fetch_from_buf_socks(buf_t buf, socks_request_t req, int log_sockstype);
		int fetch_from_buf_socks(buf_t buf, socks_request_t req,
		int log_sockstype, int safe_socks);
		int fetch_from_buf_control0(buf_t buf, uint32_t len_out, uint16_t *type_out,
		char **body_out, int check_for_v1);
		int fetch_from_buf_line(buf_t buf, char data_out, size_t *data_len);