
[tor-browser/tor-browser-68.1.0esr-9.0-2] Bug 467035 - Avoid leaking browser language via DTD r=Gijs, bzbarsky
by gk@torproject.org 16 Sep '19
commit 2fe57c62af9706be45fc2085796a9398c3b10763
Author: Alex Catarineu <acat(a)torproject.org>
Date: Mon Jul 8 10:47:05 2019 +0000
Bug 467035 - Avoid leaking browser language via DTD r=Gijs,bzbarsky
Differential Revision: https://phabricator.services.mozilla.com/D34187
--HG--
extra : moz-landing-system : lando
---
.../browser_misused_characters_in_strings.js | 1 +
.../test/mochitest/formautofill/mochitest.ini | 1 +
dom/base/DOMParser.cpp | 11 +++++-
dom/base/DOMParser.h | 8 +++-
dom/base/Document.cpp | 39 ++-----------------
dom/base/Document.h | 10 +++++
dom/base/nsContentUtils.cpp | 28 ++++++++++++++
dom/base/nsContentUtils.h | 7 ++++
dom/security/nsContentSecurityManager.cpp | 16 +++++++-
dom/tests/mochitest/bugs/mochitest.ini | 1 +
dom/tests/mochitest/bugs/test_bug467035.html | 45 ++++++++++++++++++++++
dom/webidl/DOMParser.webidl | 5 +++
parser/htmlparser/nsExpatDriver.cpp | 6 ++-
testing/marionette/l10n.js | 6 ++-
.../firefox/firefox_puppeteer/api/l10n.py | 1 +
toolkit/content/widgets/datetimebox.js | 1 +
toolkit/content/widgets/pluginProblem.js | 1 +
toolkit/content/widgets/videocontrols.js | 4 ++
18 files changed, 150 insertions(+), 41 deletions(-)
diff --git a/browser/base/content/test/static/browser_misused_characters_in_strings.js b/browser/base/content/test/static/browser_misused_characters_in_strings.js
index eb17e92c7b59..4b1d9a75d3bb 100644
--- a/browser/base/content/test/static/browser_misused_characters_in_strings.js
+++ b/browser/base/content/test/static/browser_misused_characters_in_strings.js
@@ -272,6 +272,7 @@ add_task(async function checkAllTheFluents() {
{}
);
let domParser = new DOMParser();
+ domParser.forceEnableDTD();
for (let uri of uris) {
let rawContents = await fetchFile(uri.spec);
let resource = FluentResource.fromString(rawContents);
diff --git a/browser/components/payments/test/mochitest/formautofill/mochitest.ini b/browser/components/payments/test/mochitest/formautofill/mochitest.ini
index c58cdb9eefb3..9740f9e3e88f 100644
--- a/browser/components/payments/test/mochitest/formautofill/mochitest.ini
+++ b/browser/components/payments/test/mochitest/formautofill/mochitest.ini
@@ -6,4 +6,5 @@ support-files =
../../../../../../browser/extensions/formautofill/content/editCreditCard.xhtml
../../../../../../browser/extensions/formautofill/content/editAddress.xhtml
+skip-if = true # Bug 1446164
[test_editCreditCard.html]
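Review bot: The added `skip-if = true` sits above `[test_editCreditCard.html]`, in the section that holds `support-files`, so it presumably applies to that whole section (likely `[DEFAULT]`) and switches off every test in this manifest, not one file. The trailing `# Bug 1446164` gives no reason, and the commit message does not mention disabling payments tests. If the skip is needed because these pages load a locale DTD that the new principal check rejects, say so on the line, for example `skip-if = true # Bug 1446164: pages reference chrome:// DTDs, blocked for content since bug 467035`, so the lost coverage is traceable.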
diff --git a/dom/base/DOMParser.cpp b/dom/base/DOMParser.cpp
index 6f0d30fd75a7..3f12ef8d7c69 100644
--- a/dom/base/DOMParser.cpp
+++ b/dom/base/DOMParser.cpp
@@ -33,7 +33,8 @@ DOMParser::DOMParser(nsIGlobalObject* aOwner, nsIPrincipal* aDocPrincipal,
mPrincipal(aDocPrincipal),
mDocumentURI(aDocumentURI),
mBaseURI(aBaseURI),
- mForceEnableXULXBL(false) {
+ mForceEnableXULXBL(false),
+ mForceEnableDTD(false) {
MOZ_ASSERT(aDocPrincipal);
MOZ_ASSERT(aDocumentURI);
}
@@ -69,6 +70,10 @@ already_AddRefed<Document> DOMParser::ParseFromString(const nsAString& aStr,
document->ForceEnableXULXBL();
}
+ if (mForceEnableDTD) {
+ document->ForceSkipDTDSecurityChecks();
+ }
+
nsresult rv = nsContentUtils::ParseDocumentHTML(aStr, document, false);
if (NS_WARN_IF(NS_FAILED(rv))) {
aRv.Throw(rv);
@@ -183,6 +188,10 @@ already_AddRefed<Document> DOMParser::ParseFromStream(nsIInputStream* aStream,
document->ForceEnableXULXBL();
}
+ if (mForceEnableDTD) {
+ document->ForceSkipDTDSecurityChecks();
+ }
+
// Have to pass false for reset here, else the reset will remove
// our event listener. Should that listener addition move to later
// than this call?
diff --git a/dom/base/DOMParser.h b/dom/base/DOMParser.h
index 0a2db0ef4e2b..9a6545ad7f33 100644
--- a/dom/base/DOMParser.h
+++ b/dom/base/DOMParser.h
@@ -53,7 +53,12 @@ class DOMParser final : public nsISupports, public nsWrapperCache {
SupportedType aType,
ErrorResult& aRv);
- void ForceEnableXULXBL() { mForceEnableXULXBL = true; }
+ void ForceEnableXULXBL() {
+ mForceEnableXULXBL = true;
+ ForceEnableDTD();
+ }
+
+ void ForceEnableDTD() { mForceEnableDTD = true; }
nsIGlobalObject* GetParentObject() const { return mOwner; }
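Review bot: `ForceEnableXULXBL()` now also calls `ForceEnableDTD()`, which is a silent widening of what that call grants: every existing XUL/XBL caller ends up with documents on which `ForceSkipDTDSecurityChecks()` is set, without asking for it. That coupling deserves a comment at the definition, e.g. `// Enabling XUL/XBL also skips the DTD load security check for documents produced by this parser.` It would also help to state on `ForceEnableDTD()` that the flag is one-way and applies to all later parses by the same `DOMParser`, since there is no way to clear it.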
@@ -78,6 +83,7 @@ class DOMParser final : public nsISupports, public nsWrapperCache {
nsCOMPtr<nsIURI> mBaseURI;
bool mForceEnableXULXBL;
+ bool mForceEnableDTD;
};
} // namespace dom
diff --git a/dom/base/Document.cpp b/dom/base/Document.cpp
index a0823a6e457f..eebeada1c63c 100644
--- a/dom/base/Document.cpp
+++ b/dom/base/Document.cpp
@@ -1263,6 +1263,7 @@ Document::Document(const char* aContentType)
mType(eUnknown),
mDefaultElementType(0),
mAllowXULXBL(eTriUnset),
+ mSkipDTDSecurityChecks(false),
mBidiOptions(IBMBIDI_DEFAULT_BIDI_OPTIONS),
mSandboxFlags(0),
mPartID(0),
@@ -1987,38 +1988,6 @@ void Document::Reset(nsIChannel* aChannel, nsILoadGroup* aLoadGroup) {
mChannel = aChannel;
}
-/**
- * Determine whether the principal is allowed access to the localization system.
- * We don't want the web to ever see this but all our UI including in content
- * pages should pass this test.
- */
-bool PrincipalAllowsL10n(nsIPrincipal* principal) {
- // The system principal is always allowed.
- if (nsContentUtils::IsSystemPrincipal(principal)) {
- return true;
- }
-
- nsCOMPtr<nsIURI> uri;
- nsresult rv = principal->GetURI(getter_AddRefs(uri));
- NS_ENSURE_SUCCESS(rv, false);
-
- bool hasFlags;
-
- // Allow access to uris that cannot be loaded by web content.
- rv = NS_URIChainHasFlags(uri, nsIProtocolHandler::URI_DANGEROUS_TO_LOAD,
- &hasFlags);
- NS_ENSURE_SUCCESS(rv, false);
- if (hasFlags) {
- return true;
- }
-
- // UI resources also get access.
- rv = NS_URIChainHasFlags(uri, nsIProtocolHandler::URI_IS_UI_RESOURCE,
- &hasFlags);
- NS_ENSURE_SUCCESS(rv, false);
- return hasFlags;
-}
-
void Document::DisconnectNodeTree() {
// Delete references to sub-documents and kill the subdocument map,
// if any. This is not strictly needed, but makes the node tree
@@ -3256,11 +3225,11 @@ DocumentL10n* Document::GetL10n() { return mDocumentL10n; }
bool Document::DocumentSupportsL10n(JSContext* aCx, JSObject* aObject) {
nsCOMPtr<nsIPrincipal> callerPrincipal =
nsContentUtils::SubjectPrincipal(aCx);
- return PrincipalAllowsL10n(callerPrincipal);
+ return nsContentUtils::PrincipalAllowsL10n(callerPrincipal);
}
void Document::LocalizationLinkAdded(Element* aLinkElement) {
- if (!PrincipalAllowsL10n(NodePrincipal())) {
+ if (!nsContentUtils::PrincipalAllowsL10n(NodePrincipal())) {
return;
}
@@ -3291,7 +3260,7 @@ void Document::LocalizationLinkAdded(Element* aLinkElement) {
}
void Document::LocalizationLinkRemoved(Element* aLinkElement) {
- if (!PrincipalAllowsL10n(NodePrincipal())) {
+ if (!nsContentUtils::PrincipalAllowsL10n(NodePrincipal())) {
return;
}
diff --git a/dom/base/Document.h b/dom/base/Document.h
index 82b7d66753ef..e65bb95d94c9 100644
--- a/dom/base/Document.h
+++ b/dom/base/Document.h
@@ -2764,8 +2764,16 @@ class Document : public nsINode,
: mAllowXULXBL == eTriFalse ? false : InternalAllowXULXBL();
}
+ /**
+ * Returns true if this document is allowed to load DTDs from UI resources
+ * no matter what.
+ */
+ bool SkipDTDSecurityChecks() { return mSkipDTDSecurityChecks; }
+
void ForceEnableXULXBL() { mAllowXULXBL = eTriTrue; }
+ void ForceSkipDTDSecurityChecks() { mSkipDTDSecurityChecks = true; }
+
/**
* Returns the template content owner document that owns the content of
* HTMLTemplateElement.
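Review bot: The new getter `SkipDTDSecurityChecks()` only reads a member and should be const-qualified, `bool SkipDTDSecurityChecks() const { return mSkipDTDSecurityChecks; }`, so it can be called through a `const Document*`. The doc comment also promises more than the flag itself guarantees: it says the document may load DTDs "from UI resources", but the flag only selects a content-policy type, and nothing visible in this commit ties it to UI-resource URIs. Either name where that URI restriction is enforced or reword it to "Returns true if DTD loads for this document bypass the triggering-principal check." `ForceSkipDTDSecurityChecks()` has no comment at all and should get one saying who is expected to call it.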
@@ -4401,6 +4409,8 @@ class Document : public nsINode,
Tri mAllowXULXBL;
+ bool mSkipDTDSecurityChecks;
+
// The document's script global object, the object from which the
// document can get its script context and scope. This is the
// *inner* window object.
diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
index 2b416828e8c1..66134cdb691f 100644
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -1676,6 +1676,34 @@ bool nsContentUtils::OfflineAppAllowed(nsIPrincipal* aPrincipal) {
return NS_SUCCEEDED(rv) && allowed;
}
+/* static */
+bool nsContentUtils::PrincipalAllowsL10n(nsIPrincipal* aPrincipal) {
+ // The system principal is always allowed.
+ if (IsSystemPrincipal(aPrincipal)) {
+ return true;
+ }
+
+ nsCOMPtr<nsIURI> uri;
+ nsresult rv = aPrincipal->GetURI(getter_AddRefs(uri));
+ NS_ENSURE_SUCCESS(rv, false);
+
+ bool hasFlags;
+
+ // Allow access to uris that cannot be loaded by web content.
+ rv = NS_URIChainHasFlags(uri, nsIProtocolHandler::URI_DANGEROUS_TO_LOAD,
+ &hasFlags);
+ NS_ENSURE_SUCCESS(rv, false);
+ if (hasFlags) {
+ return true;
+ }
+
+ // UI resources also get access.
+ rv = NS_URIChainHasFlags(uri, nsIProtocolHandler::URI_IS_UI_RESOURCE,
+ &hasFlags);
+ NS_ENSURE_SUCCESS(rv, false);
+ return hasFlags;
+}
+
bool nsContentUtils::MaybeAllowOfflineAppByDefault(nsIPrincipal* aPrincipal) {
if (!Preferences::GetRootBranch()) return false;
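Review bot: `PrincipalAllowsL10n` passes `uri` straight to `NS_URIChainHasFlags` after checking only `rv`, and `GetURI` can, as far as I know, succeed while leaving the URI null for principals that have none (expanded principals, for example). The function used to be called only with subject and node principals; it is now also the gate for DTD loads on an arbitrary triggering principal, so the null case should fail closed explicitly with `if (!uri) { return false; }` after the first `NS_ENSURE_SUCCESS`. A `MOZ_ASSERT(aPrincipal);` at the top would likewise document that a null principal is a caller bug, not a "not allowed" answer.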
diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h
index b80c6c91093b..46818cc43a1b 100644
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -1984,6 +1984,13 @@ class nsContentUtils {
static bool OfflineAppAllowed(nsIPrincipal* aPrincipal);
/**
+ * Determine whether the principal is allowed access to the localization
+ * system. We don't want the web to ever see this but all our UI including in
+ * content pages should pass this test.
+ */
+ static bool PrincipalAllowsL10n(nsIPrincipal* aPrincipal);
+
+ /**
* If offline-apps.allow_by_default is true, we set offline-app permission
* for the principal and return true. Otherwise false.
*/
diff --git a/dom/security/nsContentSecurityManager.cpp b/dom/security/nsContentSecurityManager.cpp
index d7724ff496ff..e7a0a9d1a72b 100644
--- a/dom/security/nsContentSecurityManager.cpp
+++ b/dom/security/nsContentSecurityManager.cpp
@@ -329,8 +329,20 @@ static bool IsImageLoadInEditorAppType(nsILoadInfo* aLoadInfo) {
}
static nsresult DoCheckLoadURIChecks(nsIURI* aURI, nsILoadInfo* aLoadInfo) {
- // Bug 1228117: determine the correct security policy for DTD loads
- if (aLoadInfo->GetExternalContentPolicyType() == nsIContentPolicy::TYPE_DTD) {
+ // In practice, these DTDs are just used for localization, so applying the
+ // same principal check as Fluent.
+ if (aLoadInfo->InternalContentPolicyType() ==
+ nsIContentPolicy::TYPE_INTERNAL_DTD) {
+ return nsContentUtils::PrincipalAllowsL10n(aLoadInfo->TriggeringPrincipal())
+ ? NS_OK
+ : NS_ERROR_DOM_BAD_URI;
+ }
+
+ // This is used in order to allow a privileged DOMParser to parse documents
+ // that need to access localization DTDs. We just allow through
+ // TYPE_INTERNAL_FORCE_ALLOWED_DTD no matter what the triggering principal is.
+ if (aLoadInfo->InternalContentPolicyType() ==
+ nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD) {
return NS_OK;
}
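Review bot: The `TYPE_INTERNAL_FORCE_ALLOWED_DTD` branch returns `NS_OK` without looking at `aURI`, so this function no longer limits which DTD a flagged document may load. The comment says the type exists for "localization DTDs", but that is enforced only if the loader restricts the URI before the channel is created, which is outside this hunk. Please either check it here (e.g. require `URI_IS_UI_RESOURCE` on `aURI` before returning `NS_OK`) or add a comment naming where that restriction lives, such as `// aURI is not validated here; the DTD loader must already have limited it to local UI resources.` The rest of `DoCheckLoadURIChecks` continues past the end of the hunk.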
diff --git a/dom/tests/mochitest/bugs/mochitest.ini b/dom/tests/mochitest/bugs/mochitest.ini
index 571ca80e6339..26ce4e2b8c47 100644
--- a/dom/tests/mochitest/bugs/mochitest.ini
+++ b/dom/tests/mochitest/bugs/mochitest.ini
@@ -152,5 +152,6 @@ skip-if = toolkit == 'android'
[test_bug1171215.html]
support-files = window_bug1171215.html
[test_bug1530292.html]
+[test_bug467035.html]
[test_no_find_showDialog.html]
skip-if = toolkit == 'android' # Bug 1358633 - window.find doesn't work for Android
diff --git a/dom/tests/mochitest/bugs/test_bug467035.html b/dom/tests/mochitest/bugs/test_bug467035.html
new file mode 100644
index 000000000000..ffcfe03e7c61
--- /dev/null
+++ b/dom/tests/mochitest/bugs/test_bug467035.html
@@ -0,0 +1,45 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=467035
+-->
+<head>
+ <meta charset="utf-8">
+ <title>Test for Bug 467035</title>
+ <script src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+ <script type="application/javascript">
+
+ /** Test for Bug 467035 **/
+ SimpleTest.waitForExplicitFinish();
+ addLoadEvent(() => {
+ const s = `<!DOCTYPE html SYSTEM \"chrome://branding/locale/brand.dtd\">
+ <html xmlns=\"http://www.w3.org/1999/xhtml\">
+ <head>
+ <meta charset=\"utf-8\"/>
+ <title>&brandShortName;</title>
+ </head>
+ </html>`;
+
+ const parser = new DOMParser();
+ let doc = parser.parseFromString(s, 'application/xhtml+xml');
+ is(doc.getElementsByTagName('parsererror').length, 1, 'parseFromString cannot access locale DTD');
+
+ SpecialPowers.wrap(parser).forceEnableDTD();
+ doc = parser.parseFromString(s, 'application/xhtml+xml');
+ const isTitleLocalized = doc.getElementsByTagName('parsererror').length === 0 &&
+ typeof doc.title === 'string' &&
+ !!doc.title;
+ ok(isTitleLocalized, 'parseFromString can access locale DTD with forceEnableDTD');
+
+ SimpleTest.finish();
+ });
+ </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=467035">Mozilla Bug 467035</a>
+<p id="display"></p>
+<pre id="test">
+</pre>
+</body>
+</html>
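Review bot: The test exercises only `parseFromString`, while the commit adds the same `mForceEnableDTD` branch to `DOMParser::ParseFromStream` as well, so that second path lands without coverage. If `parseFromStream` is reachable from this test through `SpecialPowers.wrap(parser)`, add a matching pair of assertions for it; otherwise note in the test header that the stream path is not covered here. The `\"` escapes inside the template literal are unnecessary and make the embedded document harder to read.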
diff --git a/dom/webidl/DOMParser.webidl b/dom/webidl/DOMParser.webidl
index 8afff03da225..6497374aff16 100644
--- a/dom/webidl/DOMParser.webidl
+++ b/dom/webidl/DOMParser.webidl
@@ -36,5 +36,10 @@ interface DOMParser {
// principal it's using for the document.
[ChromeOnly]
void forceEnableXULXBL();
+
+ // Can be used to allow a DOMParser to load DTDs from URLs that
+ // normally would not be allowed based on the document principal.
+ [Func="IsChromeOrXBLOrUAWidget"]
+ void forceEnableDTD();
};
diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp
index dd09ba67d67e..9f2321cd2831 100644
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@@ -633,12 +633,16 @@ nsresult nsExpatDriver::OpenInputStreamFromExternalDTD(const char16_t* aFPIStr,
mSink == nsCOMPtr<nsIExpatSink>(do_QueryInterface(mOriginalSink)),
"In nsExpatDriver::OpenInputStreamFromExternalDTD: "
"mOriginalSink not the same object as mSink?");
+ nsContentPolicyType policyType = nsIContentPolicy::TYPE_INTERNAL_DTD;
nsCOMPtr<nsIPrincipal> loadingPrincipal;
if (mOriginalSink) {
nsCOMPtr<Document> doc;
doc = do_QueryInterface(mOriginalSink->GetTarget());
if (doc) {
loadingPrincipal = doc->NodePrincipal();
+ if (doc->SkipDTDSecurityChecks()) {
+ policyType = nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD;
+ }
}
}
if (!loadingPrincipal) {
@@ -648,7 +652,7 @@ nsresult nsExpatDriver::OpenInputStreamFromExternalDTD(const char16_t* aFPIStr,
rv = NS_NewChannel(getter_AddRefs(channel), uri, loadingPrincipal,
nsILoadInfo::SEC_ALLOW_CROSS_ORIGIN_DATA_INHERITS |
nsILoadInfo::SEC_ALLOW_CHROME,
- nsIContentPolicy::TYPE_DTD);
+ policyType);
}
NS_ENSURE_SUCCESS(rv, rv);
diff --git a/testing/marionette/l10n.js b/testing/marionette/l10n.js
index ebbe071f483b..b4c6a98b9c14 100644
--- a/testing/marionette/l10n.js
+++ b/testing/marionette/l10n.js
@@ -21,7 +21,11 @@ const { XPCOMUtils } = ChromeUtils.import(
);
XPCOMUtils.defineLazyGlobalGetters(this, ["DOMParser"]);
-XPCOMUtils.defineLazyGetter(this, "domParser", () => new DOMParser());
+XPCOMUtils.defineLazyGetter(this, "domParser", () => {
+ const parser = new DOMParser();
+ parser.forceEnableDTD();
+ return parser;
+});
const { NoSuchElementError } = ChromeUtils.import(
"chrome://marionette/content/error.js"
diff --git a/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/l10n.py b/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/l10n.py
index 159f8dc29e46..9a61bf89439d 100644
--- a/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/l10n.py
+++ b/testing/marionette/puppeteer/firefox/firefox_puppeteer/api/l10n.py
@@ -75,6 +75,7 @@ class L10n(BaseLib):
value = self.marionette.execute_script("""
Cu.importGlobalProperties(["DOMParser"]);
var parser = new DOMParser();
+ parser.forceEnableDTD();
var doc = parser.parseFromString(arguments[0], "text/xml");
var node = doc.querySelector("elem[id='entity']");
diff --git a/toolkit/content/widgets/datetimebox.js b/toolkit/content/widgets/datetimebox.js
index 1865007a23ad..5153c3cfaf53 100644
--- a/toolkit/content/widgets/datetimebox.js
+++ b/toolkit/content/widgets/datetimebox.js
@@ -143,6 +143,7 @@ this.DateTimeInputBaseImplWidget = class {
* Remove it when migrate to Fluent (bug 1504363).
*/
const parser = new this.window.DOMParser();
+ parser.forceEnableDTD();
let parserDoc = parser.parseFromString(
`<!DOCTYPE bindings [
<!ENTITY % datetimeboxDTD SYSTEM "chrome://global/locale/datetimebox.dtd">
diff --git a/toolkit/content/widgets/pluginProblem.js b/toolkit/content/widgets/pluginProblem.js
index e2cd6a0b6138..aee9942daa5a 100644
--- a/toolkit/content/widgets/pluginProblem.js
+++ b/toolkit/content/widgets/pluginProblem.js
@@ -17,6 +17,7 @@ this.PluginProblemWidget = class {
onsetup() {
const parser = new this.window.DOMParser();
+ parser.forceEnableDTD();
let parserDoc = parser.parseFromString(
`
<!DOCTYPE bindings [
diff --git a/toolkit/content/widgets/videocontrols.js b/toolkit/content/widgets/videocontrols.js
index 991c01534229..a32d3e2261ae 100644
--- a/toolkit/content/widgets/videocontrols.js
+++ b/toolkit/content/widgets/videocontrols.js
@@ -2472,6 +2472,7 @@ this.VideoControlsImplWidget = class {
* Remove it when migrate to Fluent.
*/
const parser = new this.window.DOMParser();
+ parser.forceEnableDTD();
let parserDoc = parser.parseFromString(
`<!DOCTYPE bindings [
<!ENTITY % videocontrolsDTD SYSTEM "chrome://global/locale/videocontrols.dtd">
@@ -2719,6 +2720,7 @@ this.NoControlsMobileImplWidget = class {
* Remove it when migrate to Fluent.
*/
const parser = new this.window.DOMParser();
+ parser.forceEnableDTD();
let parserDoc = parser.parseFromString(
`<!DOCTYPE bindings [
<!ENTITY % videocontrolsDTD SYSTEM "chrome://global/locale/videocontrols.dtd">
@@ -2769,6 +2771,7 @@ this.NoControlsPictureInPictureImplWidget = class {
* Remove it when migrate to Fluent.
*/
const parser = new this.window.DOMParser();
+ parser.forceEnableDTD();
let parserDoc = parser.parseFromString(
`<!DOCTYPE bindings [
<!ENTITY % videocontrolsDTD SYSTEM "chrome://global/locale/videocontrols.dtd">
@@ -2875,6 +2878,7 @@ this.NoControlsDesktopImplWidget = class {
* Remove it when migrate to Fluent.
*/
const parser = new this.window.DOMParser();
+ parser.forceEnableDTD();
let parserDoc = parser.parseFromString(
`<!DOCTYPE bindings [
<!ENTITY % videocontrolsDTD SYSTEM "chrome://global/locale/videocontrols.dtd">

[tor-browser/tor-browser-68.1.0esr-9.0-2] Bug 467035 - Add new internal DTD content types r=ckerschb
by gk@torproject.org 16 Sep '19
commit 93c30885b92760fcdf6bd06b235ddd3c87b09b97
Author: Alex Catarineu <acat(a)torproject.org>
Date: Wed Jul 3 17:28:25 2019 +0000
Bug 467035 - Add new internal DTD content types r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D35232
--HG--
extra : moz-landing-system : lando
---
dom/base/nsContentPolicyUtils.h | 2 ++
dom/base/nsContentUtils.h | 4 ++++
dom/base/nsIContentPolicy.idl | 12 ++++++++++++
dom/cache/DBSchema.cpp | 4 +++-
dom/fetch/InternalRequest.cpp | 2 ++
dom/security/nsCSPUtils.cpp | 2 ++
extensions/permissions/nsContentBlocker.cpp | 2 ++
7 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/dom/base/nsContentPolicyUtils.h b/dom/base/nsContentPolicyUtils.h
index 9af71cb85b3f..50767baa3637 100644
--- a/dom/base/nsContentPolicyUtils.h
+++ b/dom/base/nsContentPolicyUtils.h
@@ -137,6 +137,8 @@ inline const char* NS_CP_ContentTypeName(uint32_t contentType) {
CASE_RETURN(TYPE_SPECULATIVE);
CASE_RETURN(TYPE_INTERNAL_MODULE);
CASE_RETURN(TYPE_INTERNAL_MODULE_PRELOAD);
+ CASE_RETURN(TYPE_INTERNAL_DTD);
+ CASE_RETURN(TYPE_INTERNAL_FORCE_ALLOWED_DTD);
default:
return "<Unknown Type>";
}
diff --git a/dom/base/nsContentUtils.h b/dom/base/nsContentUtils.h
index 9c409099c9af..b80c6c91093b 100644
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@@ -3467,6 +3467,10 @@ nsContentUtils::InternalContentPolicyTypeToExternal(nsContentPolicyType aType) {
case nsIContentPolicy::TYPE_INTERNAL_STYLESHEET_PRELOAD:
return nsIContentPolicy::TYPE_STYLESHEET;
+ case nsIContentPolicy::TYPE_INTERNAL_DTD:
+ case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD:
+ return nsIContentPolicy::TYPE_DTD;
+
default:
return aType;
}
diff --git a/dom/base/nsIContentPolicy.idl b/dom/base/nsIContentPolicy.idl
index 5acbf9b8d9d2..13137cee7bc6 100644
--- a/dom/base/nsIContentPolicy.idl
+++ b/dom/base/nsIContentPolicy.idl
@@ -364,6 +364,18 @@ interface nsIContentPolicy : nsISupports
*/
const nsContentPolicyType TYPE_INTERNAL_MODULE_PRELOAD = 46;
+ /**
+ * Indicates a DTD loaded by an XML document the URI of which could
+ * not be mapped to a known local DTD.
+ */
+ const nsContentPolicyType TYPE_INTERNAL_DTD = 47;
+
+ /**
+ * Indicates a TYPE_INTERNAL_DTD which will not be blocked no matter
+ * what principal is being loaded from.
+ */
+ const nsContentPolicyType TYPE_INTERNAL_FORCE_ALLOWED_DTD = 48;
+
/* When adding new content types, please update nsContentBlocker,
* NS_CP_ContentTypeName, nsCSPContext, CSP_ContentTypeToDirective,
* DoContentSecurityChecks, all nsIContentPolicy implementations, the
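Review bot: The checklist in the trailing comment asks that new content types also be reflected in `nsCSPContext` and `DoContentSecurityChecks`, and neither file appears in this commit's diffstat. That may be fine if both switch on the external type, which `InternalContentPolicyTypeToExternal` now maps to `TYPE_DTD`, but this should be confirmed and stated in the commit message. The doc comment on `TYPE_INTERNAL_FORCE_ALLOWED_DTD` should also say who is allowed to set it, for instance "Must only be set for documents created by a privileged parser; it bypasses the triggering-principal check applied to TYPE_INTERNAL_DTD." As written ("no matter what principal is being loaded from") it reads as a general-purpose escape hatch.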
diff --git a/dom/cache/DBSchema.cpp b/dom/cache/DBSchema.cpp
index 540c12424925..670acb28b555 100644
--- a/dom/cache/DBSchema.cpp
+++ b/dom/cache/DBSchema.cpp
@@ -333,7 +333,9 @@ static_assert(nsIContentPolicy::TYPE_INVALID == 0 &&
nsIContentPolicy::TYPE_SAVEAS_DOWNLOAD == 43 &&
nsIContentPolicy::TYPE_SPECULATIVE == 44 &&
nsIContentPolicy::TYPE_INTERNAL_MODULE == 45 &&
- nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD == 46,
+ nsIContentPolicy::TYPE_INTERNAL_MODULE_PRELOAD == 46 &&
+ nsIContentPolicy::TYPE_INTERNAL_DTD == 47 &&
+ nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD == 48,
"nsContentPolicyType values are as expected");
namespace {
diff --git a/dom/fetch/InternalRequest.cpp b/dom/fetch/InternalRequest.cpp
index dada8d6df418..6456fe55c9aa 100644
--- a/dom/fetch/InternalRequest.cpp
+++ b/dom/fetch/InternalRequest.cpp
@@ -254,6 +254,8 @@ RequestDestination InternalRequest::MapContentPolicyTypeToRequestDestination(
destination = RequestDestination::_empty;
break;
case nsIContentPolicy::TYPE_DTD:
+ case nsIContentPolicy::TYPE_INTERNAL_DTD:
+ case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD:
destination = RequestDestination::_empty;
break;
case nsIContentPolicy::TYPE_FONT:
diff --git a/dom/security/nsCSPUtils.cpp b/dom/security/nsCSPUtils.cpp
index dc6b0f9b2025..cf30ba9e36f3 100644
--- a/dom/security/nsCSPUtils.cpp
+++ b/dom/security/nsCSPUtils.cpp
@@ -235,6 +235,8 @@ CSPDirective CSP_ContentTypeToDirective(nsContentPolicyType aType) {
case nsIContentPolicy::TYPE_DTD:
case nsIContentPolicy::TYPE_OTHER:
case nsIContentPolicy::TYPE_SPECULATIVE:
+ case nsIContentPolicy::TYPE_INTERNAL_DTD:
+ case nsIContentPolicy::TYPE_INTERNAL_FORCE_ALLOWED_DTD:
return nsIContentSecurityPolicy::DEFAULT_SRC_DIRECTIVE;
// csp shold not block top level loads, e.g. in case
diff --git a/extensions/permissions/nsContentBlocker.cpp b/extensions/permissions/nsContentBlocker.cpp
index bd98eb5aa5a7..3c4246b2ecc2 100644
--- a/extensions/permissions/nsContentBlocker.cpp
+++ b/extensions/permissions/nsContentBlocker.cpp
@@ -71,6 +71,8 @@ static const nsLiteralCString kTypeString[] = {
NS_LITERAL_CSTRING("speculative"),
NS_LITERAL_CSTRING(""), // TYPE_INTERNAL_MODULE
NS_LITERAL_CSTRING(""), // TYPE_INTERNAL_MODULE_PRELOAD
+ NS_LITERAL_CSTRING(""), // TYPE_INTERNAL_DTD
+ NS_LITERAL_CSTRING(""), // TYPE_INTERNAL_FORCE_ALLOWED_DTD
};
#define NUMBER_OF_TYPES MOZ_ARRAY_LENGTH(kTypeString)
commit f281c3637a0180e6df76bf7946bf4b864462afd6
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Mon Sep 16 09:18:20 2019 -0400
hand-edits to 0.4.2.1-alpha changelog
---
ChangeLog | 210 +++++++++++++++++++++++++++++++-------------------------------
1 file changed, 106 insertions(+), 104 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3b288b553..3f8b5344d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,54 +1,40 @@
Changes in version 0.4.2.1-alpha - 2019-09-??
- This is the first alpha release in the 0.4.2.x series. BLURB
- BLURB BLURB.
+ This is the first alpha release in the 0.4.2.x series. It adds new
+ defenses for denial-of-service attacks against onion services. It also
+ includes numerous kinds of bugfixes and refactoring to help improve
+ Tor's stability and ease of development.
o Major features (onion service v3, denial of service):
- - Add onion service introduction denial of service defenses. They
- consist of rate limiting client introduction at the intro point
- using parameters that can be sent by the service within the
+ - Add onion service introduction denial of service defenses. Intro
+ points can now rate-limit client introduction requests, using
+ parameters that can be sent by the service within the
ESTABLISH_INTRO cell. If the cell extension for this is not used,
the intro point will honor the consensus parameters. Closes
ticket 30924.
o Major bugfixes (circuit build, guard):
- When considering upgrading circuits from "waiting for guard" to
- "open", always ignore the ones that are mark for close. Else, we
- can end up in the situation where a subsystem is notified of that
- circuit opening but still marked for close leading to undesirable
- behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.
+ "open", always ignore circuits that are marked for close.
+ Previously we could end up in the situation where a subsystem is
+ notified of a circuit opening, but the circuit is still marked for
+ close, leading to undesirable behavior. Fixes bug 30871; bugfix
+ on 0.3.0.1-alpha.
- o Major bugfixes (crash, android):
+ o Major bugfixes (crash, Linux, Android):
- Tolerate systems (including some Android installations) where
madvise and MADV_DONTDUMP are available at build-time, but not at
run time. Previously, these systems would notice a failed syscall
and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
-
- o Major bugfixes (crash, Linux):
- Tolerate systems (including some Linux installations) where
madvise and/or MADV_DONTFORK are available at build-time, but not
at run time. Previously, these systems would notice a failed
syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
- o Minor feature (onion service v3):
- - Do not allow single hop client to fetch or post an HS descriptor
- from an HSDir. Closes ticket 24964.
-
- o Minor feature (onion service):
- - Disallow single hop clients to introduce directly at the
- introduction point. We've removed Tor2web a while back and
- rendezvous are blocked at the relays. This is to remove load off
- the network from spammy clients. Close ticket 24963.
-
- o Minor feature (token bucket):
- - Implement a generic token bucket that uses a single counter. This
- will be useful for the anti-DoS onion service work. Closes
- ticket 30687.
-
o Minor features (best practices tracker):
- Our best-practices tracker now integrates with our include-checker
- tool to keep track of the layering violations that we have not yet
- fixed. We hope to reduce this number over time to improve Tor's
- modularity. Closes ticket 31176.
+ tool to keep track of how many layering violations that we have
+ not yet fixed. We hope to reduce this number over time to improve
+ Tor's modularity. Closes ticket 31176.
- Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments to
practracker from the environment. We may want this for continuous
integration. Closes ticket 31309.
@@ -56,7 +42,9 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
is violated by a small amount; add a --list-overbroad option to
practracker that lists exceptions that are stricter than they need
to be, and provide an environment variable for disabling
- practracker. Closes ticekt 30752.
+ practracker. Closes ticket 30752.
+ - Our best-practices tracker now looks at headers as well as C
+ files. Closes ticket 31175.
o Minor features (build system):
- Add --disable-manpage and --disable-html-manual options to
@@ -76,8 +64,8 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
o Minor features (continuous integration):
- When running CI builds on Travis, put some random data in
- ~/.torrc, to make sure no tests are dependent on default Tor
- configuration. Resolves issue 30102.
+ ~/.torrc, to make sure no tests are reading the Tor configuration
+ file from its default location. Resolves issue 30102.
o Minor features (debugging):
- Log a nonfatal assertion failure if we encounter a configuration
@@ -85,10 +73,6 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
should be impossible, according to the rules of our configuration
line parsing. Closes ticket 31529.
- o Minor features (development tools):
- - Our best-practices tracker now looks at headers as well as C
- files. Closes ticket 31175.
-
o Minor features (git hooks):
- Our pre-commit git hook now checks for a special file before
running practracker, so that practracker only runs on branches
@@ -124,9 +108,19 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
ticket 31314.
o Minor features (IPv6, logging):
- - Log IPv6 addresses as well as IPv4 addresses, when describing
+ - Log IPv6 addresses as well as IPv4 addresses when describing
routerinfos, routerstatuses, and nodes. Closes ticket 21003.
+ o Minor features (onion service v3):
+ - Do not allow single hop client to fetch or post an HS descriptor
+ from an HSDir. Closes ticket 24964.
+
+ o Minor features (onion service):
+ - Disallow single-hop clients at the introduction point. We've
+ removed Tor2web support a while back and single-hop rendezvous
+ ttempts are blocked at the relays. This change should remove load
+ off the network from spammy clients. Close ticket 24963.
+
o Minor features (stem tests):
- Change "make test-stem" so it only runs the stem tests that use
tor. This change makes test-stem faster and more reliable. Closes
@@ -142,8 +136,12 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
management API. Closes ticket 30893.
- Add integration tests to make sure that practracker gives the
outputs we expect. Closes ticket 31477.
- - The practracker tests are now run as part of the Tor test suite.
- Closes ticket 31304.
+ - The practracker self-tests are now run as part of the Tor test
+ suite. Closes ticket 31304.
+
+ o Minor features (token bucket):
+ - Implement a generic token bucket that uses a single counter, for
+ use in anti-DoS onion service work. Closes ticket 30687.
o Minor bugfixes (best practices tracker):
- Fix a few issues in the best-practices script, including tests,
@@ -157,26 +155,26 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
o Minor bugfixes (build system):
- Do not include the deprecated <sys/sysctl.h> on Linux or Windows
- system. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
+ systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (chutney, makefiles, documentation):
- - "make test-network-all" shows the warnings from each test-
+ - "make test-network-all" now shows the warnings from each test-
network.sh run on the console, so developers see new warnings
- early. Improve the documentation for this feature, and rename a
- Makefile variable so the code is self-documenting. Fixes bug
- 30455; bugfix on 0.3.0.4-rc.
+ early. We've also improved the documentation for this feature, and
+ renamed a Makefile variable so the code is self-documenting. Fixes
+ bug 30455; bugfix on 0.3.0.4-rc.
o Minor bugfixes (compilation):
- - Add more stub functions to fix compilation on Android with LTO,
- when --disable-module-dirauth is used. Previously, these
- compilation settings would make the compiler look for functions
- that didn't exist. Fixes bug 31552; bugfix on 0.4.1.1-alpha.
+ - Add more stub functions to fix compilation on Android with link-
+ time optimization when --disable-module-dirauth is used.
+ Previously, these compilation settings would make the compiler
+ look for functions that didn't exist. Fixes bug 31552; bugfix
+ on 0.4.1.1-alpha.
o Minor bugfixes (configuration):
- Invalid floating-point values in the configuration file are now
- detected treated as errors in the configuration. Previously, they
- were ignored and treated as zero. Fixes bug 31475; bugfix
- on 0.0.1.
+ treated as errors in the configuration. Previously, they were
+ ignored and treated as zero. Fixes bug 31475; bugfix on 0.0.1.
o Minor bugfixes (coverity):
- Add an assertion when parsing a BEGIN cell so that coverity can be
@@ -190,8 +188,9 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
31030; bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
o Minor bugfixes (developer tooling):
- - Only log git script changes in post-merge script when merge was to
- the master branch. Fixes bug 31040; bugfix on 0.4.1.1-alpha.
+ - Only log git script changes in the post-merge script when the
+ merge was to the master branch. Fixes bug 31040; bugfix
+ on 0.4.1.1-alpha.
o Minor bugfixes (directory authorities):
- Return a distinct status when formatting annotations fails. Fixes
@@ -199,8 +198,8 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
o Minor bugfixes (error handling):
- On abort, try harder to flush the output buffers of log messages.
- On some platforms (macOS), log messages can be discarded when the
- process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
+ On some platforms (macOS), log messages could be discarded when
+ the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- Report the tor version whenever an assertion fails. Previously, we
only reported the Tor version on some crashes, and some non-fatal
assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
@@ -252,30 +251,29 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
by Xiaoyin Liu.
o Minor bugfixes (networking, IP addresses):
- - When parsing addreses via Tor's internal DNS lookup API, reject
+ - When parsing addresses via Tor's internal DNS lookup API, reject
IPv4 addresses in square brackets, and accept IPv6 addresses in
square brackets. This change completes the work started in 23082,
making address parsing consistent between tor's internal DNS
lookup and address parsing APIs. Fixes bug 30721; bugfix
on 0.2.1.5-alpha.
- - When parsing addreses via Tor's internal address:port parsing and
+ - When parsing addresses via Tor's internal address:port parsing and
DNS lookup APIs, require IPv6 addresses with ports to have square
brackets. But allow IPv6 addresses without ports, whether or not
they have square brackets. Fixes bug 30721; bugfix
on 0.2.1.5-alpha.
o Minor bugfixes (onion service v3):
- - When purging the client descriptor cache, always also close any
- introduction point circuits associated with it. This avoids
- picking those when connecting to them later while not having the
- descriptor to complete the introduction. Fixes bug 30921; bugfix
- on 0.3.2.1-alpha.
+ - When purging the client descriptor cache, close any introduction
+ point circuits associated with purged cache entries. This avoids
+ picking those circuits later when connecting to them later. Fixes
+ bug 30921; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion services):
- In the hs_ident_circuit_t data structure, remove the unused field
circuit_type and the respective argument in hs_ident_circuit_new().
- This field is set by clients (for introduction) and services (for
- introduction and rendezvous) but is never used afterwards. Fixes
+ This field was set by clients (for introduction) and services (for
+ introduction and rendezvous) but was never used afterwards. Fixes
bug 31490; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (operator tools):
@@ -303,8 +301,9 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
o Minor bugfixes (subsystems):
- Make the subsystem init order match the subsystem module
dependencies. Call windows process security APIs as early as
- possible. Init log before network and time, so that network and
- time can use logging. Fixes bug 31615; bugfix on 0.4.0.1-alpha.
+ possible. Initialize logging before network and time, so that
+ network and time can use logging. Fixes bug 31615; bugfix
+ on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Teach the util/socketpair_ersatz test to work correctly when we
@@ -314,9 +313,9 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
o Minor bugfixes (v2 single onion services):
- Always retry v2 single onion service intro and rend circuits with
a 3-hop path. Previously, v2 single onion services used a 3-hop
- path when rend circuits were retried after a remote or delayed
- failure, but a 1-hop path for immediate retries. Fixes bug 23818;
- bugfix on 0.2.9.3-alpha.
+ path when rendezvous circuits were retried after a remote or
+ delayed failure, but a 1-hop path for immediate retries. Fixes bug
+ 23818; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (v3 single onion services):
- Always retry v3 single onion service intro and rend circuits with
@@ -324,19 +323,40 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
path when rend circuits were retried after a remote or delayed
failure, but a 1-hop path for immediate retries. Fixes bug 23818;
bugfix on 0.3.2.1-alpha.
- - Make v3 single onion services fall back to a 3-hop intro, when
- there all intro points are unreachable via a 1-hop path.
- Previously, v3 single onion services failed when all intro nodes
- were unreachable via a 1-hop path. Fixes bug 23507; bugfix
- on 0.3.2.1-alpha.
+ - Make v3 single onion services fall back to a 3-hop intro, when all
+ intro points are unreachable via a 1-hop path. Previously, v3
+ single onion services failed when all intro nodes were unreachable
+ via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
- o Code simplification and refactoring:
- - Eliminate some uses of lower-level control reply abstractions,
- primarily in the onion_helper functions. Closes ticket 30889.
- - Extract our variable manipulation code from confparse.c to a new
- lower-level typedvar.h module. Closes ticket 30864.
+ o Documentation:
- Improve documentation in circuit padding subsystem. Patch by
Tobias Pulls. Closes ticket 31113.
+ - Include an example usage for IPv6 ORPort in our sample torrc.
+ Closes ticket 31320; patch from Ali Raheem.
+ - Use RFC 2397 data URL scheme to embed an image into tor-exit-
+ notice.html so that operators no longer have to host it
+ themselves. Closes ticket 31089.
+
+ o Removed features:
+ - No longer include recommended package digests in votes as detailed
+ in proposal 301. The RecommendedPackages torrc option is
+ deprecated and will no longer have any effect. "package" lines
+ will still be considered when computing consensuses for consensus
+ methods that include them. (This change has no effect on the list
+ of recommended Tor versions, which is still in use.) Closes
+ ticket 29738.
+ - Remove torctl.in from contrib/dist directory. Resolves
+ ticket 30550.
+
+ o Testing:
+ - Run shellcheck for all non-third-party shell scripts that are
+ shipped with Tor. Closes ticket 29533.
+ - When checking shell scripts, ignore any user-created directories.
+ Closes ticket 30967.
+
+ o Code simplification and refactoring (config handling):
+ - Extract our variable manipulation code from confparse.c to a new
+ lower-level typedvar.h module. Closes ticket 30864.
- Lower another layer of object management from confparse.c to a
more general tool. Now typed structure members are accessible via
an abstract type. Implements ticket 30914.
@@ -350,6 +370,10 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
- Replace our ad-hoc set of flags for configuration variables and
configuration variable types with fine-grained orthogonal flags
corresponding to the actual behavior we want. Closes ticket 31625.
+
+ o Code simplification and refactoring (misc):
+ - Eliminate some uses of lower-level control reply abstractions,
+ primarily in the onion_helper functions. Closes ticket 30889.
- Rework bootstrap tracking to use the new publish-subscribe
subsystem. Closes ticket 29976.
- Rewrite format_node_description() and router_get_verbose_nickname()
@@ -368,35 +392,13 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
padding machines. Patch by Tobias Pulls. Closes tickets 31112
and 31098.
- o Documentation:
- - Include an example usage for IPv6 ORPort in our sample torrc.
- Closes ticket 31320; patch from Ali Raheem.
- - Use RFC 2397 data URL scheme to embed image into tor-exit-
- notice.html so that operators would no longer have to host it
- themselves. Closes ticket 31089.
-
- o Removed features:
- - No longer include recommended packages in votes as detailed in
- proposal 301. The RecommendedPackages torrc option is deprecated
- and will no longer have any effect. "package" lines will still be
- considered when computing consensuses for consensus methods that
- include them. Closes ticket 29738.
- - Remove torctl.in from contrib/dist directory. Resolves
- ticket 30550.
-
- o Testing:
- - Run shellcheck for all non-third-party shell scripts that are
- shipped with Tor. Closes ticket 29533.
- - When checking shell scripts, ignore any user-created directories.
- Closes ticket 30967.
-
o Documentation (hard-coded directories):
- Improve the documentation for the DirAuthority and FallbackDir
torrc options. Closes ticket 30955.
o Documentation (tor.1 man page):
- - Fix typo -help to --help in tor.1 man page. Fixes bug 31008;
- bugfix on 0.2.2.9-alpha.
+ - Fix typo in tor.1 man page: the option is "--help", not "-help".
+ Fixes bug 31008; bugfix on 0.2.2.9-alpha.
Changes in version 0.4.1.5 - 2019-08-20

[tor-browser/tor-browser-68.1.0esr-9.0-2] Bug 26345: Hide tracking protection UI
by gk@torproject.org 16 Sep '19
commit cbf4dfb66958590b64cf5b2fc63ff0ed9e2d7d0e
Author: Alex Catarineu <acat(a)torproject.org>
Date: Tue Sep 10 16:29:31 2019 +0200
Bug 26345: Hide tracking protection UI
---
browser/components/controlcenter/content/identityPanel.inc.xul | 3 ++-
browser/themes/shared/identity-block/identity-block.inc.css | 4 ++++
browser/themes/shared/incontentprefs/privacy.css | 4 ++++
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/browser/components/controlcenter/content/identityPanel.inc.xul b/browser/components/controlcenter/content/identityPanel.inc.xul
index 73cb3968c7fb..88d5074589e3 100644
--- a/browser/components/controlcenter/content/identityPanel.inc.xul
+++ b/browser/components/controlcenter/content/identityPanel.inc.xul
@@ -73,7 +73,8 @@
<!-- Tracking Protection Section -->
<hbox id="tracking-protection-container"
class="identity-popup-section"
- when-connection="not-secure secure secure-ev secure-cert-user-overridden extension">
+ when-connection="not-secure secure secure-ev secure-cert-user-overridden extension"
+ hidden="true">
<vbox id="identity-popup-content-blocking-content" flex="1">
<hbox align="start">
<label id="content-blocking-label"
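Review bot: The `hidden="true"` added to `#tracking-protection-container` is a static attribute with nothing next to it saying that it is deliberate, so a later rebase, or any script that rewrites `hidden` on this element (none is visible in this hunk), could bring the section back unnoticed. I would extend the existing comment to `<!-- Tracking Protection Section (hidden in Tor Browser, Bug 26345) -->` so the intent survives merges. The two CSS hunks in this commit likewise carry no marker for their added `display: none` rules. The hbox body continues past the end of the hunk.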
diff --git a/browser/themes/shared/identity-block/identity-block.inc.css b/browser/themes/shared/identity-block/identity-block.inc.css
index d8233077be69..e1911fd47305 100644
--- a/browser/themes/shared/identity-block/identity-block.inc.css
+++ b/browser/themes/shared/identity-block/identity-block.inc.css
@@ -173,6 +173,10 @@ toolbar[brighttext] #urlbar[pageproxystate="valid"] > #identity-box.chromeUI > #
/* TRACKING PROTECTION ICON */
#tracking-protection-icon-box {
+ display: none;
+}
+
+#tracking-protection-icon-box {
visibility: collapse;
overflow: hidden;
width: 20px;
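Review bot: The added `#tracking-protection-icon-box { display: none; }` rule has the same specificity as the rule directly below it and sits earlier in the file, so any later rule of equal or higher specificity that sets `display` on the box would win over it. Whether such a rule exists is not visible from this hunk. If the icon must never be shown, `display: none !important;` would make the hiding hold regardless of rule order. The existing rule below continues outside the hunk.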
diff --git a/browser/themes/shared/incontentprefs/privacy.css b/browser/themes/shared/incontentprefs/privacy.css
index 5cb165d7d48d..ce9614bcd677 100644
--- a/browser/themes/shared/incontentprefs/privacy.css
+++ b/browser/themes/shared/incontentprefs/privacy.css
@@ -88,6 +88,10 @@
/* Content Blocking */
+#trackingGroup {
+ display: none;
+}
+
/* Override styling that sets descriptions as grey */
#trackingGroup description.indent,
#trackingGroup .indent > description {
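Review bot: Hiding `#trackingGroup` with `display: none` removes the content blocking controls from the preferences page but does not touch the preferences behind them, and nothing in this commit pins those values. If the protection state matters to the browser's privacy posture, it should be set or locked where the prefs are defined rather than relying on the controls being out of sight. A comment on the added rule would keep that distinction clear, e.g. `/* Bug 26345: hides the controls only; pref values are not changed by this rule */`.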
commit cbd3b01863ceeaad4c5dc89544037658f69e9403
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Mon Sep 16 08:31:26 2019 -0400
Start a changelog for 0.4.2.1-alpha
This commit sorts the changes files using sortChanges, and inserts
them into a changelog entry.
---
ChangeLog | 402 +++++++++++++++++++++++++++++++++++++++++++
changes/bug12399 | 3 -
changes/bug23507 | 5 -
changes/bug23818_v2 | 6 -
changes/bug23818_v3 | 6 -
changes/bug27284 | 5 -
changes/bug30455 | 5 -
changes/bug30721 | 10 --
changes/bug30780 | 3 -
changes/bug30799 | 4 -
changes/bug30804 | 4 -
changes/bug30840 | 4 -
changes/bug30841 | 3 -
changes/bug30958 | 5 -
changes/bug31040 | 3 -
changes/bug31088 | 5 -
changes/bug31112 | 3 -
changes/bug31113 | 3 -
changes/bug31442 | 3 -
changes/bug31462 | 4 -
changes/bug31463 | 3 -
changes/bug31490 | 6 -
changes/bug31552 | 5 -
changes/bug31570 | 5 -
changes/bug31571 | 7 -
changes/bug31594 | 5 -
changes/bug31615 | 5 -
changes/bug31657 | 5 -
changes/bug31696 | 5 -
changes/doc31089 | 4 -
changes/ticket19381 | 4 -
changes/ticket21003 | 3 -
changes/ticket24963 | 5 -
changes/ticket24964 | 4 -
changes/ticket27530 | 4 -
changes/ticket29533 | 3 -
changes/ticket29738 | 6 -
changes/ticket29746 | 4 -
changes/ticket29879 | 7 -
changes/ticket29976 | 3 -
changes/ticket30102 | 4 -
changes/ticket30550 | 2 -
changes/ticket30687 | 3 -
changes/ticket30752 | 6 -
changes/ticket30769 | 4 -
changes/ticket30806 | 3 -
changes/ticket30864 | 3 -
changes/ticket30871 | 6 -
changes/ticket30889 | 3 -
changes/ticket30893 | 3 -
changes/ticket30914 | 4 -
changes/ticket30921 | 5 -
changes/ticket30924 | 6 -
changes/ticket30935 | 6 -
changes/ticket30955 | 3 -
changes/ticket30956_refactor | 3 -
changes/ticket30967 | 6 -
changes/ticket30979 | 7 -
changes/ticket31008 | 3 -
changes/ticket31012 | 4 -
changes/ticket31025 | 5 -
changes/ticket31026 | 5 -
changes/ticket31030 | 3 -
changes/ticket31175 | 3 -
changes/ticket31176 | 5 -
changes/ticket31240 | 5 -
changes/ticket31304 | 3 -
changes/ticket31309 | 4 -
changes/ticket31314 | 18 --
changes/ticket31320 | 3 -
changes/ticket31451 | 4 -
changes/ticket31475 | 5 -
changes/ticket31477 | 3 -
changes/ticket31529 | 5 -
changes/ticket31532 | 4 -
changes/ticket31545 | 5 -
changes/ticket31554 | 4 -
changes/ticket31578 | 6 -
changes/ticket31625 | 4 -
changes/ticket31626 | 4 -
changes/ticket31637 | 6 -
changes/ticket31673 | 3 -
82 files changed, 402 insertions(+), 368 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 637a1dfcd..721604c65 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,405 @@
+Changes in version 0.4.2.1-alpha - 2019-09-??
+
+ o Major features (developer tools):
+ - Our best-practices tracker now integrates with our include-checker tool
+ to keep track of the layering violations that we have not yet fixed.
+ We hope to reduce this number over time to improve Tor's modularity.
+ Closes ticket 31176.
+
+ o Major features (onion service v3, denial of service):
+ - Add onion service introduction denial of service defenses. They consist of
+ rate limiting client introduction at the intro point using parameters that
+ can be sent by the service within the ESTABLISH_INTRO cell. If the cell
+ extension for this is not used, the intro point will honor the consensus
+ parameters. Closes ticket 30924.
+
+ o Major bugfixes (circuit build, guard):
+ - When considering upgrading circuits from "waiting for guard" to "open",
+ always ignore the ones that are mark for close. Else, we can end up in
+ the situation where a subsystem is notified of that circuit opening but
+ still marked for close leading to undesirable behavior. Fixes bug 30871;
+ bugfix on 0.3.0.1-alpha.
+
+ o Major bugfixes (crash, android):
+ - Tolerate systems (including some Android installations) where madvise
+ and MADV_DONTDUMP are available at build-time, but not at run time.
+ Previously, these systems would notice a failed syscall and abort.
+ Fixes bug 31570; bugfix on 0.4.1.1-alpha.
+
+ o Major bugfixes (crash, Linux):
+ - Tolerate systems (including some Linux installations) where madvise
+ and/or MADV_DONTFORK are available at build-time, but not at run time.
+ Previously, these systems would notice a failed syscall and abort.
+ Fixes bug 31696; bugfix on 0.4.1.1-alpha.
+
+ o Minor feature (onion service v3):
+ - Do not allow single hop client to fetch or post an HS descriptor from an
+ HSDir. Closes ticket 24964;
+
+ o Minor feature (onion service):
+ - Disallow single hop clients to introduce directly at the introduction
+ point. We've removed Tor2web a while back and rendezvous are blocked at
+ the relays. This is to remove load off the network from spammy clients.
+ Close ticket 24963.
+
+ o Minor feature (token bucket):
+ - Implement a generic token bucket that uses a single counter. This will be
+ useful for the anti-DoS onion service work. Closes ticket 30687.
+
+ o Minor features (best practices tracker):
+ - Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments
+ to practracker from the environment. We may want this for
+ continuous integration. Closes ticket 31309.
+ - Give a warning rather than an error when a practracker exception is
+ violated by a small amount; add a --list-overbroad option to
+ practracker that lists exceptions that are stricter than they need to
+ be, and provide an environment variable for disabling
+ practracker. Closes ticekt 30752.
+
+ o Minor features (build system):
+ - Add --disable-manpage and --disable-html-manual options to configure
+ script. This will enable shortening build times by not building
+ documentation. Resolves issue 19381.
+
+ o Minor features (compilation):
+ - Log a more useful error message when we are compiling and one of the
+ compile-time hardening options we have selected can be linked but
+ not executed. Closes ticket 27530.
+
+ o Minor features (configuration):
+ - The configuration code has been extended to allow splitting
+ configuration data across multiple objects. Previously, all
+ configuration data needed to be kept in a single object, which
+ tended to become bloated. Closes ticket 31240.
+
+ o Minor features (continuous integration):
+ - When running CI builds on Travis, put some random data in ~/.torrc,
+ to make sure no tests are dependent on default Tor configuration.
+ Resolves issue 30102.
+
+ o Minor features (debugging):
+ - Log a nonfatal assertion failure if we encounter a configuration
+ line whose command is "CLEAR" but which has a nonempty value.
+ This should be impossible, according to the rules of our
+ configuration line parsing. Closes ticket 31529.
+
+ o Minor features (development tools):
+ - Our best-practices tracker now looks at headers as well as
+ C files. Closes ticket 31175.
+
+ o Minor features (git hooks):
+ - Our pre-commit git hook now checks for a special file
+ before running practracker, so that practracker only runs on branches
+ that are based on master. Since the pre-push hook calls the pre-commit
+ hook, practracker will also only run before pushes of branches based
+ on master.
+ Closes ticket 30979.
+
+ o Minor features (git scripts):
+ - Add a "--" command-line argument, to
+ separate git-push-all.sh script arguments from arguments that are passed
+ through to git push. Closes ticket 31314.
+ - Add a -r <remote-name> argument to git-push-all.sh, so the script can
+ push test branches to a personal remote. Closes ticket 31314.
+ - Add a -t <test-branch-prefix> argument to git-merge-forward.sh and
+ git-push-all.sh, which makes these scripts create, merge forward, and
+ push test branches. Closes ticket 31314.
+ - Add a -u argument to git-merge-forward.sh, so that the script can re-use
+ existing test branches after a merge failure and fix.
+ Closes ticket 31314.
+ - Add a TOR_GIT_PUSH env var, which sets the default git push command and
+ arguments for git-push-all.sh. Closes ticket 31314.
+ - Add a TOR_PUSH_DELAY variable to git-push-all.sh, which makes the script
+ push master and maint branches with a delay between each branch. These
+ delays trigger the CI jobs in a set order, which should show the most
+ likely failures first. Also make pushes atomic by default, and make
+ the script pass any command-line arguments to git push.
+ Closes ticket 29879.
+ - Call the shellcheck script from the pre-commit hook.
+ Closes ticket 30967.
+ - Skip pushing test branches that are the same as a remote
+ maint/release/master branch in git-push-all.sh by default. Add a -s
+ argument, so git-push-all.sh can push all test branches.
+ Closes ticket 31314.
+
+ o Minor features (IPv6, logging):
+ - Log IPv6 addresses as well as IPv4 addresses, when describing
+ routerinfos, routerstatuses, and nodes. Closes ticket 21003.
+
+ o Minor features (recommended packages):
+ - No longer include recommended packages in votes as detailed in proposal
+ 301. The RecommendedPackages torrc option is deprecated and will no
+ longer have any effect. "package" lines will still be considered when
+ computing consensuses for consensus methods that include them. Fixes
+ ticket 29738.
+
+ o Minor features (stem tests):
+ - Change "make test-stem" so it only runs the stem tests that use tor.
+ This change makes test-stem faster and more reliable.
+ Closes ticket 31554.
+
+ o Minor features (testing):
+ - Add a script to invoke "tor --dump-config" and "tor --verify-config"
+ with various configuration options, and see whether tor's resulting
+ configuration or error messages are what we expect. Use it for
+ integration testing of our +Option and /Option flags.
+ Closes ticket 31637.
+ - Improve test coverage for our existing configuration parsing and
+ management API. Closes ticket 30893.
+
+ o Minor features (tests):
+ - Add integration tests to make sure that practracker gives the outputs
+ we expect. Closes ticket 31477.
+ - The practracker tests are now run as part of the Tor test suite.
+ Closes ticket 31304.
+
+ o Minor bugfixes (best practices tracker):
+ - Fix a few issues in the best-practices script, including tests, tab
+ tolerance, error reporting, and directory-exclusion logic. Fixes bug
+ 29746; bugfix on 0.4.1.1-alpha.
+
+ o Minor bugfixes (chutney, makefiles, documentation):
+ - "make test-network-all" shows the warnings from each test-network.sh
+ run on the console, so developers see new warnings early. Improve the
+ documentation for this feature, and rename a Makefile variable so the
+ code is self-documenting. Fixes bug 30455; bugfix on 0.3.0.4-rc.
+
+ o Minor bugfixes (compilation):
+ - Add more stub functions to fix compilation on Android with LTO, when
+ --disable-module-dirauth is used. Previously, these compilation
+ settings would make the compiler look for functions that didn't exist.
+ Fixes bug 31552; bugfix on 0.4.1.1-alpha.
+
+ o Minor bugfixes (configuration):
+ - Invalid floating-point values in the configuration file are now
+ detected treated as errors in the configuration. Previously, they
+ were ignored and treated as zero. Fixes bug 31475; bugfix on
+ 0.0.1.
+
+ o Minor bugfixes (coverity compliance):
+ - Add an assertion when parsing a BEGIN cell so that coverity can be sure
+ that we are not about to dereference a NULL address.
+ Fixes bug 31026; bugfix on 0.2.4.7-alpha. This is CID
+ 1447296.
+
+ o Minor bugfixes (coverity):
+ - In our siphash implementation, when building for coverity, use memcpy
+ in place of a switch statement, so that coverity can tell we are not
+ accessing out-of-bounds memory. Fixes bug 31025; bugfix on
+ 0.2.8.1-alpha. This is tracked as CID 1447293 and 1447295.
+
+ o Minor bugfixes (coverity, tests):
+ - Fix several coverity warnings from our unit tests. Fixes bug 31030;
+ bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
+
+ o Minor bugfixes (developer tooling):
+ - Only log git script changes in post-merge script when merge was to the
+ master branch. Fixes bug 31040; bugfix on 0.4.1.1-alpha.
+
+ o Minor bugfixes (directory authorities):
+ - Return a distinct status when formatting annotations fails.
+ Fixes bug 30780; bugfix on 0.2.0.8-alpha.
+
+ o Minor bugfixes (error handling):
+ - On abort, try harder to flush the output buffers of log messages. On
+ some platforms (macOS), log messages can be discarded when the process
+ terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
+ - Report the tor version whenever an assertion fails. Previously, we only
+ reported the Tor version on some crashes, and some non-fatal assertions.
+ Fixes bug 31571; bugfix on 0.3.5.1-alpha.
+ - When tor aborts due to an error, close log file descriptors before
+ aborting. Closing the logs makes some OSes flush log file buffers,
+ rather than deleting buffered log lines. Fixes bug 31594;
+ bugfix on 0.2.5.2-alpha.
+
+ o Minor bugfixes (git hooks):
+ - Remove a duplicate call to practracker from the pre-push hook.
+ The pre-push hook already calls the pre-commit hook, which calls
+ practracker. Fixes bug 31462; bugfix on 0.4.1.1-alpha.
+
+ o Minor bugfixes (git scripts):
+ - Stop hard-coding the bash path in the git scripts. Some OSes don't
+ have bash in /usr/bin, others have an ancient bash at this path.
+ Fixes bug 30840; bugfix on 0.4.0.1-alpha.
+ - Stop hard-coding the tor master branch name and worktree path in the
+ git scripts. Fixes bug 30841; bugfix on 0.4.0.1-alpha.
+
+ o Minor bugfixes (guards):
+ - When tor is missing descriptors for some primary entry guards, make the
+ log message less alarming. It's normal for descriptors to expire, as long
+ as tor fetches new ones soon after. Fixes bug 31657;
+ bugfix on 0.3.3.1-alpha.
+
+ o Minor bugfixes (ipv6):
+ - We check for private IPv6 address alongside their IPv4 equivalents when
+ authorities check descriptors. Previously, we only checked for private
+ IPv4 addresses. Fixes bug 31088; bugfix on 0.2.3.21-rc. Patch by Neel
+ Chauhan.
+ - When parsing microdescriptors, we should check the IPv6 exit policy
+ alongside IPv4. Previously, we checked both exit policies for only
+ router info structures, while microdescriptors were IPv4-only. Fixes
+ bug 27284; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan.
+
+ o Minor bugfixes (logging):
+ - Change log level of message "Hash of session info was not as expected"
+ to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix on 0.1.1.10-alpha.
+ - Fix a code issue that would have broken our parsing of log
+ domains as soon as we had 33 of them. Fortunately, we still
+ only have 29. Fixes bug 31451; bugfix on 0.4.1.4-rc.
+
+ o Minor bugfixes (memory management):
+ - Stop leaking a small amount of memory in nt_service_install(), in
+ unreachable code. Fixes bug 30799; bugfix on 0.2.0.7-alpha.
+ Patch by Xiaoyin Liu.
+
+ o Minor bugfixes (networking, IP addresses):
+ - When parsing addreses via Tor's internal DNS lookup API, reject IPv4
+ addresses in square brackets, and accept IPv6 addresses in square
+ brackets. This change completes the work started in 23082, making
+ address parsing consistent between tor's internal DNS lookup and address
+ parsing APIs. Fixes bug 30721; bugfix on 0.2.1.5-alpha.
+ - When parsing addreses via Tor's internal address:port parsing and
+ DNS lookup APIs, require IPv6 addresses with ports to have square
+ brackets. But allow IPv6 addresses without ports, whether or not they
+ have square brackets. Fixes bug 30721; bugfix on 0.2.1.5-alpha.
+
+ o Minor bugfixes (onion service v3):
+ - When purging the client descriptor cache, always also close any
+ introduction point circuits associated with it. This avoids picking those
+ when connecting to them later while not having the descriptor to complete
+ the introduction. Fixes bug 30921; bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (onion services):
+ - In the hs_ident_circuit_t data structure, remove the unused field
+ circuit_type and the respective argument in hs_ident_circuit_new().
+ This field is set by clients (for introduction) and services (for
+ introduction and rendezvous) but is never used afterwards. Fixes
+ bug 31490; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
+
+ o Minor bugfixes (operator tools):
+ - Make tor-print-ed-signing-cert(1) print certificate expiration date in
+ RFC 1123 and UNIX timestamp formats, to make output machine readable.
+ Fixes bug 31012; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (practracker):
+ - When running check-best-practices, only consider files in the
+ src subdirectory. Previously we had recursively considered
+ all subdirectories, which made us get confused by the
+ temporary directories made by "make distcheck". Fixes bug
+ 31578; bugfix on 0.4.1.1-alpha.
+
+ o Minor bugfixes (rust):
+ - Correctly exclude a redundant rust build job in Travis. Fixes bug 31463;
+ bugfix on 0.3.5.4-alpha.
+ - Raise the minimum rustc version to 1.31.0, as checked by configure
+ and CI. Fixes bug 31442; bugfix on 0.3.5.4-alpha.
+
+ o Minor bugfixes (sendme, code structure):
+ - Rename the trunnel SENDME file definition from sendme.trunnel to
+ sendme_cell.trunnel to avoid having twice sendme.{c|h} in the repository.
+ Fixes bug 30769; bugfix on 0.4.1.1-alpha.
+
+ o Minor bugfixes (statistics):
+ - Stop removing the ed25519 signature if the extra info file is too big.
+ If the signature data was removed, but the keyword was kept, this could
+ result in an unparseable extra info file. Fixes bug 30958;
+ bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (subsystems):
+ - Make the subsystem init order match the subsystem module dependencies.
+ Call windows process security APIs as early as possible. Init log before
+ network and time, so that network and time can use logging.
+ Fixes bug 31615; bugfix on 0.4.0.1-alpha.
+
+ o Minor bugfixes (testing):
+ - Teach the util/socketpair_ersatz test to work correctly when we
+ have no network stack configured. Fixes bug 30804; bugfix on
+ 0.2.5.1-alpha.
+
+ o Minor bugfixes (v2 single onion services):
+ - Always retry v2 single onion service intro and rend circuits with a
+ 3-hop path. Previously, v2 single onion services used a 3-hop path
+ when rend circuits were retried after a remote or delayed failure,
+ but a 1-hop path for immediate retries. Fixes bug 23818;
+ bugfix on 0.2.9.3-alpha.
+
+ o Minor bugfixes (v3 single onion services):
+ - Always retry v3 single onion service intro and rend circuits with a
+ 3-hop path. Previously, v3 single onion services used a 3-hop path
+ when rend circuits were retried after a remote or delayed failure,
+ but a 1-hop path for immediate retries. Fixes bug 23818;
+ bugfix on 0.3.2.1-alpha.
+ - Make v3 single onion services fall back to a 3-hop intro, when there
+ all intro points are unreachable via a 1-hop path. Previously, v3
+ single onion services failed when all intro nodes were unreachable
+ via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
+
+ o Code simplification and refactoring:
+ - Eliminate some uses of lower-level control reply abstractions,
+ primarily in the onion_helper functions. Closes ticket 30889.
+ - Extract our variable manipulation code from confparse.c to a new
+ lower-level typedvar.h module. Closes ticket 30864.
+ - Improve documentation in circuit padding subsystem. Patch by Tobias
+ Pulls. Closes ticket 31113.
+ - Lower another layer of object management from confparse.c to
+ a more general tool. Now typed structure members are accessible
+ via an abstract type. Implements ticket 30914.
+ - Move our backend logic for working with configuration and state
+ files into a lower-level library, since in no longer depends on
+ any tor-specific functionality. Closes ticket 31626.
+ - Numerous simplifications in configuration-handling logic:
+ remove duplicated macro definitions, replace magical names
+ with flags, and refactor "TestingTorNetwork" to use the
+ same default-option logic as the rest of Tor.
+ Closes ticket 30935.
+ - Replace our ad-hoc set of flags for configuration variables and
+ configuration variable types with fine-grained orthogonal flags
+ corresponding to the actual behavior we want. Closes ticket 31625.
+ - Rework bootstrap tracking to use the new publish-subscribe
+ subsystem. Closes ticket 29976.
+ - Rewrite format_node_description() and router_get_verbose_nickname() to
+ use strlcpy() and strlcat(). The previous implementation used memcpy()
+ and pointer arithmetic, which was error-prone.
+ Closes ticket 31545. This is CID 1452819.
+ - Split extrainfo_dump_to_string() into smaller functions.
+ Closes ticket 30956.
+ - Use the ptrdiff_t type consistently for expressing variable offsets and
+ pointer differences. Previously we incorrectly (but harmlessly) used
+ int and sometimes off_t for these cases. Closes ticket 31532.
+ - Use the subsystems mechanism to manage the main event loop code.
+ Closes ticket 30806.
+ - Various simplifications and minor improvements to the circuit padding
+ machines. Patch by Tobias Pulls. Closes tickets 31112 and 31098.
+
+ o Documentation (hard-coded directories):
+ - Improve the documentation for the DirAuthority and FallbackDir torrc
+ options. Closes ticket 30955.
+
+ o Documentation (tor.1 man page):
+ - Fix typo -help to --help in tor.1 man page. Fixes bug 31008; bugfix on
+ 0.2.2.9-alpha.
+
+ o Documentation:
+ - Include an example usage for IPv6 ORPort in our sample torrc.
+ Closes ticket 31320; patch from Ali Raheem.
+ - Use RFC 2397 data URL scheme to embed image into tor-exit-notice.html
+ so that operators would no longer have to host it themselves.
+ Closes ticket 31089.
+
+ o New system requirements (build system):
+ - Do not include the deprecated <sys/sysctl.h> on Linux or Windows system.
+ Closes 31673;
+
+ o Removed features:
+ - Remove torctl.in from contrib/dist directory. Resolves ticket 30550.
+
+ o Testing:
+ - Run shellcheck for all non-third-party shell scripts that are shipped
+ with Tor. Closes ticket 29533.
+ - When checking shell scripts, ignore any user-created directories.
+ Closes ticket 30967.
+
+
Changes in version 0.4.1.5 - 2019-08-20
This is the first stable release in the 0.4.1.x series. This series
adds experimental circuit-level padding, authenticated SENDME cells to
diff --git a/changes/bug12399 b/changes/bug12399
deleted file mode 100644
index 922c08c5e..000000000
--- a/changes/bug12399
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (logging):
- - Change log level of message "Hash of session info was not as expected"
- to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix on 0.1.1.10-alpha.
diff --git a/changes/bug23507 b/changes/bug23507
deleted file mode 100644
index de18273fd..000000000
--- a/changes/bug23507
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (v3 single onion services):
- - Make v3 single onion services fall back to a 3-hop intro, when there
- all intro points are unreachable via a 1-hop path. Previously, v3
- single onion services failed when all intro nodes were unreachable
- via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
diff --git a/changes/bug23818_v2 b/changes/bug23818_v2
deleted file mode 100644
index 0219a20f4..000000000
--- a/changes/bug23818_v2
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (v2 single onion services):
- - Always retry v2 single onion service intro and rend circuits with a
- 3-hop path. Previously, v2 single onion services used a 3-hop path
- when rend circuits were retried after a remote or delayed failure,
- but a 1-hop path for immediate retries. Fixes bug 23818;
- bugfix on 0.2.9.3-alpha.
diff --git a/changes/bug23818_v3 b/changes/bug23818_v3
deleted file mode 100644
index c430144d8..000000000
--- a/changes/bug23818_v3
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (v3 single onion services):
- - Always retry v3 single onion service intro and rend circuits with a
- 3-hop path. Previously, v3 single onion services used a 3-hop path
- when rend circuits were retried after a remote or delayed failure,
- but a 1-hop path for immediate retries. Fixes bug 23818;
- bugfix on 0.3.2.1-alpha.
diff --git a/changes/bug27284 b/changes/bug27284
deleted file mode 100644
index 14fc2082f..000000000
--- a/changes/bug27284
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (ipv6):
- - When parsing microdescriptors, we should check the IPv6 exit policy
- alongside IPv4. Previously, we checked both exit policies for only
- router info structures, while microdescriptors were IPv4-only. Fixes
- bug 27284; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan.
diff --git a/changes/bug30455 b/changes/bug30455
deleted file mode 100644
index aecbde5a3..000000000
--- a/changes/bug30455
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (chutney, makefiles, documentation):
- - "make test-network-all" shows the warnings from each test-network.sh
- run on the console, so developers see new warnings early. Improve the
- documentation for this feature, and rename a Makefile variable so the
- code is self-documenting. Fixes bug 30455; bugfix on 0.3.0.4-rc.
diff --git a/changes/bug30721 b/changes/bug30721
deleted file mode 100644
index 5ea4a1462..000000000
--- a/changes/bug30721
+++ /dev/null
@@ -1,10 +0,0 @@
- o Minor bugfixes (networking, IP addresses):
- - When parsing addreses via Tor's internal DNS lookup API, reject IPv4
- addresses in square brackets, and accept IPv6 addresses in square
- brackets. This change completes the work started in 23082, making
- address parsing consistent between tor's internal DNS lookup and address
- parsing APIs. Fixes bug 30721; bugfix on 0.2.1.5-alpha.
- - When parsing addreses via Tor's internal address:port parsing and
- DNS lookup APIs, require IPv6 addresses with ports to have square
- brackets. But allow IPv6 addresses without ports, whether or not they
- have square brackets. Fixes bug 30721; bugfix on 0.2.1.5-alpha.
diff --git a/changes/bug30780 b/changes/bug30780
deleted file mode 100644
index 5731d201a..000000000
--- a/changes/bug30780
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (directory authorities):
- - Return a distinct status when formatting annotations fails.
- Fixes bug 30780; bugfix on 0.2.0.8-alpha.
diff --git a/changes/bug30799 b/changes/bug30799
deleted file mode 100644
index b10420a95..000000000
--- a/changes/bug30799
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (memory management):
- - Stop leaking a small amount of memory in nt_service_install(), in
- unreachable code. Fixes bug 30799; bugfix on 0.2.0.7-alpha.
- Patch by Xiaoyin Liu.
diff --git a/changes/bug30804 b/changes/bug30804
deleted file mode 100644
index ba4a3e8b8..000000000
--- a/changes/bug30804
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (testing):
- - Teach the util/socketpair_ersatz test to work correctly when we
- have no network stack configured. Fixes bug 30804; bugfix on
- 0.2.5.1-alpha.
diff --git a/changes/bug30840 b/changes/bug30840
deleted file mode 100644
index 562b0fbd9..000000000
--- a/changes/bug30840
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (git scripts):
- - Stop hard-coding the bash path in the git scripts. Some OSes don't
- have bash in /usr/bin, others have an ancient bash at this path.
- Fixes bug 30840; bugfix on 0.4.0.1-alpha.
diff --git a/changes/bug30841 b/changes/bug30841
deleted file mode 100644
index c6d1c5146..000000000
--- a/changes/bug30841
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (git scripts):
- - Stop hard-coding the tor master branch name and worktree path in the
- git scripts. Fixes bug 30841; bugfix on 0.4.0.1-alpha.
diff --git a/changes/bug30958 b/changes/bug30958
deleted file mode 100644
index 374c8e46f..000000000
--- a/changes/bug30958
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (statistics):
- - Stop removing the ed25519 signature if the extra info file is too big.
- If the signature data was removed, but the keyword was kept, this could
- result in an unparseable extra info file. Fixes bug 30958;
- bugfix on 0.2.7.2-alpha.
diff --git a/changes/bug31040 b/changes/bug31040
deleted file mode 100644
index 81f6d7e79..000000000
--- a/changes/bug31040
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (developer tooling):
- - Only log git script changes in post-merge script when merge was to the
- master branch. Fixes bug 31040; bugfix on 0.4.1.1-alpha.
diff --git a/changes/bug31088 b/changes/bug31088
deleted file mode 100644
index c258d1bad..000000000
--- a/changes/bug31088
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (ipv6):
- - We check for private IPv6 address alongside their IPv4 equivalents when
- authorities check descriptors. Previously, we only checked for private
- IPv4 addresses. Fixes bug 31088; bugfix on 0.2.3.21-rc. Patch by Neel
- Chauhan.
diff --git a/changes/bug31112 b/changes/bug31112
deleted file mode 100644
index 882efaad5..000000000
--- a/changes/bug31112
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring:
- - Various simplifications and minor improvements to the circuit padding
- machines. Patch by Tobias Pulls. Closes tickets 31112 and 31098.
diff --git a/changes/bug31113 b/changes/bug31113
deleted file mode 100644
index f48328f0f..000000000
--- a/changes/bug31113
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring:
- - Improve documentation in circuit padding subsystem. Patch by Tobias
- Pulls. Closes ticket 31113.
diff --git a/changes/bug31442 b/changes/bug31442
deleted file mode 100644
index 4df9fc6df..000000000
--- a/changes/bug31442
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (rust):
- - Raise the minimum rustc version to 1.31.0, as checked by configure
- and CI. Fixes bug 31442; bugfix on 0.3.5.4-alpha.
diff --git a/changes/bug31462 b/changes/bug31462
deleted file mode 100644
index 54ab990bb..000000000
--- a/changes/bug31462
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (git hooks):
- - Remove a duplicate call to practracker from the pre-push hook.
- The pre-push hook already calls the pre-commit hook, which calls
- practracker. Fixes bug 31462; bugfix on 0.4.1.1-alpha.
diff --git a/changes/bug31463 b/changes/bug31463
deleted file mode 100644
index d85c0887c..000000000
--- a/changes/bug31463
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (rust):
- - Correctly exclude a redundant rust build job in Travis. Fixes bug 31463;
- bugfix on 0.3.5.4-alpha.
diff --git a/changes/bug31490 b/changes/bug31490
deleted file mode 100644
index 24782be3e..000000000
--- a/changes/bug31490
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (onion services):
- - In the hs_ident_circuit_t data structure, remove the unused field
- circuit_type and the respective argument in hs_ident_circuit_new().
- This field is set by clients (for introduction) and services (for
- introduction and rendezvous) but is never used afterwards. Fixes
- bug 31490; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
diff --git a/changes/bug31552 b/changes/bug31552
deleted file mode 100644
index fb33e1442..000000000
--- a/changes/bug31552
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (compilation):
- - Add more stub functions to fix compilation on Android with LTO, when
- --disable-module-dirauth is used. Previously, these compilation
- settings would make the compiler look for functions that didn't exist.
- Fixes bug 31552; bugfix on 0.4.1.1-alpha.
diff --git a/changes/bug31570 b/changes/bug31570
deleted file mode 100644
index f70b577b4..000000000
--- a/changes/bug31570
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (crash, android):
- - Tolerate systems (including some Android installations) where madvise
- and MADV_DONTDUMP are available at build-time, but not at run time.
- Previously, these systems would notice a failed syscall and abort.
- Fixes bug 31570; bugfix on 0.4.1.1-alpha.
diff --git a/changes/bug31571 b/changes/bug31571
deleted file mode 100644
index 86de3537b..000000000
--- a/changes/bug31571
+++ /dev/null
@@ -1,7 +0,0 @@
- o Minor bugfixes (error handling):
- - Report the tor version whenever an assertion fails. Previously, we only
- reported the Tor version on some crashes, and some non-fatal assertions.
- Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- - On abort, try harder to flush the output buffers of log messages. On
- some platforms (macOS), log messages can be discarded when the process
- terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
diff --git a/changes/bug31594 b/changes/bug31594
deleted file mode 100644
index 75e6ec33c..000000000
--- a/changes/bug31594
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (error handling):
- - When tor aborts due to an error, close log file descriptors before
- aborting. Closing the logs makes some OSes flush log file buffers,
- rather than deleting buffered log lines. Fixes bug 31594;
- bugfix on 0.2.5.2-alpha.
diff --git a/changes/bug31615 b/changes/bug31615
deleted file mode 100644
index 49b13bea9..000000000
--- a/changes/bug31615
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (subsystems):
- - Make the subsystem init order match the subsystem module dependencies.
- Call windows process security APIs as early as possible. Init log before
- network and time, so that network and time can use logging.
- Fixes bug 31615; bugfix on 0.4.0.1-alpha.
diff --git a/changes/bug31657 b/changes/bug31657
deleted file mode 100644
index 08e9d95fd..000000000
--- a/changes/bug31657
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (guards):
- - When tor is missing descriptors for some primary entry guards, make the
- log message less alarming. It's normal for descriptors to expire, as long
- as tor fetches new ones soon after. Fixes bug 31657;
- bugfix on 0.3.3.1-alpha.
diff --git a/changes/bug31696 b/changes/bug31696
deleted file mode 100644
index b9d6c4130..000000000
--- a/changes/bug31696
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (crash, Linux):
- - Tolerate systems (including some Linux installations) where madvise
- and/or MADV_DONTFORK are available at build-time, but not at run time.
- Previously, these systems would notice a failed syscall and abort.
- Fixes bug 31696; bugfix on 0.4.1.1-alpha.
diff --git a/changes/doc31089 b/changes/doc31089
deleted file mode 100644
index 2fc0ba4f7..000000000
--- a/changes/doc31089
+++ /dev/null
@@ -1,4 +0,0 @@
- o Documentation:
- - Use RFC 2397 data URL scheme to embed image into tor-exit-notice.html
- so that operators would no longer have to host it themselves.
- Closes ticket 31089.
diff --git a/changes/ticket19381 b/changes/ticket19381
deleted file mode 100644
index ee51e2a3e..000000000
--- a/changes/ticket19381
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (build system):
- - Add --disable-manpage and --disable-html-manual options to configure
- script. This will enable shortening build times by not building
- documentation. Resolves issue 19381.
diff --git a/changes/ticket21003 b/changes/ticket21003
deleted file mode 100644
index 896d7493e..000000000
--- a/changes/ticket21003
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (IPv6, logging):
- - Log IPv6 addresses as well as IPv4 addresses, when describing
- routerinfos, routerstatuses, and nodes. Closes ticket 21003.
diff --git a/changes/ticket24963 b/changes/ticket24963
deleted file mode 100644
index 50adcfaaf..000000000
--- a/changes/ticket24963
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor feature (onion service):
- - Disallow single hop clients to introduce directly at the introduction
- point. We've removed Tor2web a while back and rendezvous are blocked at
- the relays. This is to remove load off the network from spammy clients.
- Close ticket 24963.
diff --git a/changes/ticket24964 b/changes/ticket24964
deleted file mode 100644
index 171c86eb1..000000000
--- a/changes/ticket24964
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor feature (onion service v3):
- - Do not allow single hop client to fetch or post an HS descriptor from an
- HSDir. Closes ticket 24964;
-
diff --git a/changes/ticket27530 b/changes/ticket27530
deleted file mode 100644
index 8ae4f5266..000000000
--- a/changes/ticket27530
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (compilation):
- - Log a more useful error message when we are compiling and one of the
- compile-time hardening options we have selected can be linked but
- not executed. Closes ticket 27530.
diff --git a/changes/ticket29533 b/changes/ticket29533
deleted file mode 100644
index 27ef68121..000000000
--- a/changes/ticket29533
+++ /dev/null
@@ -1,3 +0,0 @@
- o Testing:
- - Run shellcheck for all non-third-party shell scripts that are shipped
- with Tor. Closes ticket 29533.
diff --git a/changes/ticket29738 b/changes/ticket29738
deleted file mode 100644
index 9217cc9a5..000000000
--- a/changes/ticket29738
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor features (recommended packages):
- - No longer include recommended packages in votes as detailed in proposal
- 301. The RecommendedPackages torrc option is deprecated and will no
- longer have any effect. "package" lines will still be considered when
- computing consensuses for consensus methods that include them. Fixes
- ticket 29738.
diff --git a/changes/ticket29746 b/changes/ticket29746
deleted file mode 100644
index 63b9edb39..000000000
--- a/changes/ticket29746
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (best practices tracker):
- - Fix a few issues in the best-practices script, including tests, tab
- tolerance, error reporting, and directory-exclusion logic. Fixes bug
- 29746; bugfix on 0.4.1.1-alpha.
diff --git a/changes/ticket29879 b/changes/ticket29879
deleted file mode 100644
index c37bdd3f6..000000000
--- a/changes/ticket29879
+++ /dev/null
@@ -1,7 +0,0 @@
- o Minor features (git scripts):
- - Add a TOR_PUSH_DELAY variable to git-push-all.sh, which makes the script
- push master and maint branches with a delay between each branch. These
- delays trigger the CI jobs in a set order, which should show the most
- likely failures first. Also make pushes atomic by default, and make
- the script pass any command-line arguments to git push.
- Closes ticket 29879.
diff --git a/changes/ticket29976 b/changes/ticket29976
deleted file mode 100644
index 9991bfb1f..000000000
--- a/changes/ticket29976
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring:
- - Rework bootstrap tracking to use the new publish-subscribe
- subsystem. Closes ticket 29976.
diff --git a/changes/ticket30102 b/changes/ticket30102
deleted file mode 100644
index c8b1148da..000000000
--- a/changes/ticket30102
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (continuous integration):
- - When running CI builds on Travis, put some random data in ~/.torrc,
- to make sure no tests are dependent on default Tor configuration.
- Resolves issue 30102.
diff --git a/changes/ticket30550 b/changes/ticket30550
deleted file mode 100644
index f356c4048..000000000
--- a/changes/ticket30550
+++ /dev/null
@@ -1,2 +0,0 @@
- o Removed features:
- - Remove torctl.in from contrib/dist directory. Resolves ticket 30550.
diff --git a/changes/ticket30687 b/changes/ticket30687
deleted file mode 100644
index c3124eb64..000000000
--- a/changes/ticket30687
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor feature (token bucket):
- - Implement a generic token bucket that uses a single counter. This will be
- useful for the anti-DoS onion service work. Closes ticket 30687.
diff --git a/changes/ticket30752 b/changes/ticket30752
deleted file mode 100644
index 044c7c7d9..000000000
--- a/changes/ticket30752
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor features (best practices tracker):
- - Give a warning rather than an error when a practracker exception is
- violated by a small amount; add a --list-overbroad option to
- practracker that lists exceptions that are stricter than they need to
- be, and provide an environment variable for disabling
- practracker. Closes ticekt 30752.
diff --git a/changes/ticket30769 b/changes/ticket30769
deleted file mode 100644
index 74f63a146..000000000
--- a/changes/ticket30769
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (sendme, code structure):
- - Rename the trunnel SENDME file definition from sendme.trunnel to
- sendme_cell.trunnel to avoid having twice sendme.{c|h} in the repository.
- Fixes bug 30769; bugfix on 0.4.1.1-alpha.
diff --git a/changes/ticket30806 b/changes/ticket30806
deleted file mode 100644
index 4f09ea2af..000000000
--- a/changes/ticket30806
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring:
- - Use the subsystems mechanism to manage the main event loop code.
- Closes ticket 30806.
diff --git a/changes/ticket30864 b/changes/ticket30864
deleted file mode 100644
index b8fb57130..000000000
--- a/changes/ticket30864
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring:
- - Extract our variable manipulation code from confparse.c to a new
- lower-level typedvar.h module. Closes ticket 30864.
diff --git a/changes/ticket30871 b/changes/ticket30871
deleted file mode 100644
index 81c076bb0..000000000
--- a/changes/ticket30871
+++ /dev/null
@@ -1,6 +0,0 @@
- o Major bugfixes (circuit build, guard):
- - When considering upgrading circuits from "waiting for guard" to "open",
- always ignore the ones that are mark for close. Else, we can end up in
- the situation where a subsystem is notified of that circuit opening but
- still marked for close leading to undesirable behavior. Fixes bug 30871;
- bugfix on 0.3.0.1-alpha.
diff --git a/changes/ticket30889 b/changes/ticket30889
deleted file mode 100644
index 8582e2bca..000000000
--- a/changes/ticket30889
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring:
- - Eliminate some uses of lower-level control reply abstractions,
- primarily in the onion_helper functions. Closes ticket 30889.
diff --git a/changes/ticket30893 b/changes/ticket30893
deleted file mode 100644
index 638b99a9f..000000000
--- a/changes/ticket30893
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (testing):
- - Improve test coverage for our existing configuration parsing and
- management API. Closes ticket 30893.
diff --git a/changes/ticket30914 b/changes/ticket30914
deleted file mode 100644
index c8c008b3d..000000000
--- a/changes/ticket30914
+++ /dev/null
@@ -1,4 +0,0 @@
- o Code simplification and refactoring:
- - Lower another layer of object management from confparse.c to
- a more general tool. Now typed structure members are accessible
- via an abstract type. Implements ticket 30914.
diff --git a/changes/ticket30921 b/changes/ticket30921
deleted file mode 100644
index 50ec570ff..000000000
--- a/changes/ticket30921
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (onion service v3):
- - When purging the client descriptor cache, always also close any
- introduction point circuits associated with it. This avoids picking those
- when connecting to them later while not having the descriptor to complete
- the introduction. Fixes bug 30921; bugfix on 0.3.2.1-alpha.
diff --git a/changes/ticket30924 b/changes/ticket30924
deleted file mode 100644
index 832c37797..000000000
--- a/changes/ticket30924
+++ /dev/null
@@ -1,6 +0,0 @@
- o Major features (onion service v3, denial of service):
- - Add onion service introduction denial of service defenses. They consist of
- rate limiting client introduction at the intro point using parameters that
- can be sent by the service within the ESTABLISH_INTRO cell. If the cell
- extension for this is not used, the intro point will honor the consensus
- parameters. Closes ticket 30924.
diff --git a/changes/ticket30935 b/changes/ticket30935
deleted file mode 100644
index 5a7e91889..000000000
--- a/changes/ticket30935
+++ /dev/null
@@ -1,6 +0,0 @@
- o Code simplification and refactoring:
- - Numerous simplifications in configuration-handling logic:
- remove duplicated macro definitions, replace magical names
- with flags, and refactor "TestingTorNetwork" to use the
- same default-option logic as the rest of Tor.
- Closes ticket 30935.
diff --git a/changes/ticket30955 b/changes/ticket30955
deleted file mode 100644
index 7715a0756..000000000
--- a/changes/ticket30955
+++ /dev/null
@@ -1,3 +0,0 @@
- o Documentation (hard-coded directories):
- - Improve the documentation for the DirAuthority and FallbackDir torrc
- options. Closes ticket 30955.
diff --git a/changes/ticket30956_refactor b/changes/ticket30956_refactor
deleted file mode 100644
index 81151c6cc..000000000
--- a/changes/ticket30956_refactor
+++ /dev/null
@@ -1,3 +0,0 @@
- o Code simplification and refactoring:
- - Split extrainfo_dump_to_string() into smaller functions.
- Closes ticket 30956.
diff --git a/changes/ticket30967 b/changes/ticket30967
deleted file mode 100644
index 5fe9c980b..000000000
--- a/changes/ticket30967
+++ /dev/null
@@ -1,6 +0,0 @@
- o Testing:
- - When checking shell scripts, ignore any user-created directories.
- Closes ticket 30967.
- o Minor features (git scripts):
- - Call the shellcheck script from the pre-commit hook.
- Closes ticket 30967.
diff --git a/changes/ticket30979 b/changes/ticket30979
deleted file mode 100644
index ffe1bfb4a..000000000
--- a/changes/ticket30979
+++ /dev/null
@@ -1,7 +0,0 @@
- o Minor features (git hooks):
- - Our pre-commit git hook now checks for a special file
- before running practracker, so that practracker only runs on branches
- that are based on master. Since the pre-push hook calls the pre-commit
- hook, practracker will also only run before pushes of branches based
- on master.
- Closes ticket 30979.
diff --git a/changes/ticket31008 b/changes/ticket31008
deleted file mode 100644
index c7077de6c..000000000
--- a/changes/ticket31008
+++ /dev/null
@@ -1,3 +0,0 @@
- o Documentation (tor.1 man page):
- - Fix typo -help to --help in tor.1 man page. Fixes bug 31008; bugfix on
- 0.2.2.9-alpha.
diff --git a/changes/ticket31012 b/changes/ticket31012
deleted file mode 100644
index 61ea30d8d..000000000
--- a/changes/ticket31012
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (operator tools):
- - Make tor-print-ed-signing-cert(1) print certificate expiration date in
- RFC 1123 and UNIX timestamp formats, to make output machine readable.
- Fixes bug 31012; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket31025 b/changes/ticket31025
deleted file mode 100644
index c57228823..000000000
--- a/changes/ticket31025
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (coverity):
- - In our siphash implementation, when building for coverity, use memcpy
- in place of a switch statement, so that coverity can tell we are not
- accessing out-of-bounds memory. Fixes bug 31025; bugfix on
- 0.2.8.1-alpha. This is tracked as CID 1447293 and 1447295.
diff --git a/changes/ticket31026 b/changes/ticket31026
deleted file mode 100644
index 6f6abcffb..000000000
--- a/changes/ticket31026
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (coverity compliance):
- - Add an assertion when parsing a BEGIN cell so that coverity can be sure
- that we are not about to dereference a NULL address.
- Fixes bug 31026; bugfix on 0.2.4.7-alpha. This is CID
- 1447296.
diff --git a/changes/ticket31030 b/changes/ticket31030
deleted file mode 100644
index 4d99323b4..000000000
--- a/changes/ticket31030
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (coverity, tests):
- - Fix several coverity warnings from our unit tests. Fixes bug 31030;
- bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
diff --git a/changes/ticket31175 b/changes/ticket31175
deleted file mode 100644
index cff13761a..000000000
--- a/changes/ticket31175
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (development tools):
- - Our best-practices tracker now looks at headers as well as
- C files. Closes ticket 31175.
diff --git a/changes/ticket31176 b/changes/ticket31176
deleted file mode 100644
index 5fcdeab3a..000000000
--- a/changes/ticket31176
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major features (developer tools):
- - Our best-practices tracker now integrates with our include-checker tool
- to keep track of the layering violations that we have not yet fixed.
- We hope to reduce this number over time to improve Tor's modularity.
- Closes ticket 31176.
diff --git a/changes/ticket31240 b/changes/ticket31240
deleted file mode 100644
index 0fe37ff44..000000000
--- a/changes/ticket31240
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor features (configuration):
- - The configuration code has been extended to allow splitting
- configuration data across multiple objects. Previously, all
- configuration data needed to be kept in a single object, which
- tended to become bloated. Closes ticket 31240.
diff --git a/changes/ticket31304 b/changes/ticket31304
deleted file mode 100644
index ca60148b0..000000000
--- a/changes/ticket31304
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (tests):
- - The practracker tests are now run as part of the Tor test suite.
- Closes ticket 31304.
diff --git a/changes/ticket31309 b/changes/ticket31309
deleted file mode 100644
index 8e1c9f27e..000000000
--- a/changes/ticket31309
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (best practices tracker):
- - Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments
- to practracker from the environment. We may want this for
- continuous integration. Closes ticket 31309.
diff --git a/changes/ticket31314 b/changes/ticket31314
deleted file mode 100644
index 7ce96e96c..000000000
--- a/changes/ticket31314
+++ /dev/null
@@ -1,18 +0,0 @@
- o Minor features (git scripts):
- - Add a -t <test-branch-prefix> argument to git-merge-forward.sh and
- git-push-all.sh, which makes these scripts create, merge forward, and
- push test branches. Closes ticket 31314.
- - Add a -r <remote-name> argument to git-push-all.sh, so the script can
- push test branches to a personal remote. Closes ticket 31314.
- - Add a -u argument to git-merge-forward.sh, so that the script can re-use
- existing test branches after a merge failure and fix.
- Closes ticket 31314.
- - Add a TOR_GIT_PUSH env var, which sets the default git push command and
- arguments for git-push-all.sh. Closes ticket 31314.
- - Add a "--" command-line argument, to
- separate git-push-all.sh script arguments from arguments that are passed
- through to git push. Closes ticket 31314.
- - Skip pushing test branches that are the same as a remote
- maint/release/master branch in git-push-all.sh by default. Add a -s
- argument, so git-push-all.sh can push all test branches.
- Closes ticket 31314.
diff --git a/changes/ticket31320 b/changes/ticket31320
deleted file mode 100644
index 07847e562..000000000
--- a/changes/ticket31320
+++ /dev/null
@@ -1,3 +0,0 @@
- o Documentation:
- - Include an example usage for IPv6 ORPort in our sample torrc.
- Closes ticket 31320; patch from Ali Raheem.
diff --git a/changes/ticket31451 b/changes/ticket31451
deleted file mode 100644
index 773d66595..000000000
--- a/changes/ticket31451
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (logging):
- - Fix a code issue that would have broken our parsing of log
- domains as soon as we had 33 of them. Fortunately, we still
- only have 29. Fixes bug 31451; bugfix on 0.4.1.4-rc.
diff --git a/changes/ticket31475 b/changes/ticket31475
deleted file mode 100644
index e156c145a..000000000
--- a/changes/ticket31475
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (configuration):
- - Invalid floating-point values in the configuration file are now
- detected treated as errors in the configuration. Previously, they
- were ignored and treated as zero. Fixes bug 31475; bugfix on
- 0.0.1.
diff --git a/changes/ticket31477 b/changes/ticket31477
deleted file mode 100644
index 5a0fdd154..000000000
--- a/changes/ticket31477
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor features (tests):
- - Add integration tests to make sure that practracker gives the outputs
- we expect. Closes ticket 31477.
diff --git a/changes/ticket31529 b/changes/ticket31529
deleted file mode 100644
index 84f982214..000000000
--- a/changes/ticket31529
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor features (debugging):
- - Log a nonfatal assertion failure if we encounter a configuration
- line whose command is "CLEAR" but which has a nonempty value.
- This should be impossible, according to the rules of our
- configuration line parsing. Closes ticket 31529.
diff --git a/changes/ticket31532 b/changes/ticket31532
deleted file mode 100644
index 95bcbc517..000000000
--- a/changes/ticket31532
+++ /dev/null
@@ -1,4 +0,0 @@
- o Code simplification and refactoring:
- - Use the ptrdiff_t type consistently for expressing variable offsets and
- pointer differences. Previously we incorrectly (but harmlessly) used
- int and sometimes off_t for these cases. Closes ticket 31532.
diff --git a/changes/ticket31545 b/changes/ticket31545
deleted file mode 100644
index 58921c2ad..000000000
--- a/changes/ticket31545
+++ /dev/null
@@ -1,5 +0,0 @@
- o Code simplification and refactoring:
- - Rewrite format_node_description() and router_get_verbose_nickname() to
- use strlcpy() and strlcat(). The previous implementation used memcpy()
- and pointer arithmetic, which was error-prone.
- Closes ticket 31545. This is CID 1452819.
diff --git a/changes/ticket31554 b/changes/ticket31554
deleted file mode 100644
index 73f4159ff..000000000
--- a/changes/ticket31554
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (stem tests):
- - Change "make test-stem" so it only runs the stem tests that use tor.
- This change makes test-stem faster and more reliable.
- Closes ticket 31554.
diff --git a/changes/ticket31578 b/changes/ticket31578
deleted file mode 100644
index 220efffa6..000000000
--- a/changes/ticket31578
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (practracker):
- - When running check-best-practices, only consider files in the
- src subdirectory. Previously we had recursively considered
- all subdirectories, which made us get confused by the
- temporary directories made by "make distcheck". Fixes bug
- 31578; bugfix on 0.4.1.1-alpha.
diff --git a/changes/ticket31625 b/changes/ticket31625
deleted file mode 100644
index 822a921e4..000000000
--- a/changes/ticket31625
+++ /dev/null
@@ -1,4 +0,0 @@
- o Code simplification and refactoring:
- - Replace our ad-hoc set of flags for configuration variables and
- configuration variable types with fine-grained orthogonal flags
- corresponding to the actual behavior we want. Closes ticket 31625.
diff --git a/changes/ticket31626 b/changes/ticket31626
deleted file mode 100644
index 443bc1eb8..000000000
--- a/changes/ticket31626
+++ /dev/null
@@ -1,4 +0,0 @@
- o Code simplification and refactoring:
- - Move our backend logic for working with configuration and state
- files into a lower-level library, since in no longer depends on
- any tor-specific functionality. Closes ticket 31626.
diff --git a/changes/ticket31637 b/changes/ticket31637
deleted file mode 100644
index b6ffa8b89..000000000
--- a/changes/ticket31637
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor features (testing):
- - Add a script to invoke "tor --dump-config" and "tor --verify-config"
- with various configuration options, and see whether tor's resulting
- configuration or error messages are what we expect. Use it for
- integration testing of our +Option and /Option flags.
- Closes ticket 31637.
diff --git a/changes/ticket31673 b/changes/ticket31673
deleted file mode 100644
index 3b2bb4a46..000000000
--- a/changes/ticket31673
+++ /dev/null
@@ -1,3 +0,0 @@
- o New system requirements (build system):
- - Do not include the deprecated <sys/sysctl.h> on Linux or Windows system.
- Closes 31673;
commit 1f4a7a4bb170c1a0ef7f70fd08993837002d8bdc
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Mon Sep 16 08:33:10 2019 -0400
Run format-changelog, add a stub blurb.
---
ChangeLog | 483 ++++++++++++++++++++++++++++++++------------------------------
1 file changed, 247 insertions(+), 236 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 721604c65..d5ae71fb8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,273 +1,285 @@
Changes in version 0.4.2.1-alpha - 2019-09-??
+ This is the first alpha release in the 0.4.2.x series. BLURB
+ BLURB BLURB.
+
+ o New system requirements (build system):
+ - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
+ system. Closes 31673;
o Major features (developer tools):
- - Our best-practices tracker now integrates with our include-checker tool
- to keep track of the layering violations that we have not yet fixed.
- We hope to reduce this number over time to improve Tor's modularity.
- Closes ticket 31176.
+ - Our best-practices tracker now integrates with our include-checker
+ tool to keep track of the layering violations that we have not yet
+ fixed. We hope to reduce this number over time to improve Tor's
+ modularity. Closes ticket 31176.
o Major features (onion service v3, denial of service):
- - Add onion service introduction denial of service defenses. They consist of
- rate limiting client introduction at the intro point using parameters that
- can be sent by the service within the ESTABLISH_INTRO cell. If the cell
- extension for this is not used, the intro point will honor the consensus
- parameters. Closes ticket 30924.
+ - Add onion service introduction denial of service defenses. They
+ consist of rate limiting client introduction at the intro point
+ using parameters that can be sent by the service within the
+ ESTABLISH_INTRO cell. If the cell extension for this is not used,
+ the intro point will honor the consensus parameters. Closes
+ ticket 30924.
o Major bugfixes (circuit build, guard):
- - When considering upgrading circuits from "waiting for guard" to "open",
- always ignore the ones that are mark for close. Else, we can end up in
- the situation where a subsystem is notified of that circuit opening but
- still marked for close leading to undesirable behavior. Fixes bug 30871;
- bugfix on 0.3.0.1-alpha.
+ - When considering upgrading circuits from "waiting for guard" to
+ "open", always ignore the ones that are mark for close. Else, we
+ can end up in the situation where a subsystem is notified of that
+ circuit opening but still marked for close leading to undesirable
+ behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.
o Major bugfixes (crash, android):
- - Tolerate systems (including some Android installations) where madvise
- and MADV_DONTDUMP are available at build-time, but not at run time.
- Previously, these systems would notice a failed syscall and abort.
- Fixes bug 31570; bugfix on 0.4.1.1-alpha.
+ - Tolerate systems (including some Android installations) where
+ madvise and MADV_DONTDUMP are available at build-time, but not at
+ run time. Previously, these systems would notice a failed syscall
+ and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
o Major bugfixes (crash, Linux):
- - Tolerate systems (including some Linux installations) where madvise
- and/or MADV_DONTFORK are available at build-time, but not at run time.
- Previously, these systems would notice a failed syscall and abort.
- Fixes bug 31696; bugfix on 0.4.1.1-alpha.
+ - Tolerate systems (including some Linux installations) where
+ madvise and/or MADV_DONTFORK are available at build-time, but not
+ at run time. Previously, these systems would notice a failed
+ syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
o Minor feature (onion service v3):
- - Do not allow single hop client to fetch or post an HS descriptor from an
- HSDir. Closes ticket 24964;
+ - Do not allow single hop client to fetch or post an HS descriptor
+ from an HSDir. Closes ticket 24964;
o Minor feature (onion service):
- - Disallow single hop clients to introduce directly at the introduction
- point. We've removed Tor2web a while back and rendezvous are blocked at
- the relays. This is to remove load off the network from spammy clients.
- Close ticket 24963.
+ - Disallow single hop clients to introduce directly at the
+ introduction point. We've removed Tor2web a while back and
+ rendezvous are blocked at the relays. This is to remove load off
+ the network from spammy clients. Close ticket 24963.
o Minor feature (token bucket):
- - Implement a generic token bucket that uses a single counter. This will be
- useful for the anti-DoS onion service work. Closes ticket 30687.
+ - Implement a generic token bucket that uses a single counter. This
+ will be useful for the anti-DoS onion service work. Closes
+ ticket 30687.
o Minor features (best practices tracker):
- - Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments
- to practracker from the environment. We may want this for
- continuous integration. Closes ticket 31309.
- - Give a warning rather than an error when a practracker exception is
- violated by a small amount; add a --list-overbroad option to
- practracker that lists exceptions that are stricter than they need to
- be, and provide an environment variable for disabling
+ - Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments to
+ practracker from the environment. We may want this for continuous
+ integration. Closes ticket 31309.
+ - Give a warning rather than an error when a practracker exception
+ is violated by a small amount; add a --list-overbroad option to
+ practracker that lists exceptions that are stricter than they need
+ to be, and provide an environment variable for disabling
practracker. Closes ticekt 30752.
o Minor features (build system):
- - Add --disable-manpage and --disable-html-manual options to configure
- script. This will enable shortening build times by not building
- documentation. Resolves issue 19381.
+ - Add --disable-manpage and --disable-html-manual options to
+ configure script. This will enable shortening build times by not
+ building documentation. Resolves issue 19381.
o Minor features (compilation):
- - Log a more useful error message when we are compiling and one of the
- compile-time hardening options we have selected can be linked but
- not executed. Closes ticket 27530.
+ - Log a more useful error message when we are compiling and one of
+ the compile-time hardening options we have selected can be linked
+ but not executed. Closes ticket 27530.
o Minor features (configuration):
- The configuration code has been extended to allow splitting
configuration data across multiple objects. Previously, all
configuration data needed to be kept in a single object, which
- tended to become bloated. Closes ticket 31240.
+ tended to become bloated. Closes ticket 31240.
o Minor features (continuous integration):
- - When running CI builds on Travis, put some random data in ~/.torrc,
- to make sure no tests are dependent on default Tor configuration.
- Resolves issue 30102.
+ - When running CI builds on Travis, put some random data in
+ ~/.torrc, to make sure no tests are dependent on default Tor
+ configuration. Resolves issue 30102.
o Minor features (debugging):
- Log a nonfatal assertion failure if we encounter a configuration
- line whose command is "CLEAR" but which has a nonempty value.
- This should be impossible, according to the rules of our
- configuration line parsing. Closes ticket 31529.
+ line whose command is "CLEAR" but which has a nonempty value. This
+ should be impossible, according to the rules of our configuration
+ line parsing. Closes ticket 31529.
o Minor features (development tools):
- - Our best-practices tracker now looks at headers as well as
- C files. Closes ticket 31175.
+ - Our best-practices tracker now looks at headers as well as C
+ files. Closes ticket 31175.
o Minor features (git hooks):
- - Our pre-commit git hook now checks for a special file
- before running practracker, so that practracker only runs on branches
- that are based on master. Since the pre-push hook calls the pre-commit
- hook, practracker will also only run before pushes of branches based
- on master.
- Closes ticket 30979.
+ - Our pre-commit git hook now checks for a special file before
+ running practracker, so that practracker only runs on branches
+ that are based on master. Since the pre-push hook calls the pre-
+ commit hook, practracker will also only run before pushes of
+ branches based on master. Closes ticket 30979.
o Minor features (git scripts):
- - Add a "--" command-line argument, to
- separate git-push-all.sh script arguments from arguments that are passed
- through to git push. Closes ticket 31314.
- - Add a -r <remote-name> argument to git-push-all.sh, so the script can
- push test branches to a personal remote. Closes ticket 31314.
+ - Add a "--" command-line argument, to separate git-push-all.sh
+ script arguments from arguments that are passed through to git
+ push. Closes ticket 31314.
+ - Add a -r <remote-name> argument to git-push-all.sh, so the script
+ can push test branches to a personal remote. Closes ticket 31314.
- Add a -t <test-branch-prefix> argument to git-merge-forward.sh and
- git-push-all.sh, which makes these scripts create, merge forward, and
- push test branches. Closes ticket 31314.
- - Add a -u argument to git-merge-forward.sh, so that the script can re-use
- existing test branches after a merge failure and fix.
+ git-push-all.sh, which makes these scripts create, merge forward,
+ and push test branches. Closes ticket 31314.
+ - Add a -u argument to git-merge-forward.sh, so that the script can
+ re-use existing test branches after a merge failure and fix.
Closes ticket 31314.
- - Add a TOR_GIT_PUSH env var, which sets the default git push command and
- arguments for git-push-all.sh. Closes ticket 31314.
- - Add a TOR_PUSH_DELAY variable to git-push-all.sh, which makes the script
- push master and maint branches with a delay between each branch. These
- delays trigger the CI jobs in a set order, which should show the most
- likely failures first. Also make pushes atomic by default, and make
- the script pass any command-line arguments to git push.
- Closes ticket 29879.
- - Call the shellcheck script from the pre-commit hook.
- Closes ticket 30967.
+ - Add a TOR_GIT_PUSH env var, which sets the default git push
+ command and arguments for git-push-all.sh. Closes ticket 31314.
+ - Add a TOR_PUSH_DELAY variable to git-push-all.sh, which makes the
+ script push master and maint branches with a delay between each
+ branch. These delays trigger the CI jobs in a set order, which
+ should show the most likely failures first. Also make pushes
+ atomic by default, and make the script pass any command-line
+ arguments to git push. Closes ticket 29879.
+ - Call the shellcheck script from the pre-commit hook. Closes
+ ticket 30967.
- Skip pushing test branches that are the same as a remote
- maint/release/master branch in git-push-all.sh by default. Add a -s
- argument, so git-push-all.sh can push all test branches.
- Closes ticket 31314.
+ maint/release/master branch in git-push-all.sh by default. Add a
+ -s argument, so git-push-all.sh can push all test branches. Closes
+ ticket 31314.
o Minor features (IPv6, logging):
- Log IPv6 addresses as well as IPv4 addresses, when describing
routerinfos, routerstatuses, and nodes. Closes ticket 21003.
o Minor features (recommended packages):
- - No longer include recommended packages in votes as detailed in proposal
- 301. The RecommendedPackages torrc option is deprecated and will no
- longer have any effect. "package" lines will still be considered when
- computing consensuses for consensus methods that include them. Fixes
- ticket 29738.
+ - No longer include recommended packages in votes as detailed in
+ proposal 301. The RecommendedPackages torrc option is deprecated
+ and will no longer have any effect. "package" lines will still be
+ considered when computing consensuses for consensus methods that
+ include them. Fixes ticket 29738.
o Minor features (stem tests):
- - Change "make test-stem" so it only runs the stem tests that use tor.
- This change makes test-stem faster and more reliable.
- Closes ticket 31554.
+ - Change "make test-stem" so it only runs the stem tests that use
+ tor. This change makes test-stem faster and more reliable. Closes
+ ticket 31554.
o Minor features (testing):
- - Add a script to invoke "tor --dump-config" and "tor --verify-config"
- with various configuration options, and see whether tor's resulting
- configuration or error messages are what we expect. Use it for
- integration testing of our +Option and /Option flags.
- Closes ticket 31637.
+ - Add a script to invoke "tor --dump-config" and "tor
+ --verify-config" with various configuration options, and see
+ whether tor's resulting configuration or error messages are what
+ we expect. Use it for integration testing of our +Option and
+ /Option flags. Closes ticket 31637.
- Improve test coverage for our existing configuration parsing and
management API. Closes ticket 30893.
o Minor features (tests):
- - Add integration tests to make sure that practracker gives the outputs
- we expect. Closes ticket 31477.
+ - Add integration tests to make sure that practracker gives the
+ outputs we expect. Closes ticket 31477.
- The practracker tests are now run as part of the Tor test suite.
Closes ticket 31304.
o Minor bugfixes (best practices tracker):
- - Fix a few issues in the best-practices script, including tests, tab
- tolerance, error reporting, and directory-exclusion logic. Fixes bug
- 29746; bugfix on 0.4.1.1-alpha.
+ - Fix a few issues in the best-practices script, including tests,
+ tab tolerance, error reporting, and directory-exclusion logic.
+ Fixes bug 29746; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (chutney, makefiles, documentation):
- - "make test-network-all" shows the warnings from each test-network.sh
- run on the console, so developers see new warnings early. Improve the
- documentation for this feature, and rename a Makefile variable so the
- code is self-documenting. Fixes bug 30455; bugfix on 0.3.0.4-rc.
+ - "make test-network-all" shows the warnings from each test-
+ network.sh run on the console, so developers see new warnings
+ early. Improve the documentation for this feature, and rename a
+ Makefile variable so the code is self-documenting. Fixes bug
+ 30455; bugfix on 0.3.0.4-rc.
o Minor bugfixes (compilation):
- - Add more stub functions to fix compilation on Android with LTO, when
- --disable-module-dirauth is used. Previously, these compilation
- settings would make the compiler look for functions that didn't exist.
- Fixes bug 31552; bugfix on 0.4.1.1-alpha.
+ - Add more stub functions to fix compilation on Android with LTO,
+ when --disable-module-dirauth is used. Previously, these
+ compilation settings would make the compiler look for functions
+ that didn't exist. Fixes bug 31552; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (configuration):
- Invalid floating-point values in the configuration file are now
detected treated as errors in the configuration. Previously, they
- were ignored and treated as zero. Fixes bug 31475; bugfix on
- 0.0.1.
+ were ignored and treated as zero. Fixes bug 31475; bugfix
+ on 0.0.1.
o Minor bugfixes (coverity compliance):
- - Add an assertion when parsing a BEGIN cell so that coverity can be sure
- that we are not about to dereference a NULL address.
- Fixes bug 31026; bugfix on 0.2.4.7-alpha. This is CID
- 1447296.
+ - Add an assertion when parsing a BEGIN cell so that coverity can be
+ sure that we are not about to dereference a NULL address. Fixes
+ bug 31026; bugfix on 0.2.4.7-alpha. This is CID 1447296.
o Minor bugfixes (coverity):
- - In our siphash implementation, when building for coverity, use memcpy
- in place of a switch statement, so that coverity can tell we are not
- accessing out-of-bounds memory. Fixes bug 31025; bugfix on
- 0.2.8.1-alpha. This is tracked as CID 1447293 and 1447295.
+ - In our siphash implementation, when building for coverity, use
+ memcpy in place of a switch statement, so that coverity can tell
+ we are not accessing out-of-bounds memory. Fixes bug 31025; bugfix
+ on 0.2.8.1-alpha. This is tracked as CID 1447293 and 1447295.
o Minor bugfixes (coverity, tests):
- - Fix several coverity warnings from our unit tests. Fixes bug 31030;
- bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
+ - Fix several coverity warnings from our unit tests. Fixes bug
+ 31030; bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
o Minor bugfixes (developer tooling):
- - Only log git script changes in post-merge script when merge was to the
- master branch. Fixes bug 31040; bugfix on 0.4.1.1-alpha.
+ - Only log git script changes in post-merge script when merge was to
+ the master branch. Fixes bug 31040; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (directory authorities):
- - Return a distinct status when formatting annotations fails.
- Fixes bug 30780; bugfix on 0.2.0.8-alpha.
+ - Return a distinct status when formatting annotations fails. Fixes
+ bug 30780; bugfix on 0.2.0.8-alpha.
o Minor bugfixes (error handling):
- - On abort, try harder to flush the output buffers of log messages. On
- some platforms (macOS), log messages can be discarded when the process
- terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- - Report the tor version whenever an assertion fails. Previously, we only
- reported the Tor version on some crashes, and some non-fatal assertions.
- Fixes bug 31571; bugfix on 0.3.5.1-alpha.
+ - On abort, try harder to flush the output buffers of log messages.
+ On some platforms (macOS), log messages can be discarded when the
+ process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
+ - Report the tor version whenever an assertion fails. Previously, we
+ only reported the Tor version on some crashes, and some non-fatal
+ assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
- When tor aborts due to an error, close log file descriptors before
aborting. Closing the logs makes some OSes flush log file buffers,
- rather than deleting buffered log lines. Fixes bug 31594;
- bugfix on 0.2.5.2-alpha.
+ rather than deleting buffered log lines. Fixes bug 31594; bugfix
+ on 0.2.5.2-alpha.
o Minor bugfixes (git hooks):
- - Remove a duplicate call to practracker from the pre-push hook.
- The pre-push hook already calls the pre-commit hook, which calls
+ - Remove a duplicate call to practracker from the pre-push hook. The
+ pre-push hook already calls the pre-commit hook, which calls
practracker. Fixes bug 31462; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (git scripts):
- Stop hard-coding the bash path in the git scripts. Some OSes don't
have bash in /usr/bin, others have an ancient bash at this path.
Fixes bug 30840; bugfix on 0.4.0.1-alpha.
- - Stop hard-coding the tor master branch name and worktree path in the
- git scripts. Fixes bug 30841; bugfix on 0.4.0.1-alpha.
+ - Stop hard-coding the tor master branch name and worktree path in
+ the git scripts. Fixes bug 30841; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (guards):
- - When tor is missing descriptors for some primary entry guards, make the
- log message less alarming. It's normal for descriptors to expire, as long
- as tor fetches new ones soon after. Fixes bug 31657;
- bugfix on 0.3.3.1-alpha.
+ - When tor is missing descriptors for some primary entry guards,
+ make the log message less alarming. It's normal for descriptors to
+ expire, as long as tor fetches new ones soon after. Fixes bug
+ 31657; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (ipv6):
- - We check for private IPv6 address alongside their IPv4 equivalents when
- authorities check descriptors. Previously, we only checked for private
- IPv4 addresses. Fixes bug 31088; bugfix on 0.2.3.21-rc. Patch by Neel
- Chauhan.
- - When parsing microdescriptors, we should check the IPv6 exit policy
- alongside IPv4. Previously, we checked both exit policies for only
- router info structures, while microdescriptors were IPv4-only. Fixes
- bug 27284; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan.
+ - We check for private IPv6 address alongside their IPv4 equivalents
+ when authorities check descriptors. Previously, we only checked
+ for private IPv4 addresses. Fixes bug 31088; bugfix on
+ 0.2.3.21-rc. Patch by Neel Chauhan.
+ - When parsing microdescriptors, we should check the IPv6 exit
+ policy alongside IPv4. Previously, we checked both exit policies
+ for only router info structures, while microdescriptors were
+ IPv4-only. Fixes bug 27284; bugfix on 0.2.3.1-alpha. Patch by
+ Neel Chauhan.
o Minor bugfixes (logging):
- - Change log level of message "Hash of session info was not as expected"
- to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix on 0.1.1.10-alpha.
- - Fix a code issue that would have broken our parsing of log
- domains as soon as we had 33 of them. Fortunately, we still
- only have 29. Fixes bug 31451; bugfix on 0.4.1.4-rc.
+ - Change log level of message "Hash of session info was not as
+ expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
+ on 0.1.1.10-alpha.
+ - Fix a code issue that would have broken our parsing of log domains
+ as soon as we had 33 of them. Fortunately, we still only have 29.
+ Fixes bug 31451; bugfix on 0.4.1.4-rc.
o Minor bugfixes (memory management):
- Stop leaking a small amount of memory in nt_service_install(), in
- unreachable code. Fixes bug 30799; bugfix on 0.2.0.7-alpha.
- Patch by Xiaoyin Liu.
+ unreachable code. Fixes bug 30799; bugfix on 0.2.0.7-alpha. Patch
+ by Xiaoyin Liu.
o Minor bugfixes (networking, IP addresses):
- - When parsing addreses via Tor's internal DNS lookup API, reject IPv4
- addresses in square brackets, and accept IPv6 addresses in square
- brackets. This change completes the work started in 23082, making
- address parsing consistent between tor's internal DNS lookup and address
- parsing APIs. Fixes bug 30721; bugfix on 0.2.1.5-alpha.
+ - When parsing addreses via Tor's internal DNS lookup API, reject
+ IPv4 addresses in square brackets, and accept IPv6 addresses in
+ square brackets. This change completes the work started in 23082,
+ making address parsing consistent between tor's internal DNS
+ lookup and address parsing APIs. Fixes bug 30721; bugfix
+ on 0.2.1.5-alpha.
- When parsing addreses via Tor's internal address:port parsing and
DNS lookup APIs, require IPv6 addresses with ports to have square
- brackets. But allow IPv6 addresses without ports, whether or not they
- have square brackets. Fixes bug 30721; bugfix on 0.2.1.5-alpha.
+ brackets. But allow IPv6 addresses without ports, whether or not
+ they have square brackets. Fixes bug 30721; bugfix
+ on 0.2.1.5-alpha.
o Minor bugfixes (onion service v3):
- When purging the client descriptor cache, always also close any
- introduction point circuits associated with it. This avoids picking those
- when connecting to them later while not having the descriptor to complete
- the introduction. Fixes bug 30921; bugfix on 0.3.2.1-alpha.
+ introduction point circuits associated with it. This avoids
+ picking those when connecting to them later while not having the
+ descriptor to complete the introduction. Fixes bug 30921; bugfix
+ on 0.3.2.1-alpha.
o Minor bugfixes (onion services):
- In the hs_ident_circuit_t data structure, remove the unused field
@@ -277,128 +289,127 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
bug 31490; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (operator tools):
- - Make tor-print-ed-signing-cert(1) print certificate expiration date in
- RFC 1123 and UNIX timestamp formats, to make output machine readable.
- Fixes bug 31012; bugfix on 0.3.5.1-alpha.
+ - Make tor-print-ed-signing-cert(1) print certificate expiration
+ date in RFC 1123 and UNIX timestamp formats, to make output
+ machine readable. Fixes bug 31012; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (practracker):
- - When running check-best-practices, only consider files in the
- src subdirectory. Previously we had recursively considered
- all subdirectories, which made us get confused by the
- temporary directories made by "make distcheck". Fixes bug
- 31578; bugfix on 0.4.1.1-alpha.
+ - When running check-best-practices, only consider files in the src
+ subdirectory. Previously we had recursively considered all
+ subdirectories, which made us get confused by the temporary
+ directories made by "make distcheck". Fixes bug 31578; bugfix
+ on 0.4.1.1-alpha.
o Minor bugfixes (rust):
- - Correctly exclude a redundant rust build job in Travis. Fixes bug 31463;
- bugfix on 0.3.5.4-alpha.
+ - Correctly exclude a redundant rust build job in Travis. Fixes bug
+ 31463; bugfix on 0.3.5.4-alpha.
- Raise the minimum rustc version to 1.31.0, as checked by configure
and CI. Fixes bug 31442; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (sendme, code structure):
- Rename the trunnel SENDME file definition from sendme.trunnel to
- sendme_cell.trunnel to avoid having twice sendme.{c|h} in the repository.
- Fixes bug 30769; bugfix on 0.4.1.1-alpha.
+ sendme_cell.trunnel to avoid having twice sendme.{c|h} in the
+ repository. Fixes bug 30769; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (statistics):
- - Stop removing the ed25519 signature if the extra info file is too big.
- If the signature data was removed, but the keyword was kept, this could
- result in an unparseable extra info file. Fixes bug 30958;
- bugfix on 0.2.7.2-alpha.
+ - Stop removing the ed25519 signature if the extra info file is too
+ big. If the signature data was removed, but the keyword was kept,
+ this could result in an unparseable extra info file. Fixes bug
+ 30958; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (subsystems):
- - Make the subsystem init order match the subsystem module dependencies.
- Call windows process security APIs as early as possible. Init log before
- network and time, so that network and time can use logging.
- Fixes bug 31615; bugfix on 0.4.0.1-alpha.
+ - Make the subsystem init order match the subsystem module
+ dependencies. Call windows process security APIs as early as
+ possible. Init log before network and time, so that network and
+ time can use logging. Fixes bug 31615; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Teach the util/socketpair_ersatz test to work correctly when we
- have no network stack configured. Fixes bug 30804; bugfix on
- 0.2.5.1-alpha.
+ have no network stack configured. Fixes bug 30804; bugfix
+ on 0.2.5.1-alpha.
o Minor bugfixes (v2 single onion services):
- - Always retry v2 single onion service intro and rend circuits with a
- 3-hop path. Previously, v2 single onion services used a 3-hop path
- when rend circuits were retried after a remote or delayed failure,
- but a 1-hop path for immediate retries. Fixes bug 23818;
+ - Always retry v2 single onion service intro and rend circuits with
+ a 3-hop path. Previously, v2 single onion services used a 3-hop
+ path when rend circuits were retried after a remote or delayed
+ failure, but a 1-hop path for immediate retries. Fixes bug 23818;
bugfix on 0.2.9.3-alpha.
o Minor bugfixes (v3 single onion services):
- - Always retry v3 single onion service intro and rend circuits with a
- 3-hop path. Previously, v3 single onion services used a 3-hop path
- when rend circuits were retried after a remote or delayed failure,
- but a 1-hop path for immediate retries. Fixes bug 23818;
+ - Always retry v3 single onion service intro and rend circuits with
+ a 3-hop path. Previously, v3 single onion services used a 3-hop
+ path when rend circuits were retried after a remote or delayed
+ failure, but a 1-hop path for immediate retries. Fixes bug 23818;
bugfix on 0.3.2.1-alpha.
- - Make v3 single onion services fall back to a 3-hop intro, when there
- all intro points are unreachable via a 1-hop path. Previously, v3
- single onion services failed when all intro nodes were unreachable
- via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
+ - Make v3 single onion services fall back to a 3-hop intro, when
+ there all intro points are unreachable via a 1-hop path.
+ Previously, v3 single onion services failed when all intro nodes
+ were unreachable via a 1-hop path. Fixes bug 23507; bugfix
+ on 0.3.2.1-alpha.
o Code simplification and refactoring:
- Eliminate some uses of lower-level control reply abstractions,
primarily in the onion_helper functions. Closes ticket 30889.
- Extract our variable manipulation code from confparse.c to a new
lower-level typedvar.h module. Closes ticket 30864.
- - Improve documentation in circuit padding subsystem. Patch by Tobias
- Pulls. Closes ticket 31113.
- - Lower another layer of object management from confparse.c to
- a more general tool. Now typed structure members are accessible
- via an abstract type. Implements ticket 30914.
+ - Improve documentation in circuit padding subsystem. Patch by
+ Tobias Pulls. Closes ticket 31113.
+ - Lower another layer of object management from confparse.c to a
+ more general tool. Now typed structure members are accessible via
+ an abstract type. Implements ticket 30914.
- Move our backend logic for working with configuration and state
files into a lower-level library, since in no longer depends on
any tor-specific functionality. Closes ticket 31626.
- - Numerous simplifications in configuration-handling logic:
- remove duplicated macro definitions, replace magical names
- with flags, and refactor "TestingTorNetwork" to use the
- same default-option logic as the rest of Tor.
- Closes ticket 30935.
+ - Numerous simplifications in configuration-handling logic: remove
+ duplicated macro definitions, replace magical names with flags,
+ and refactor "TestingTorNetwork" to use the same default-option
+ logic as the rest of Tor. Closes ticket 30935.
- Replace our ad-hoc set of flags for configuration variables and
configuration variable types with fine-grained orthogonal flags
corresponding to the actual behavior we want. Closes ticket 31625.
- Rework bootstrap tracking to use the new publish-subscribe
subsystem. Closes ticket 29976.
- - Rewrite format_node_description() and router_get_verbose_nickname() to
- use strlcpy() and strlcat(). The previous implementation used memcpy()
- and pointer arithmetic, which was error-prone.
- Closes ticket 31545. This is CID 1452819.
- - Split extrainfo_dump_to_string() into smaller functions.
- Closes ticket 30956.
- - Use the ptrdiff_t type consistently for expressing variable offsets and
- pointer differences. Previously we incorrectly (but harmlessly) used
- int and sometimes off_t for these cases. Closes ticket 31532.
+ - Rewrite format_node_description() and router_get_verbose_nickname()
+ to use strlcpy() and strlcat(). The previous implementation used
+ memcpy() and pointer arithmetic, which was error-prone. Closes
+ ticket 31545. This is CID 1452819.
+ - Split extrainfo_dump_to_string() into smaller functions. Closes
+ ticket 30956.
+ - Use the ptrdiff_t type consistently for expressing variable
+ offsets and pointer differences. Previously we incorrectly (but
+ harmlessly) used int and sometimes off_t for these cases. Closes
+ ticket 31532.
- Use the subsystems mechanism to manage the main event loop code.
Closes ticket 30806.
- - Various simplifications and minor improvements to the circuit padding
- machines. Patch by Tobias Pulls. Closes tickets 31112 and 31098.
-
- o Documentation (hard-coded directories):
- - Improve the documentation for the DirAuthority and FallbackDir torrc
- options. Closes ticket 30955.
-
- o Documentation (tor.1 man page):
- - Fix typo -help to --help in tor.1 man page. Fixes bug 31008; bugfix on
- 0.2.2.9-alpha.
+ - Various simplifications and minor improvements to the circuit
+ padding machines. Patch by Tobias Pulls. Closes tickets 31112
+ and 31098.
o Documentation:
- Include an example usage for IPv6 ORPort in our sample torrc.
Closes ticket 31320; patch from Ali Raheem.
- - Use RFC 2397 data URL scheme to embed image into tor-exit-notice.html
- so that operators would no longer have to host it themselves.
- Closes ticket 31089.
-
- o New system requirements (build system):
- - Do not include the deprecated <sys/sysctl.h> on Linux or Windows system.
- Closes 31673;
+ - Use RFC 2397 data URL scheme to embed image into tor-exit-
+ notice.html so that operators would no longer have to host it
+ themselves. Closes ticket 31089.
o Removed features:
- - Remove torctl.in from contrib/dist directory. Resolves ticket 30550.
+ - Remove torctl.in from contrib/dist directory. Resolves
+ ticket 30550.
o Testing:
- - Run shellcheck for all non-third-party shell scripts that are shipped
- with Tor. Closes ticket 29533.
+ - Run shellcheck for all non-third-party shell scripts that are
+ shipped with Tor. Closes ticket 29533.
- When checking shell scripts, ignore any user-created directories.
Closes ticket 30967.
+ o Documentation (hard-coded directories):
+ - Improve the documentation for the DirAuthority and FallbackDir
+ torrc options. Closes ticket 30955.
+
+ o Documentation (tor.1 man page):
+ - Fix typo -help to --help in tor.1 man page. Fixes bug 31008;
+ bugfix on 0.2.2.9-alpha.
+
Changes in version 0.4.1.5 - 2019-08-20
This is the first stable release in the 0.4.1.x series. This series

16 Sep '19
commit 804260828b13e76aa54fe04789737632d1479eb6
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Mon Sep 16 08:40:21 2019 -0400
sort and coalesce some changelog sections
---
ChangeLog | 52 ++++++++++++++++++++--------------------------------
1 file changed, 20 insertions(+), 32 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d5ae71fb8..3b288b553 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,16 +2,6 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
This is the first alpha release in the 0.4.2.x series. BLURB
BLURB BLURB.
- o New system requirements (build system):
- - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
- system. Closes 31673;
-
- o Major features (developer tools):
- - Our best-practices tracker now integrates with our include-checker
- tool to keep track of the layering violations that we have not yet
- fixed. We hope to reduce this number over time to improve Tor's
- modularity. Closes ticket 31176.
-
o Major features (onion service v3, denial of service):
- Add onion service introduction denial of service defenses. They
consist of rate limiting client introduction at the intro point
@@ -41,7 +31,7 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
o Minor feature (onion service v3):
- Do not allow single hop client to fetch or post an HS descriptor
- from an HSDir. Closes ticket 24964;
+ from an HSDir. Closes ticket 24964.
o Minor feature (onion service):
- Disallow single hop clients to introduce directly at the
@@ -55,6 +45,10 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
ticket 30687.
o Minor features (best practices tracker):
+ - Our best-practices tracker now integrates with our include-checker
+ tool to keep track of the layering violations that we have not yet
+ fixed. We hope to reduce this number over time to improve Tor's
+ modularity. Closes ticket 31176.
- Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments to
practracker from the environment. We may want this for continuous
integration. Closes ticket 31309.
@@ -133,13 +127,6 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
- Log IPv6 addresses as well as IPv4 addresses, when describing
routerinfos, routerstatuses, and nodes. Closes ticket 21003.
- o Minor features (recommended packages):
- - No longer include recommended packages in votes as detailed in
- proposal 301. The RecommendedPackages torrc option is deprecated
- and will no longer have any effect. "package" lines will still be
- considered when computing consensuses for consensus methods that
- include them. Fixes ticket 29738.
-
o Minor features (stem tests):
- Change "make test-stem" so it only runs the stem tests that use
tor. This change makes test-stem faster and more reliable. Closes
@@ -153,8 +140,6 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
/Option flags. Closes ticket 31637.
- Improve test coverage for our existing configuration parsing and
management API. Closes ticket 30893.
-
- o Minor features (tests):
- Add integration tests to make sure that practracker gives the
outputs we expect. Closes ticket 31477.
- The practracker tests are now run as part of the Tor test suite.
@@ -164,6 +149,15 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
- Fix a few issues in the best-practices script, including tests,
tab tolerance, error reporting, and directory-exclusion logic.
Fixes bug 29746; bugfix on 0.4.1.1-alpha.
+ - When running check-best-practices, only consider files in the src
+ subdirectory. Previously we had recursively considered all
+ subdirectories, which made us get confused by the temporary
+ directories made by "make distcheck". Fixes bug 31578; bugfix
+ on 0.4.1.1-alpha.
+
+ o Minor bugfixes (build system):
+ - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
+ system. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (chutney, makefiles, documentation):
- "make test-network-all" shows the warnings from each test-
@@ -184,18 +178,14 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
were ignored and treated as zero. Fixes bug 31475; bugfix
on 0.0.1.
- o Minor bugfixes (coverity compliance):
+ o Minor bugfixes (coverity):
- Add an assertion when parsing a BEGIN cell so that coverity can be
sure that we are not about to dereference a NULL address. Fixes
bug 31026; bugfix on 0.2.4.7-alpha. This is CID 1447296.
-
- o Minor bugfixes (coverity):
- In our siphash implementation, when building for coverity, use
memcpy in place of a switch statement, so that coverity can tell
we are not accessing out-of-bounds memory. Fixes bug 31025; bugfix
on 0.2.8.1-alpha. This is tracked as CID 1447293 and 1447295.
-
- o Minor bugfixes (coverity, tests):
- Fix several coverity warnings from our unit tests. Fixes bug
31030; bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
@@ -293,13 +283,6 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
date in RFC 1123 and UNIX timestamp formats, to make output
machine readable. Fixes bug 31012; bugfix on 0.3.5.1-alpha.
- o Minor bugfixes (practracker):
- - When running check-best-practices, only consider files in the src
- subdirectory. Previously we had recursively considered all
- subdirectories, which made us get confused by the temporary
- directories made by "make distcheck". Fixes bug 31578; bugfix
- on 0.4.1.1-alpha.
-
o Minor bugfixes (rust):
- Correctly exclude a redundant rust build job in Travis. Fixes bug
31463; bugfix on 0.3.5.4-alpha.
@@ -393,6 +376,11 @@ Changes in version 0.4.2.1-alpha - 2019-09-??
themselves. Closes ticket 31089.
o Removed features:
+ - No longer include recommended packages in votes as detailed in
+ proposal 301. The RecommendedPackages torrc option is deprecated
+ and will no longer have any effect. "package" lines will still be
+ considered when computing consensuses for consensus methods that
+ include them. Closes ticket 29738.
- Remove torctl.in from contrib/dist directory. Resolves
ticket 30550.
commit cd72850e08f39413d281a480a78f38838ddf42e9
Merge: 5ec751b38 bfc5f0997
Author: George Kadianakis <desnacked(a)riseup.net>
Date: Mon Sep 16 15:22:18 2019 +0300
Merge branch 'tor-github/pr/1316'
changes/ticket31475 | 5 +++++
src/lib/confmgt/type_defs.c | 20 ++++++++++++++++++--
src/test/test_confparse.c | 16 ++++++++++++++++
3 files changed, 39 insertions(+), 2 deletions(-)

16 Sep '19
commit bfc5f09979d49867b373b9433edf37adce8c66dd
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Fri Sep 13 18:24:15 2019 -0400
Detect overflow or underflow on double config values.
Any floating point value too positive or negative to distinguish
from +/-Inf, or too small to distinguish from +/-0, is an
over/underflow.
---
src/lib/confmgt/type_defs.c | 13 +++++++++++--
src/test/test_confparse.c | 12 ++++++++++++
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/lib/confmgt/type_defs.c b/src/lib/confmgt/type_defs.c
index 137af4ed9..6b0eac782 100644
--- a/src/lib/confmgt/type_defs.c
+++ b/src/lib/confmgt/type_defs.c
@@ -37,6 +37,7 @@
#include <stddef.h>
#include <string.h>
+#include <errno.h>
//////
// CONFIG_TYPE_STRING
@@ -284,15 +285,23 @@ double_parse(void *target, const char *value, char **errmsg,
(void)errmsg;
double *v = (double*)target;
char *endptr=NULL;
+ errno = 0;
*v = strtod(value, &endptr);
if (endptr == value || *endptr != '\0') {
// Either there are no converted characters, or there were some characters
// that didn't get converted.
tor_asprintf(errmsg, "Could not convert %s to a number.", escaped(value));
return -1;
- } else {
- return 0;
}
+ if (errno == ERANGE) {
+ // strtod will set errno to ERANGE on underflow or overflow.
+ bool underflow = -.00001 < *v && *v < .00001;
+ tor_asprintf(errmsg,
+ "%s is too %s to express as a floating-point number.",
+ escaped(value), underflow ? "small" : "large");
+ return -1;
+ }
+ return 0;
}
static char *
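Review bot: The new `errno == ERANGE` branch in double_parse() rejects out-of-range literals, but the spellings that strtod() itself parses as non-finite ("inf", "infinity", "nan") convert completely without touching errno. They therefore still return 0 and store a non-finite double in the option. If no double-typed option is meant to accept those, a finiteness test after the range check would close the gap, e.g. `if (!isfinite(*v)) { /* set errmsg */ return -1; }` with `<math.h>`, plus a matching BADVAL_TEST entry. The context line `(void)errmsg;` is also stale now that errmsg is passed to tor_asprintf(). The opening lines of double_parse() are outside this hunk.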
diff --git a/src/test/test_confparse.c b/src/test/test_confparse.c
index a4da6c7c9..f04853af7 100644
--- a/src/test/test_confparse.c
+++ b/src/test/test_confparse.c
@@ -490,6 +490,14 @@ static const badval_test_t bv_negint = { "pos -10\n", "out of bounds" };
static const badval_test_t bv_badu64 = { "u64 u64\n", "malformed" };
static const badval_test_t bv_dbl1 = { "dbl xxx\n", "Could not convert" };
static const badval_test_t bv_dbl2 = { "dbl 1.0 xx\n", "Could not convert" };
+static const badval_test_t bv_dbl3 = {
+ "dbl 1e-10000\n", "too small to express" };
+static const badval_test_t bv_dbl4 = {
+ "dbl 1e1000\n", "too large to express" };
+static const badval_test_t bv_dbl5 = {
+ "dbl -1e-10000\n", "too small to express" };
+static const badval_test_t bv_dbl6 = {
+ "dbl -1e1000\n", "too large to express" };
static const badval_test_t bv_badcsvi1 =
{ "csv_interval 10 wl\n", "malformed" };
static const badval_test_t bv_badcsvi2 =
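Review bot: bv_dbl3 and bv_dbl5 expect the "too small to express" message, which is produced only if strtod() sets errno to ERANGE on underflow. The C standard leaves that implementation-defined, so on a libc that returns zero or a tiny value without setting errno these two cases would see the value accepted and the test would fail. I would record the dependency next to the definitions, e.g. `/* Relies on strtod() reporting ERANGE on underflow; C leaves this implementation-defined. */`, so a failure on a new platform is easy to diagnose.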
@@ -1049,6 +1057,10 @@ struct testcase_t confparse_tests[] = {
BADVAL_TEST(badu64),
BADVAL_TEST(dbl1),
BADVAL_TEST(dbl2),
+ BADVAL_TEST(dbl3),
+ BADVAL_TEST(dbl4),
+ BADVAL_TEST(dbl5),
+ BADVAL_TEST(dbl6),
BADVAL_TEST(badcsvi1),
BADVAL_TEST(badcsvi2),
BADVAL_TEST(nonoption),

[tor/master] Use strtod, not atof, for parsing doubles in the configuration.
by asn@torproject.org 16 Sep '19
commit 9d604959036bd02e7ff0ca1bd33f842664610b82
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Tue Sep 10 18:59:10 2019 -0400
Use strtod, not atof, for parsing doubles in the configuration.
This lets us detect erroneous doubles, which previously we could not
do.
Fixes bug 31475; bugfix on commit 00a9e3732e88, a.k.a svn:r136.
---
changes/ticket31475 | 5 +++++
src/lib/confmgt/type_defs.c | 13 ++++++++++---
src/test/test_confparse.c | 4 ++++
3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/changes/ticket31475 b/changes/ticket31475
new file mode 100644
index 000000000..e156c145a
--- /dev/null
+++ b/changes/ticket31475
@@ -0,0 +1,5 @@
+ o Minor bugfixes (configuration):
+ - Invalid floating-point values in the configuration file are now
+ detected treated as errors in the configuration. Previously, they
+ were ignored and treated as zero. Fixes bug 31475; bugfix on
+ 0.0.1.
diff --git a/src/lib/confmgt/type_defs.c b/src/lib/confmgt/type_defs.c
index f8b2681aa..137af4ed9 100644
--- a/src/lib/confmgt/type_defs.c
+++ b/src/lib/confmgt/type_defs.c
@@ -283,9 +283,16 @@ double_parse(void *target, const char *value, char **errmsg,
(void)params;
(void)errmsg;
double *v = (double*)target;
- // XXXX This is the preexisting behavior, but we should detect errors here.
- *v = atof(value);
- return 0;
+ char *endptr=NULL;
+ *v = strtod(value, &endptr);
+ if (endptr == value || *endptr != '\0') {
+ // Either there are no converted characters, or there were some characters
+ // that didn't get converted.
+ tor_asprintf(errmsg, "Could not convert %s to a number.", escaped(value));
+ return -1;
+ } else {
+ return 0;
+ }
}
static char *
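Review bot: `*v = strtod(value, &endptr);` writes through `target` before the endptr check, so when double_parse() returns -1 the destination already holds the partial conversion (0 for "xxx", 1.0 for "1.0 xx"). Whether any caller reads the field after a failed parse is not visible from this hunk. Converting into a local with `double d = strtod(value, &endptr);` and assigning `*v = d;` only on the success path removes that dependency. The same ordering carries over to the ERANGE branch added in commit bfc5f09979d49867b373b9433edf37adce8c66dd. The start of double_parse() is outside the hunk.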
diff --git a/src/test/test_confparse.c b/src/test/test_confparse.c
index bd2b5cdf1..a4da6c7c9 100644
--- a/src/test/test_confparse.c
+++ b/src/test/test_confparse.c
@@ -488,6 +488,8 @@ test_confparse_assign_badval(void *arg)
static const badval_test_t bv_notint = { "pos X\n", "malformed" };
static const badval_test_t bv_negint = { "pos -10\n", "out of bounds" };
static const badval_test_t bv_badu64 = { "u64 u64\n", "malformed" };
+static const badval_test_t bv_dbl1 = { "dbl xxx\n", "Could not convert" };
+static const badval_test_t bv_dbl2 = { "dbl 1.0 xx\n", "Could not convert" };
static const badval_test_t bv_badcsvi1 =
{ "csv_interval 10 wl\n", "malformed" };
static const badval_test_t bv_badcsvi2 =
@@ -1045,6 +1047,8 @@ struct testcase_t confparse_tests[] = {
BADVAL_TEST(notint),
BADVAL_TEST(negint),
BADVAL_TEST(badu64),
+ BADVAL_TEST(dbl1),
+ BADVAL_TEST(dbl2),
BADVAL_TEST(badcsvi1),
BADVAL_TEST(badcsvi2),
BADVAL_TEST(nonoption),