commit 066ad19d4a13a3ba5f3c4512fb3f257de99fa56a Author: Mike Perry mikeperry-git@torproject.org Date: Thu Jun 25 12:58:44 2015 -0700
Bug 16430: Backport Tor patch to allow DNS names with _ --- gitian/descriptors/linux/gitian-tor.yml | 2 + gitian/descriptors/mac/gitian-tor.yml | 2 + gitian/descriptors/windows/gitian-tor.yml | 2 + gitian/patches/bug16430.patch | 93 +++++++++++++++++++++++++++++ 4 files changed, 99 insertions(+)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml index 617e8df..e62a1f0 100644 --- a/gitian/descriptors/linux/gitian-tor.yml +++ b/gitian/descriptors/linux/gitian-tor.yml @@ -22,6 +22,7 @@ files: - "bug8402-master.patch" - "bug8405.patch" - "bug15482.patch" +- "bug16430.patch" - "dzip.sh" - "openssl-linux32-utils.zip" - "openssl-linux64-utils.zip" @@ -83,6 +84,7 @@ script: | git am ~/build/bug8402-master.patch else git am ~/build/bug15482.patch + git am ~/build/bug16430.patch fi mkdir -p $OUTDIR/src #git archive HEAD | tar -x -C $OUTDIR/src diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml index b3e4425..d305ff7 100644 --- a/gitian/descriptors/mac/gitian-tor.yml +++ b/gitian/descriptors/mac/gitian-tor.yml @@ -18,6 +18,7 @@ files: - "bug8402-master.patch" - "bug8405.patch" - "bug15482.patch" +- "bug16430.patch" - "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb" - "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz" - "dzip.sh" @@ -61,6 +62,7 @@ script: | git am ~/build/bug8402-master.patch else git am ~/build/bug15482.patch + git am ~/build/bug16430.patch fi mkdir -p $OUTDIR/src #git archive HEAD | tar -x -C $OUTDIR/src diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml index edcc091..22fda90 100644 --- a/gitian/descriptors/windows/gitian-tor.yml +++ b/gitian/descriptors/windows/gitian-tor.yml @@ -18,6 +18,7 @@ files: - "bug8402-master.patch" - "bug8405.patch" - "bug15482.patch" +- "bug16430.patch" - "binutils.tar.bz2" - "dzip.sh" - "mingw-w64-win32-utils.zip" @@ -61,6 +62,7 @@ script: | git am ~/build/bug8402-master.patch else git am ~/build/bug15482.patch + git am ~/build/bug16430.patch fi mkdir -p $OUTDIR/src #git archive HEAD | tar -x -C $OUTDIR/src diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch new file mode 100644 index 0000000..81bbe3e --- /dev/null +++ b/gitian/patches/bug16430.patch @@ -0,0 +1,93 @@ +From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001 +From: Yawning Angel yawning@schwanenlied.me +Date: Wed, 24 Jun 2015 13:52:29 +0000 +Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS + checks. + +RFC 952 is approximately 30 years old, and people are failing to comply, +by serving A records with '_' as part of the hostname. Since relaxing +the check is a QOL improvement for our userbase, relax the check to +allow such abominations as destinations, especially since there are +likely to be other similarly misconfigured domains out there. +--- + changes/bug16430 | 4 ++++ + src/common/util.c | 7 +++++-- + src/test/test_util.c | 9 +++++++-- + 3 files changed, 16 insertions(+), 4 deletions(-) + create mode 100644 changes/bug16430 + +diff --git a/changes/bug16430 b/changes/bug16430 +new file mode 100644 +index 0000000..ca7b874 +--- /dev/null ++++ b/changes/bug16430 +@@ -0,0 +1,4 @@ ++ o Minor features (client): ++ - Relax the validation done to hostnames in SOCKS5 requests, and allow ++ '_' to cope with domains observed in the wild that are serving non-RFC ++ compliant records. Resolves ticket 16430. +diff --git a/src/common/util.c b/src/common/util.c +index 942d0c2..4490150 100644 +--- a/src/common/util.c ++++ b/src/common/util.c +@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string) + + /** Return true iff <b>string</b> matches a pattern of DNS names + * that we allow Tor clients to connect to. ++ * ++ * Note: This allows certain technically invalid characters ('_') to cope ++ * with misconfigured zones that have been encountered in the wild. + */ + int + string_is_valid_hostname(const char *string) +@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string) + smartlist_split_string(components,string,".",0,0); + + SMARTLIST_FOREACH_BEGIN(components, char *, c) { +- if (c[0] == '-') { ++ if ((c[0] == '-') || (*c == '_')) { + result = 0; + break; + } +@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string) + if ((*c >= 'a' && *c <= 'z') || + (*c >= 'A' && *c <= 'Z') || + (*c >= '0' && *c <= '9') || +- (*c == '-')) ++ (*c == '-') || (*c == '_')) + c++; + else + result = 0; +diff --git a/src/test/test_util.c b/src/test/test_util.c +index b0366db..0f64c26 100644 +--- a/src/test/test_util.c ++++ b/src/test/test_util.c +@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg) + tt_assert(string_is_valid_hostname("stanford.edu")); + tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp")); + +- // Subdomain name cannot start with '-'. ++ // Subdomain name cannot start with '-' or '_'. + tt_assert(!string_is_valid_hostname("-torproject.org")); + tt_assert(!string_is_valid_hostname("subdomain.-domain.org")); + tt_assert(!string_is_valid_hostname("-subdomain.domain.org")); ++ tt_assert(!string_is_valid_hostname("___abc.org")); + + // Hostnames cannot contain non-alphanumeric characters. + tt_assert(!string_is_valid_hostname("%%domain.\org.")); + tt_assert(!string_is_valid_hostname("***x.net")); +- tt_assert(!string_is_valid_hostname("___abc.org")); + tt_assert(!string_is_valid_hostname("\xff\xffxyz.org")); + tt_assert(!string_is_valid_hostname("word1 word2.net")); + ++ // Test workaround for nytimes.com stupidity, technically invalid, ++ // but we allow it since they are big, even though they are failing to ++ // comply with a ~30 year old standard. ++ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com")); ++ + // XXX: do we allow single-label DNS names? + + done: +-- +1.9.1 +