commit 382a28951fc4830bc0cbc1ad781a5ba1e9d323cc Author: teor (Tim Wilson-Brown) teor2345@gmail.com Date: Fri Apr 1 00:29:46 2016 +1100
Check onion hostnames against client port flags
Check NoOnionTraffic before attaching a stream.
NoOnionTraffic refuses connections to all onion hostnames, but permits non-onion hostnames and IP addresses.
---
 src/or/connection_edge.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 32272ec..4d615e8 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1708,6 +1708,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
 /* If we get here, it's a request for a .onion address! */
 tor_assert(!automap);
+ /* If .onion address requests are disabled, refuse the request */
+ if (!conn->entry_cfg.onion_traffic) {
+ log_warn(LD_APP, "Onion address %s requested from a port with .onion "
+ "disabled", safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+
 /* Check whether it's RESOLVE or RESOLVE_PTR. We don't handle those
 * for hidden service addresses. */
 if (SOCKS_COMMAND_IS_RESOLVE(socks->command)) {
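Review bot: The `log_warn(LD_APP, ...)` in the new `!conn->entry_cfg.onion_traffic` branch is emitted once per refused request, so an application that keeps sending .onion names to a port with onion traffic disabled can fill the log at warn severity. Consider rate-limiting it, for example `static ratelim_t onion_refused_ratelim = RATELIM_INIT(600);` followed by `log_fn_ratelim(&onion_refused_ratelim, LOG_WARN, LD_APP, ...)` with the same format string and arguments. The address is already passed through `safe_str_client()`, and any rewrite should keep that so the hostname is not logged in clear when log scrubbing is enabled. The message would also be easier to act on if it named the listener the request arrived on; whether that is reachable from `conn` cannot be seen here, because connection_ap_handshake_rewrite_and_attach starts and ends outside the hunk.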