This is an automated email from the git hooks/post-receive script.
dgoulet pushed a change to branch main in repository tor.
from 637213fce3 Merge branch 'maint-0.4.7'
new a282145b36 socks: Make SafeSocks refuse SOCKS4 and accept SOCKS4a
new 7b83e336ec Merge branch 'ticket40730_045_01' into maint-0.4.5
new 0df4083299 Merge branch 'maint-0.4.5' into maint-0.4.7
new 610b791aa6 Merge branch 'maint-0.4.7'
The 4 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
Summary of changes:
changes/ticket40730 | 5 +++++
src/core/proto/proto_socks.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
create mode 100644 changes/ticket40730
dgoulet pushed a commit to branch main in repository tor.
commit a282145b3634547ab84ccd959d0537c021ff7ffc
Author: David Goulet dgoulet@torproject.org
AuthorDate: Mon Dec 12 10:02:07 2022 -0500
socks: Make SafeSocks refuse SOCKS4 and accept SOCKS4a
The logic was inverted. Introduced in commit 9155e08450fe7a609f8223202e8aa7dfbca20a6d.
This was reported through our bug bounty program on H1. It fixes the TROVE-2022-002.
Fixes #40730
Signed-off-by: David Goulet dgoulet@torproject.org
---
changes/ticket40730 | 5 +++++
src/core/proto/proto_socks.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/changes/ticket40730 b/changes/ticket40730 new file mode 100644 index 0000000000..f6d4c9de3b --- /dev/null +++ b/changes/ticket40730 @@ -0,0 +1,5 @@ + o Major bugfixes (TROVE-2022-002, client): + - The SafeSocks option had its logic inverted for SOCKS4 and SOCKS4a. It + would let the unsafe SOCKS4 pass but not the safe SOCKS4a one. This is + TROVE-2022-002 which was reported on Hackerone by "cojabo". Fixes bug + 40730; bugfix on 0.3.5.1-alpha. diff --git a/src/core/proto/proto_socks.c b/src/core/proto/proto_socks.c index a7ee190b3f..97863d389e 100644 --- a/src/core/proto/proto_socks.c +++ b/src/core/proto/proto_socks.c @@ -233,7 +233,7 @@ static socks_result_t process_socks4_request(const socks_request_t *req, int is_socks4a, int log_sockstype, int safe_socks) { - if (is_socks4a && !addressmap_have_mapping(req->address, 0)) { + if (!is_socks4a && !addressmap_have_mapping(req->address, 0)) { log_unsafe_socks_warning(4, req->address, req->port, safe_socks);
if (safe_socks)
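Review bot: The corrected condition in process_socks4_request(), `if (!is_socks4a && !addressmap_have_mapping(req->address, 0))`, lands without a regression test: the diffstat lists only changes/ticket40730 and src/core/proto/proto_socks.c. The commit message says the logic was inverted by an earlier commit, so a unit test that drives this path with safe_socks set, and asserts that a plain SOCKS4 request with no address mapping is refused while a SOCKS4a request is accepted, would keep the check from being flipped again unnoticed. A one-line comment above the condition stating that only non-4a requests are treated as unsafe would also help, since the whole fix is the difference between `is_socks4a` and `!is_socks4a` and that is easy to misread.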
dgoulet pushed a commit to branch main in repository tor.
commit 7b83e336ec4a1d137d6400f4d501c9a73835e34d
Merge: 85547a9b5b a282145b36
Author: David Goulet dgoulet@torproject.org
AuthorDate: Thu Jan 12 10:52:31 2023 -0500
Merge branch 'ticket40730_045_01' into maint-0.4.5
changes/ticket40730 | 5 +++++
src/core/proto/proto_socks.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
dgoulet pushed a commit to branch main in repository tor.
commit 0df4083299970674b4f399d3d85c6eab22cb8c7d
Merge: f2e9ce72d6 7b83e336ec
Author: David Goulet dgoulet@torproject.org
AuthorDate: Thu Jan 12 10:52:35 2023 -0500
Merge branch 'maint-0.4.5' into maint-0.4.7
changes/ticket40730 | 5 +++++
src/core/proto/proto_socks.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
dgoulet pushed a commit to branch main in repository tor.
commit 610b791aa6d148fcaea149738f667695587cbfbf
Merge: 637213fce3 0df4083299
Author: David Goulet dgoulet@torproject.org
AuthorDate: Thu Jan 12 10:52:35 2023 -0500
Merge branch 'maint-0.4.7'
changes/ticket40730 | 5 +++++
src/core/proto/proto_socks.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
tor-commits@lists.torproject.org