commit 53ce6bb52d29e80c7efd29b8604bdd680c9515ea Author: Robert Hogan robert@roberthogan.net Date: Mon Dec 27 17:35:16 2010 +0000

Address nickm's comments at https://trac.torproject.org/projects/tor/ticket/933#comment:8

1. Only allow '*.' in MapAddress expressions. Ignore '*ample.com' and '.example.com'. This has resulted in a slight refactoring of config_register_addressmaps. 2. Add some more detail to the man page entry for AddressMap. 3. Fix initialization of a pointer to NULL rather than 0. 4. Update the unit tests to cater for the changes in 1 and test more explicitly for recursive mapping. --- doc/tor.1.txt | 41 +++++++++++++++++++++++++----- src/or/config.c | 62 ++++++++++++++++++++++++++++----------------- src/or/connection_edge.c | 2 +- src/test/test_config.c | 31 +++++++++++++++++------ 4 files changed, 96 insertions(+), 40 deletions(-)

diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 1c9d387..eb79452 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -658,15 +658,42 @@ The following options are useful only for clients (that is, if When a request for address arrives to Tor, it will rewrite it to newaddress before processing it. For example, if you always want connections to www.indymedia.org to exit via __torserver__ (where __torserver__ is the - nickname of the server), use "MapAddress www.indymedia.org - www.indymedia.org.torserver.exit". If the value is prepended with a '*.', - it is treated as matching an entire domain. For example, if you always - want connections to any sub-domain of indymedia.org to exit via + nickname of the server), use MapAddress www.indymedia.org + www.indymedia.org.torserver.exit. If the value is prepended with a + '*.', it is treated as matching an entire domain. For example, if you + always want connections to any sub-domain of indymedia.org to exit via __torserver__ (where __torserver__ is the nickname of the server), use - "MapAddress *.indymedia.org *.indymedia.org.torserver.exit". (Note the + MapAddress *.indymedia.org *.indymedia.org.torserver.exit. (Note the leading '*.' in each part of the directive.) You can also redirect all - subdomains of a domain to a single address. For example, "MapAddress - *.indymedia.org www.indymedia.org". + subdomains of a domain to a single address. For example, MapAddress + *.indymedia.org www.indymedia.org. + + + + NOTES: + + 1. When evaluating MapAddress expressions Tor stops when it hits the most + recently added expression that matches the requested address. So if you + have the following in your torrc, www.torproject.org will map to 1.1.1.1: + + MapAddress www.torproject.org 2.2.2.2 + MapAddress www.torproject.org 1.1.1.1 + + 2. Tor evaluates the MapAddress configuration until it finds no matches. So + if you have the following in your torrc, www.torproject.org will map to + 2.2.2.2: + + MapAddress www.torproject.org 3.3.3.3 + MapAddress 1.1.1.1 4.4.4.4 + MapAddress 1.1.1.1 2.2.2.2 + MapAddress www.torproject.org 1.1.1.1 + + 3. The following MapAddress expression is invalid (and will be + ignored) because you cannot map from a specific address to a wildcarded + address: + + MapAddress www.torproject.org *.torproject.org.torserver.exit + + 4. Using a wildcard as a regular expression (e.g. *ample.com) is + also invalid.

**NewCircuitPeriod** __NUM__:: Every NUM seconds consider whether to build a new circuit. (Default: 30 diff --git a/src/or/config.c b/src/or/config.c index 1744b84..1d42413 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -4461,33 +4461,47 @@ config_register_addressmaps(const or_options_t *options) for (opt = options->AddressMap; opt; opt = opt->next) { smartlist_split_string(elts, opt->value, NULL, SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2); - if (smartlist_len(elts) >= 2) { - from = smartlist_get(elts,0); - to = smartlist_get(elts,1); - - /* Remove leading asterisk in expressions of type: '*.example.com' */ - if (from[0] == '*' && strlen(from) > 1) - from++; - if (to[0] == '*' && strlen(to) > 1) - to++; - if (to[0] == '.' && from[0] != '.') { - log_warn(LD_CONFIG, - "Skipping invalid argument '%s' to MapAddress: " - "can only use wildcard (i.e. '.' or '*.') if 'from' address " - "uses wildcard also", to); - } else if (address_is_invalid_destination(to, 1)) { - log_warn(LD_CONFIG, - "Skipping invalid argument '%s' to MapAddress", to); - } else { - addressmap_register(from, tor_strdup(to), 0, ADDRMAPSRC_TORRC); - if (smartlist_len(elts)>2) { - log_warn(LD_CONFIG,"Ignoring extra arguments to MapAddress."); - } - } - } else { + if (smartlist_len(elts) < 2) { log_warn(LD_CONFIG,"MapAddress '%s' has too few arguments. Ignoring.", opt->value); + goto cleanup; + } + + from = smartlist_get(elts,0); + to = smartlist_get(elts,1); + + if (to[0] == '.' || from[0] == '.') { + log_warn(LD_CONFIG,"MapAddress '%s' is ambiguous - address starts with a" + "'.'. Ignoring.",opt->value); + goto cleanup; + } + + /* Remove leading asterisk in expressions of type: '*.example.com' */ + if (!strncmp(from,"*.",2)) + from++; + if (!strncmp(to,"*.",2)) + to++; + + if (to[0] == '.' && from[0] != '.') { + log_warn(LD_CONFIG, + "Skipping invalid argument '%s' to MapAddress: " + "can only use wildcard (i.e. '*.') if 'from' address " + "uses wildcard also", to); + goto cleanup; + } + + if (address_is_invalid_destination(to, 1)) { + log_warn(LD_CONFIG, + "Skipping invalid argument '%s' to MapAddress", to); + goto cleanup; } + + addressmap_register(from, tor_strdup(to), 0, ADDRMAPSRC_TORRC); + + if (smartlist_len(elts) > 2) + log_warn(LD_CONFIG,"Ignoring extra arguments to MapAddress."); + + cleanup: SMARTLIST_FOREACH(elts, char*, cp, tor_free(cp)); smartlist_clear(elts); } diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 2c8c9da..284b320 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1052,7 +1052,7 @@ addressmap_match_superdomains(char *address) const char *key; void *_val; addressmap_entry_t *val; - char *matched_domains = 0; + char *matched_domains = NULL;

for (iter = strmap_iter_init(addressmap); !strmap_iter_done(iter); ) { strmap_iter_get(iter, &key, &_val); diff --git a/src/test/test_config.c b/src/test/test_config.c index a7b5d03..8880bd0 100644 --- a/src/test/test_config.c +++ b/src/test/test_config.c @@ -15,9 +15,11 @@ test_config_addressmap(void) char buf[1024]; char address[256]; time_t expires = TIME_MAX; - strlcpy(buf, "MapAddress .google.com .torserver.exit\n" + strlcpy(buf, "MapAddress .invalidwildcard.com *.torserver.exit\n" // invalid + "MapAddress *invalidasterisk.com *.torserver.exit\n" // invalid + "MapAddress *.google.com *.torserver.exit\n" "MapAddress *.yahoo.com *.google.com.torserver.exit\n" - "MapAddress .cn.com www.cnn.com\n" + "MapAddress *.cn.com www.cnn.com\n" "MapAddress *.cnn.com www.cnn.com\n" "MapAddress ex.com www.cnn.com\n" "MapAddress ey.com *.cnn.com\n" @@ -27,6 +29,7 @@ test_config_addressmap(void) "MapAddress test.torproject.org 2.2.2.2\n" "MapAddress www.google.com 3.3.3.3\n" "MapAddress www.example.org 4.4.4.4\n" + "MapAddress 4.4.4.4 7.7.7.7\n" "MapAddress 4.4.4.4 5.5.5.5\n" "MapAddress www.infiniteloop.org 6.6.6.6\n" "MapAddress 6.6.6.6 www.infiniteloop.org\n" @@ -35,6 +38,14 @@ test_config_addressmap(void) config_get_lines(buf, &(get_options()->AddressMap)); config_register_addressmaps(get_options());

+ /* MapAddress .invalidwildcard.com .torserver.exit - no match */ + strlcpy(address, "www.invalidwildcard.com", sizeof(address)); + test_assert(!addressmap_rewrite(address, sizeof(address), &expires)); + + /* MapAddress *invalidasterisk.com .torserver.exit - no match */ + strlcpy(address, "www.invalidasterisk.com", sizeof(address)); + test_assert(!addressmap_rewrite(address, sizeof(address), &expires)); + /* Where no mapping for FQDN match on top-level domain */ /* MapAddress .google.com .torserver.exit */ strlcpy(address, "reader.google.com", sizeof(address)); @@ -81,7 +92,11 @@ test_config_addressmap(void) test_assert(addressmap_rewrite(address, sizeof(address), &expires)); test_streq(address, "2.2.2.2");

- /* Test a chain of address mappings */ + /* Test a chain of address mappings and the order in which they were added: + "MapAddress www.example.org 4.4.4.4" + "MapAddress 4.4.4.4 7.7.7.7" + "MapAddress 4.4.4.4 5.5.5.5" + */ strlcpy(address, "www.example.org", sizeof(address)); test_assert(addressmap_rewrite(address, sizeof(address), &expires)); test_streq(address, "5.5.5.5"); @@ -97,9 +112,9 @@ test_config_addressmap(void)

/* Test top-level-domain matching a bit harder */ addressmap_clear_configured(); - strlcpy(buf, "MapAddress .com .torserver.exit\n" - "MapAddress .torproject.org 1.1.1.1\n" - "MapAddress .net 2.2.2.2\n" + strlcpy(buf, "MapAddress *.com *.torserver.exit\n" + "MapAddress *.torproject.org 1.1.1.1\n" + "MapAddress *.net 2.2.2.2\n" , sizeof(buf)); config_get_lines(buf, &(get_options()->AddressMap)); config_register_addressmaps(get_options()); @@ -124,9 +139,9 @@ test_config_addressmap(void) test_assert(addressmap_rewrite(address, sizeof(address), &expires)); test_streq(address, "2.2.2.2");

- /* We don't support '.' as a mapping directive */ + /* We don't support '*' as a mapping directive */ addressmap_clear_configured(); - strlcpy(buf, "MapAddress . .torserver.exit\n", sizeof(buf)); + strlcpy(buf, "MapAddress * *.torserver.exit\n", sizeof(buf)); config_get_lines(buf, &(get_options()->AddressMap)); config_register_addressmaps(get_options());