[tor-bugs] #13071 [Tor]: [patch] tor 0.2.6 sometimes fails to escape logged directory requests
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 6 11:18:51 UTC 2014
#13071: [patch] tor 0.2.6 sometimes fails to escape logged directory requests
--------------------+------------------------------------
Reporter: teor | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version: Tor: 0.2.5.5-alpha
Keywords: | Actual Points:
Parent ID: | Points:
--------------------+------------------------------------
tor 0.2.6 (git Jul - Sep 2014) sometimes writes (parts of) directory
requests directly to the log without escaping them. This can lead to
arbitrary characters being written to the log.
The attached test case should be run using:
cat tor_log_bell.http | nc -c tor-directory-ip tor-directory-port
A url-encoded version of the file is supplied in case the random garbage
turns into sensible garbage in transit.
Running this test case on a tor directory logging "[debug] {DIRSERV}"
would normally write a URL that ends in random garbage (including the BEL
character) to the log. The bell makes the failure of the test easy to
identify when reading the log from a terminal with an audible or visual
bell.
After applying this patch, tor writes:
(time and date) [debug] {DIRSERV} int
directory_handle_command_get(dir_connection_t *, const char *, const char
*, size_t)(): rewritten url as
'"/tor/server/fp/\014\303\266\302\220\302\2379L(\303\274\302\266\"\303\200\303\220\302\210&\303\226\302\261\034\007\006\302\217\303\264\302\234\302\257\302\267\302\245\303\273\302\257\302\265o\030\302\210d7A\302\233<\302\263\302\2148H"'.
(No bell sound occurs.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13071>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list