[tor-bugs] #17027 [Tor]: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local addresses
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 15 07:03:51 UTC 2015
#17027: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local
addresses
-------------------------+-------------------------------------------------
Reporter: teor | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version: Tor: unspecified
Resolution: | Keywords: TorCoreTeam201509 security
Actual Points: | 026-backport
Points: | Parent ID:
-------------------------+-------------------------------------------------
Changes (by teor):
* version: Tor: 0.2.7.2-alpha => Tor: unspecified
Comment:
Further notes:
This is a patch on 42b8fb5a1523 (11 Nov 2007), released in 0.2.0.11-alpha.
This fix will automatically benefit from changes that find more
interfaces/addresses, perhaps #12377 will do this for some platforms.
We should log an info-level (notice?) message for each address blocked
Internal addresses are blocked anyway by `reject private *:*`, so this
patch doesn't need to block them.
This change will include all addresses in non-internal blocks in the
publicly available exit policy, but these addresses are typically globally
visible on the Internet anyway. I believe the security benefits outweigh
the small risk of leaking public server addresses from unusual
configurations (and operators can always set `ExitPolicyRejectPrivate 0`
and block only the private and server addresses they want to block).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17027#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list