[tor-bugs] #12930 [Obfuscation/Pluggable transport]: Someone, somewhere needs to unescape pluggable transport "SMETHOD ARGS" arguments.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 27 18:55:47 UTC 2017
#12930: Someone, somewhere needs to unescape pluggable transport "SMETHOD ARGS"
arguments.
---------------------------------------------+---------------------
Reporter: yawning | Owner: asn
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/Pluggable transport | Version:
Severity: Normal | Resolution:
Keywords: goptlib | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------------------------------+---------------------
Comment (by catalyst):
If there are to be any code changes, they should probably be in the
BridgeDB implementation and maybe the pluggable transport client of `tor`.
I like the idea of using something like Bourne shell variable syntax,
e.g., `a=b=c` sets `$a` to the string `b=c`. Variable (key) names may not
contain `=` but values may, without needing quoting or escaping. I know
obfs4 worked around the `=` escaping problem by using unpadded base64, but
could other transports need `=` in argument values in the future? (maybe
as query parameters to URLs?)
Here's how I understand the existing data flow:
1. `SMETHOD ARGS`
- comma-separated key=value pairs
- `,` and `=` (but not `\` -- at least not consistently, e.g. goptlib)
escaped by `\` ([https://gitweb.torproject.org/torspec.git/tree/pt-
spec.txt#n566 pt-spec.txt#n566])
- no provision for escaping whitespace
2. `transport` lines in `extra-info`
- comma-separated key=value pairs
([https://gitweb.torproject.org/torspec.git/tree/bridgedb-spec.txt#n113
bridgedb-spec.txt#n113])
- no specification for escaping any characters
- apparently copied unchanged from `SMETHOD ARGS`
([https://gitweb.torproject.org/tor.git/tree/src/or/transports.c#n1624
transports.c#n1624]) apart from deleting the `ARGS:` prefix.
3. BridgeDB (as output to users)
- space-separated key=value pairs
([https://gitweb.torproject.org/torspec.git/tree/bridgedb-spec.txt#n350
bridgedb-spec.txt#n350])
- no specification for escaping any characters
4. `Bridge` line in `torrc` or Tor Browser config dialog
- space-separated key=value pairs
- no specification for escaping any characters
5. encoded in SOCKS username/password
- semicolon-separated key=value pairs
- `;`, `=`, and `\` escaped by `\`
([https://gitweb.torproject.org/torspec.git/tree/pt-spec.txt#n638 pt-
spec.txt#n638])
- currently, `transports.c` doesn't escape `=`, contrary to spec
([https://gitweb.torproject.org/tor.git/tree/src/or/transports.c#n1668
transports.c#n1668])
- on the other hand,
[https://gitweb.torproject.org/torspec.git/tree/proposals/180-pluggable-
transport.txt#n157 180-pluggable-transport.txt#n157] doesn't specify
escaping of `=` when sending to the transport's SOCKS proxy, so maybe this
can remain unchanged
Proposed spec changes will go in a separate ticket.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12930#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list