[tor-bugs] #12930 [Obfuscation/Pluggable transport]: Someone, somewhere needs to unescape pluggable transport "SMETHOD ARGS" arguments.

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 27 19:59:12 UTC 2017 

#12930: Someone, somewhere needs to unescape pluggable transport "SMETHOD ARGS"
arguments.
---------------------------------------------+---------------------
 Reporter:  yawning                          |          Owner:  asn
     Type:  defect                           |         Status:  new
 Priority:  Medium                           |      Milestone:
Component:  Obfuscation/Pluggable transport  |        Version:
 Severity:  Normal                           |     Resolution:
 Keywords:  goptlib                          |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+---------------------

Comment (by catalyst):

 Replying to [comment:11 dcf]:
 > Replying to [comment:10 catalyst]:
 > > 1.  `SMETHOD ARGS`
 >
 > Is there a place where goptlib doesn't escape `\`? If so it is probably
 a bug. `\` has to be escaped in order to make the escaping reversible,
 even though the spec doesn't explicitly call for it ("Equal signs and
 commas MUST be escaped with a backslash"); my comment in goptlib
 interpolates "[and backslashes]".
 I think we're actually in agreement.  I meant that goptlib does something
 (escaping `\`) that the spec doesn't call for.  I think the escaping is
 reversible even if `\` isn't escaped, as long as everyone is consistent
 (which I think they aren't).  It's more robust to have a syntax where `\`
 gets escaped though, particularly if characters can be optionally escaped.

 > > 5. encoded in SOCKS username/password
 >
 > Here, I felt that the lack of backslashing equals signs was a bug in the
 spec and interpolated into a comment above `parseClientParameters`:
 > {{{
 > // "If a key or value value must contain [an equals sign or] a semicolon
 > // or a backslash, it is escaped with a backslash."
 > }}}
 I would tend to agree, but see #22088 for a possible way to update the
 specs to avoid escaping `=`.  Note that to make `tor` conform to the
 current spec (which requires `=` to be escaped), it might need to do
 additional parsing of the PT arguments (to split them into pairs of keys
 and values) beyond what it does now (treating them as a sequence of space-
 separated words each of which contains an `=` character).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12930#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list