[tor-bugs] #18938 [Core Tor/Tor]: Authorities should reject non-UTF-8 content in ExtraInfo descriptors

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 30 01:42:02 UTC 2018


#18938: Authorities should reject non-UTF-8 content in ExtraInfo descriptors
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:  neel
     Type:  defect                               |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  needs-proposal, tor-dirauth, needs-  |  Actual Points:
  spec, easy, 034-triage-20180328,               |
  034-removed-20180328                           |
Parent ID:  #24033                               |         Points:  1
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by neel):

 I have a few questions:

 1. As prop285 already exists, I assume I don't need to make a proposal. Is
 this correct?
 2. Should I put this in `dirserv_add_extrainfo()`?
 3. In extrainfo_t, should I check that cache_info.signed_descriptor_body
 is UTF-8, and if it isn't, I should reject the descriptor?
 4. I don't think there is any library for checking for UTF-8 text in Tor.
 Can I include external library from GitHub (I am thinking about using
 https://github.com/chansen/c-utf8-valid) and modify it to fit with Tor
 (meaning including it in `src/ext`, not linking to another library an
 adding a dependency)? Is there going to be a security issue with a third-
 party library?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18938#comment:38>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list