[tor-bugs] #17901 [Core Tor/Tor]: Tor would bind ControlPort to public ip address if it has no localhost interface
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Mar 8 17:12:33 UTC 2018
#17901: Tor would bind ControlPort to public ip address if it has no localhost
interface
-------------------------------------------------+-------------------------
Reporter: s7r | Owner: (none)
Type: defect | Status: new
Priority: High | Milestone: Tor:
| unspecified
Component: Core Tor/Tor | Version: Tor:
| 0.2.6.10
Severity: Major | Resolution:
Keywords: tor-control misconfiguration | Actual Points:
security easy |
Parent ID: | Points: 3
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by fristonio):
If I got the issue right then, since ControlPort offers total control over
tor we should not let it bind when the port is publicly exposed or when
there is no loopback interface available. So to implement this we need to
use the functions attached here by teor and then check if loopback address
is available when we bind ControlPort using these functions, and close tor
if check fails with a warning that it is dangerous.
Can I work on this?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17901#comment:45>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list