[tor-bugs] #29175 [Core Tor/Tor]: Tor 0.3.5.x mishandles empty socks5 auth
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jan 25 04:21:12 UTC 2019
#29175: Tor 0.3.5.x mishandles empty socks5 auth
--------------------------------------+------------------------------------
Reporter: arma | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.4.0.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: regression, backport-035 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+------------------------------------
Comment (by yawning):
Rejecting malformed username/password authentication attempts is the
correct behavior.
> {{{ send <Buffer 01 00 00> [00 = zero length username, 00 = zero length
password] }}}
Both UNAME and PASSWD are explicitly specified as 1 to 255 octets long.
Fix the client library.
See:
* https://tools.ietf.org/html/rfc1929
* https://www.ietf.org/archive/id/draft-thomson-postel-was-wrong-03.txt
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29175#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list