[tor-commits] [tor/master] Don't allow tor2web-mode Tors to connect to non-HS addresses

nickm at torproject.org nickm at torproject.org
Wed Nov 30 19:56:17 UTC 2011


commit ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c
Author: Robert Ransom <rransom.8774 at gmail.com>
Date:   Tue May 31 07:05:40 2011 -0700

    Don't allow tor2web-mode Tors to connect to non-HS addresses
    
    The client's anonymity when accessing a non-HS address in tor2web-mode
    would be easily nuked by inserting an inline image with a .onion URL, so
    don't even pretend to access non-HS addresses through Tor.
---
 src/or/connection_edge.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index efaad79..bba666d 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1892,6 +1892,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
       return -1;
     }
 
+    if (options->Tor2webMode) {
+      log_warn(LD_APP, "Refusing to connect to non-hidden-service hostname %s "
+               "because tor2web mode is enabled.",
+               safe_str_client(socks->address));
+      connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+      return -1;
+    }
+
     if (socks->command == SOCKS_COMMAND_RESOLVE) {
       uint32_t answer;
       struct in_addr in;
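
Review bot: the new `if (options->Tor2webMode)` block carries no comment explaining why non-hidden-service addresses are refused. The rationale (an inline image with a .onion URL would break the client's anonymity) lives only in the commit message, so a short comment above the check would keep it next to the code. Because the block sits ahead of the `socks->command == SOCKS_COMMAND_RESOLVE` branch, it also rejects resolve requests, while the log text says "Refusing to connect"; either reword the message to cover both cases or say so in the comment. The `log_warn` fires once per refused request, which a local application can trigger repeatedly, so consider rate-limiting it. The diffstat lists only src/or/connection_edge.c, so the Tor2webMode documentation should mention this refusal if it does not already.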




