[tor-commits] [tor-browser-bundle/maint-4.5] Bug 16430: Backport Tor patch to allow DNS names with _

mikeperry at torproject.org mikeperry at torproject.org
Thu Jun 25 19:59:45 UTC 2015


commit 2c3f85664eda04e9a942d56d1c56ff2cc7d2de83
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Thu Jun 25 12:58:44 2015 -0700

    Bug 16430: Backport Tor patch to allow DNS names with _
---
 gitian/descriptors/linux/gitian-tor.yml   |    2 +
 gitian/descriptors/mac/gitian-tor.yml     |    2 +
 gitian/descriptors/windows/gitian-tor.yml |    2 +
 gitian/patches/bug16430.patch             |   93 +++++++++++++++++++++++++++++
 4 files changed, 99 insertions(+)

diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index b218486..b95bcf5 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -22,6 +22,7 @@ files:
 - "bug8402-master.patch"
 - "bug8405.patch"
 - "bug15482.patch"
+- "bug16430.patch"
 - "dzip.sh"
 - "openssl-linux32-utils.zip"
 - "openssl-linux64-utils.zip"
@@ -83,6 +84,7 @@ script: |
       git am ~/build/bug8402-master.patch
   else
       git am ~/build/bug15482.patch
+      git am ~/build/bug16430.patch
   fi
   mkdir -p $OUTDIR/src
   #git archive HEAD | tar -x -C $OUTDIR/src
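Review bot: The new `git am ~/build/bug16430.patch` line sits only in the `else` branch, so a build that takes the first branch (the one applying `bug8402-master.patch`) does not get the hostname change from this descriptor. The `if` condition is outside the hunk; if that branch builds from a tree that already contains the fix, a short comment above the line would record it, for example `# bug16430 is applied here only; the other branch is expected to carry it already`. Whether a failed `git am` stops the build depends on shell options that are not visible in this hunk, so it is worth confirming the script aborts on a patch that does not apply. The same applies to the matching `script:` hunks in gitian/descriptors/mac/gitian-tor.yml and gitian/descriptors/windows/gitian-tor.yml.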
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 3d0e0c6..8a7d333 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -18,6 +18,7 @@ files:
 - "bug8402-master.patch"
 - "bug8405.patch"
 - "bug15482.patch"
+- "bug16430.patch"
 - "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
 - "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
 - "dzip.sh"
@@ -61,6 +62,7 @@ script: |
       git am ~/build/bug8402-master.patch
   else
       git am ~/build/bug15482.patch
+      git am ~/build/bug16430.patch
   fi
   mkdir -p $OUTDIR/src
   #git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 87e1dc2..c47982e 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -18,6 +18,7 @@ files:
 - "bug8402-master.patch"
 - "bug8405.patch"
 - "bug15482.patch"
+- "bug16430.patch"
 - "binutils.tar.bz2"
 - "dzip.sh"
 - "mingw-w64-win32-utils.zip"
@@ -61,6 +62,7 @@ script: |
       git am ~/build/bug8402-master.patch
   else
       git am ~/build/bug15482.patch
+      git am ~/build/bug16430.patch
   fi
   mkdir -p $OUTDIR/src
   #git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
new file mode 100644
index 0000000..81bbe3e
--- /dev/null
+++ b/gitian/patches/bug16430.patch
@@ -0,0 +1,93 @@
+From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
+From: Yawning Angel <yawning at schwanenlied.me>
+Date: Wed, 24 Jun 2015 13:52:29 +0000
+Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
+ checks.
+
+RFC 952 is approximately 30 years old, and people are failing to comply,
+by serving A records with '_' as part of the hostname.  Since relaxing
+the check is a QOL improvement for our userbase, relax the check to
+allow such abominations as destinations, especially since there are
+likely to be other similarly misconfigured domains out there.
+---
+ changes/bug16430     | 4 ++++
+ src/common/util.c    | 7 +++++--
+ src/test/test_util.c | 9 +++++++--
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+ create mode 100644 changes/bug16430
+
+diff --git a/changes/bug16430 b/changes/bug16430
+new file mode 100644
+index 0000000..ca7b874
+--- /dev/null
++++ b/changes/bug16430
+@@ -0,0 +1,4 @@
++  o Minor features (client):
++    - Relax the validation done to hostnames in SOCKS5 requests, and allow
++      '_' to cope with domains observed in the wild that are serving non-RFC
++      compliant records. Resolves ticket 16430.
+diff --git a/src/common/util.c b/src/common/util.c
+index 942d0c2..4490150 100644
+--- a/src/common/util.c
++++ b/src/common/util.c
+@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
+ 
+ /** Return true iff <b>string</b> matches a pattern of DNS names
+  * that we allow Tor clients to connect to.
++ *
++ * Note: This allows certain technically invalid characters ('_') to cope
++ * with misconfigured zones that have been encountered in the wild.
+  */
+ int
+ string_is_valid_hostname(const char *string)
+@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
+   smartlist_split_string(components,string,".",0,0);
+ 
+   SMARTLIST_FOREACH_BEGIN(components, char *, c) {
+-    if (c[0] == '-') {
++    if ((c[0] == '-') || (*c == '_')) {
+       result = 0;
+       break;
+     }
+@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
+       if ((*c >= 'a' && *c <= 'z') ||
+           (*c >= 'A' && *c <= 'Z') ||
+           (*c >= '0' && *c <= '9') ||
+-          (*c == '-'))
++          (*c == '-') || (*c == '_'))
+         c++;
+       else
+         result = 0;
+diff --git a/src/test/test_util.c b/src/test/test_util.c
+index b0366db..0f64c26 100644
+--- a/src/test/test_util.c
++++ b/src/test/test_util.c
+@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
+   tt_assert(string_is_valid_hostname("stanford.edu"));
+   tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
+ 
+-  // Subdomain name cannot start with '-'.
++  // Subdomain name cannot start with '-' or '_'.
+   tt_assert(!string_is_valid_hostname("-torproject.org"));
+   tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
+   tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
++  tt_assert(!string_is_valid_hostname("___abc.org"));
+ 
+   // Hostnames cannot contain non-alphanumeric characters.
+   tt_assert(!string_is_valid_hostname("%%domain.\\org."));
+   tt_assert(!string_is_valid_hostname("***x.net"));
+-  tt_assert(!string_is_valid_hostname("___abc.org"));
+   tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
+   tt_assert(!string_is_valid_hostname("word1 word2.net"));
+ 
++  // Test workaround for nytimes.com stupidity, technically invalid,
++  // but we allow it since they are big, even though they are failing to
++  // comply with a ~30 year old standard.
++  tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
++
+   // XXX: do we allow single-label DNS names?
+ 
+   done:
+-- 
+1.9.1
+
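Review bot: The relaxation is made in `string_is_valid_hostname()` in src/common/util.c, a shared helper, while the patch subject and the changes entry describe it as a change to the SOCKS checks; any other caller of this function would presumably begin accepting `_` as well, so the call sites are worth auditing before the backport ships. In the embedded test hunk the new leading-`_` rejection is exercised only on the first label (`"___abc.org"`); adding `tt_assert(!string_is_valid_hostname("sub._domain.org"));` would pin it for later labels, in line with the existing `"subdomain.-domain.org"` case. The first-character check mixes `c[0] == '-'` with `*c == '_'`; writing both the same way, `if (c[0] == '-' || c[0] == '_') {`, reads more clearly. The doc comment could also state that `_` is rejected as the first character of a label, since the added note only says it is allowed. The function body continues outside the embedded hunks.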




