[tor-commits] [stem/master] Skip accept/reject6 rules with IPv4 addresses

atagar at torproject.org atagar at torproject.org
Fri Mar 4 17:36:15 UTC 2016


commit 400a8c2cbac31e9d9b1c605d5b4135bf9633cc06
Author: Damian Johnson <atagar at torproject.org>
Date:   Fri Mar 4 08:58:13 2016 -0800

    Skip accept/reject6 rules with IPv4 addresses
    
    Damn. These are invalid and tor should outright reject them but according to
    the manual they're just skipped...
    
      Using an IPv4 address with accept6 or reject6 is ignored and generates a warning.
    
    That was a mistake but oh well. It's minor.
---
 stem/exit_policy.py           | 15 +++++++++++++--
 test/unit/exit_policy/rule.py |  9 ++++++---
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/stem/exit_policy.py b/stem/exit_policy.py
index 0f80032..587ef14 100644
--- a/stem/exit_policy.py
+++ b/stem/exit_policy.py
@@ -683,6 +683,14 @@ class ExitPolicyRule(object):
 
     self._mask = None
 
+    # Malformed exit policies are rejected, but there's an exception where it's
+    # just skipped: when an accept6/reject6 rule has an IPv4 address...
+    #
+    #   "Using an IPv4 address with accept6 or reject6 is ignored and generates
+    #   a warning."
+
+    self._skip_rule = False
+
     addrspec, portspec = exitpattern.rsplit(':', 1)
     self._apply_addrspec(rule, addrspec)
     self._apply_portspec(rule, portspec)
@@ -741,6 +749,9 @@ class ExitPolicyRule(object):
     :raises: **ValueError** if provided with a malformed address or port
     """
 
+    if self._skip_rule:
+      return False
+
     # validate our input and check if the argument doesn't match our address type
 
     if address is not None:
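Review bot: The early `if self._skip_rule: return False` at the top of is_match runs before the input validation that follows it, so a skipped rule no longer raises ValueError for a malformed address or port, although the docstring just above still promises `:raises: **ValueError**`. Callers that rely on that exception to catch bad input would get a silent False from these rules only. Either move the check below the validation block, or document the exception in the docstring, e.g. `:returns: always **False** for accept6/reject6 rules that carry an IPv4 address`. The body of is_match continues past the end of this hunk.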
@@ -964,8 +975,7 @@ class ExitPolicyRule(object):
       # num_ip4_bits ::= an integer between 0 and 32
 
       if self.is_ipv6_only:
-        rule_start = 'accept6' if self.is_accept else 'reject6'
-        raise ValueError("'%s' rules should have an IPv6 address, not IPv4 (%s)" % (rule_start, self.address))
+        self._skip_rule = True
 
       self._address_type = _address_type_to_int(AddressType.IPv4)
 
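Review bot: Setting `self._skip_rule = True` here only affects is_match; the rule still goes on to record an IPv4 address type, and its accept/reject flag and ports stay populated. Any caller that reads those attributes directly instead of calling is_match (policy summaries or whole-policy checks, if they work that way; not visible in this diff) would still treat the rule as live and evaluate the exit policy differently from tor. The manual text quoted in the commit message also says tor generates a warning, while this path is silent, so a log message here would keep the dropped rule visible to operators. I would add a comment such as `# tor ignores this rule: is_match() returns False, other accessors are unaffected` and check the ExitPolicy-level callers. The enclosing method starts and ends outside the hunk.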
@@ -1075,6 +1085,7 @@ class MicroExitPolicyRule(ExitPolicyRule):
     self.min_port = min_port
     self.max_port = max_port
     self._hash = None
+    self._skip_rule = False
 
   def is_address_wildcard(self):
     return True
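Review bot: `self._skip_rule = False` is now assigned in two constructors, presumably because MicroExitPolicyRule does not call the parent `__init__`. Any other subclass or construction path that misses the assignment would raise AttributeError in is_match. A class-level default on ExitPolicyRule, `_skip_rule = False`, would cover every subclass without repeating the assignment. The constructor begins outside this hunk.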
diff --git a/test/unit/exit_policy/rule.py b/test/unit/exit_policy/rule.py
index 9ff0181..780f7cb 100644
--- a/test/unit/exit_policy/rule.py
+++ b/test/unit/exit_policy/rule.py
@@ -360,10 +360,13 @@ class TestExitPolicyRule(unittest.TestCase):
         self.assertEqual(expected_result, rule.is_match(*match_args))
 
   def test_ipv6_only_entries(self):
-    # accept6/reject6 shouldn't allow ipv4 addresses
+    # accept6/reject6 shouldn't match anything when given an ipv4 addresses
 
-    self.assertRaises(ValueError, ExitPolicyRule, 'accept6 192.168.0.1:*')
-    self.assertRaises(ValueError, ExitPolicyRule, 'reject6 192.168.0.1:*')
+    rule = ExitPolicyRule('accept6 192.168.0.1/0:*')
+    self.assertTrue(rule._skip_rule)
+    self.assertFalse(rule.is_match('192.168.0.1'))
+    self.assertFalse(rule.is_match('FE80:0000:0000:0000:0202:B3FF:FE1E:8329'))
+    self.assertFalse(rule.is_match())
 
     # wildcards match all ipv6 but *not* ipv4
 
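Review bot: The rewritten test_ipv6_only_entries exercises only `accept6`, whereas the removed assertions covered both accept6 and reject6, and the new skip path in exit_policy.py applies to both. Adding `self.assertTrue(ExitPolicyRule('reject6 192.168.0.1:*')._skip_rule)` plus a matching `assertFalse` on `is_match('192.168.0.1')` would restore that coverage. The only input is now a `/0` mask, so the plain `192.168.0.1:*` form from the old assertions is no longer checked. The test method continues outside the hunk.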




