[tor-commits] [tor/master] Check onion hostnames against client port flags

nickm at torproject.org nickm at torproject.org
Wed Sep 7 15:50:58 UTC 2016


commit 382a28951fc4830bc0cbc1ad781a5ba1e9d323cc
Author: teor (Tim Wilson-Brown) <teor2345 at gmail.com>
Date:   Fri Apr 1 00:29:46 2016 +1100

    Check onion hostnames against client port flags
    
    Check NoOnionTraffic before attaching a stream.
    
    NoOnionTraffic refuses connections to all onion hostnames,
    but permits non-onion hostnames and IP addresses.
---
 src/or/connection_edge.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 32272ec..4d615e8 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1708,6 +1708,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
     /* If we get here, it's a request for a .onion address! */
     tor_assert(!automap);
 
+    /* If .onion address requests are disabled, refuse the request */
+    if (!conn->entry_cfg.onion_traffic) {
+      log_warn(LD_APP, "Onion address %s requested from a port with .onion "
+                       "disabled", safe_str_client(socks->address));
+      connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+      return -1;
+    }
+
     /* Check whether it's RESOLVE or RESOLVE_PTR.  We don't handle those
      * for hidden service addresses. */
     if (SOCKS_COMMAND_IS_RESOLVE(socks->command)) {
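
Review bot: the log_warn() call in the new `!conn->entry_cfg.onion_traffic` block fires once for every refused .onion request, so an application that keeps retrying against this port can fill the log at warn severity. Consider rate-limiting the message or logging repeats at a lower severity. Passing the address through safe_str_client() is the right call and should stay. The diffstat shows only src/or/connection_edge.c changing, so a test asserting that a port with onion_traffic unset ends the stream with END_STREAM_REASON_ENTRYPOLICY and returns -1 would be worth adding alongside this check.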




