[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #4341 [Tor Relay]: MyFamily Option Requires a Dollar Sign "$"



#4341: MyFamily Option Requires a Dollar Sign "$"
--------------------------------+-------------------------------------------
 Reporter:  marlowe             |          Owner:                  
     Type:  defect              |         Status:  needs_review    
 Priority:  normal              |      Milestone:  Tor: unspecified
Component:  Tor Relay           |        Version:  Tor: 0.2.2.34   
 Keywords:  easy configuration  |         Parent:                  
   Points:                      |   Actualpoints:                  
--------------------------------+-------------------------------------------

Comment(by nickm):

 Ooh, dangerous!

 is_legal_nickname_or_hexdigest gets called from a lot of places.  One is
 in config.c in check_nickname_list, which seems okay.  Another is when
 validating MyFamily in router.c, which is also fine.

 But it's also used in rendservice.c to handle nicknames from introduce2
 cells, and in routerparse.c to validate family lines there!

 We don't want to change the behavior of parsing family lines in introduce2
 cells, routers, or microdescriptors.  If we did that, you'd be able to
 make descriptors that new Tors would accept as valid, but older Tors
 wouldn't.


 Also, I don't see anything that transforms fingerprints without a "$" into
 ones with a "$" before adding them to the Family line in router.c.  That
 makes for trouble, since older Tors don't know how to handle such
 fingerprints when they appear on the Family line.


 What needs to happen here is that the new looser validation logic can only
 apply in config.c and router.c, where we're checking the user-supplied
 input.  The other users of is_legal_nickname_or_hexdigest() need to stay
 unchanged.  Any digests provided without a "$" need to get a "$" added to
 them before adding them to the family line.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4341#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs