[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #8405 [Tor]: Provide a control port command to query the circuit used for SOCKS u+p



#8405: Provide a control port command to query the circuit used for SOCKS u+p
-----------------------------+------------------------------------
     Reporter:  mikeperry    |      Owner:  mikeperry
         Type:  enhancement  |     Status:  needs_revision
     Priority:  normal       |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  tor-client, mike-0.2.5
Actual Points:               |  Parent ID:  #5752
       Points:               |
-----------------------------+------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:12 rransom]:

 Thanks for looking this over!

 > You must not output the SOCKS4 auth string without escaping it.

 Stupid mistake. Fixed.

 > Either use `esc_for_log_len` (and add it if it hasn't already been added
 to Tor somewhere) like I did or use `base16_encode`.

 > At the very least, be aware that hexifying strings makes it harder for a
 human to read the control-port output.

 > Remember that some people will think that a hex-encoded string is
 encrypted.

 Yes, I originally wanted to use esc_for_log, but it doesn't currently
 escape all possible dangerous characters. Examples include \= and \space.
 A client with a good parser that correctly recognizes a quoted string
 likely won't have any problem, but I didn't want to inadvertently break
 any existing naive parsers. So what do you think is the best option? (1)
 Use esc_for_log as is and assume good client parsers, (2) make esc_for_log
 safer, or (3) use base16_encode?

 > Consider dynamically allocating the hex-encoding buffers for SOCKS5 auth
 strings, or at least not allocating a full kilobyte on the stack -- you're
 about to `smartlist_add_asprintf` the contents anyway, so 512 bytes of
 buffer should be eno

 Fixed.

 > Remember to update `control-spec.txt` to document at least what is
 actually being used by other applications.

 Will do, once we settle on a final patch.

 I've now posted a new version with the fixes mentioned.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8405#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs