"Please don't do stuff like this."
Why not? I don't see any problem in validating/checking the behavior or request/fingerprints of incoming connections to Tor, so long as it doesn't break Tor (hence QA testing after R&D). Why would checking input be a bad thing?
On 8/14/07, Peter Palfrader <peter@xxxxxxxxxxxxx> wrote:
On Tue, 14 Aug 2007, Kyle Williams wrote:
>> SecRule REQUEST_URI "!^/tor/server/authority$" "chain,msg:'Badly formed uri'"
>> SecRule REQUEST_URI "!^/tor/status/all$" "chain"
>> SecRule REQUEST_URI "!^/tor/running-routers$" "chain"
>> SecRule REQUEST_URI "!^/tor/dir\.z$" "chain"
>> SecRule REQUEST_URI "!^/tor/server/(?>d|fp)/(?>[A-F0-9]{40})(?>\+[A-F0-9]{40})*\.z$" "chain"
>> SecRule REQUEST_URI "!^/tor/status/fp/[A-F0-9]{40}(?>\+[A-F0-9]{40})*\.z$"
> Nice! Thank you for that helpful information.
> I will definitely take note of that with the next version of JanusVM.
> Strict rules such as these are a very good idea, because it never hurts to
> check your input before processing it.
Actually they are horrible. They already are out of date and would
reject proper directory requests. Please don't do stuff like this.
--
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
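
An added example, not part of the original thread and not code from Tor or JanusVM: the quoted chain flags a request only when its URI matches none of the six patterns, so running the allowlist over a corpus of known-good directory requests shows when it has gone stale. The fingerprint and corpus are constructed, and treating `/tor/server/all.z` as a valid request is an assumption to check against the directory spec of the Tor version in use.

```python
import re

# Allowlist copied from the SecRule chain quoted in the thread. The atomic
# groups "(?>...)" are written as "(?:...)" so this runs on Python < 3.11;
# for these fixed-length patterns the match result is the same.
ALLOWED = [
    r"^/tor/server/authority$",
    r"^/tor/status/all$",
    r"^/tor/running-routers$",
    r"^/tor/dir\.z$",
    r"^/tor/server/(?:d|fp)/(?:[A-F0-9]{40})(?:\+[A-F0-9]{40})*\.z$",
    r"^/tor/status/fp/[A-F0-9]{40}(?:\+[A-F0-9]{40})*\.z$",
]
_COMPILED = [re.compile(p) for p in ALLOWED]


def is_flagged(uri):
    """Mirror the chain: every rule is a negated match and chained rules are
    ANDed, so the action fires only when the URI matches none of the patterns."""
    return all(p.search(uri) is None for p in _COMPILED)


def false_rejects(known_good):
    """Return the known-good URIs that the allowlist would flag."""
    return [uri for uri in known_good if is_flagged(uri)]


# Constructed sample data: a placeholder fingerprint and a small corpus.
FP = "0123456789ABCDEF0123456789ABCDEF01234567"
KNOWN_GOOD = [
    "/tor/dir.z",
    "/tor/running-routers",
    "/tor/server/fp/" + FP + ".z",
    "/tor/status/fp/" + FP + "+" + FP + ".z",
    "/tor/server/all.z",  # assumption: valid request, absent from the rules
]

if __name__ == "__main__":
    stale = false_rejects(KNOWN_GOOD)
    for uri in KNOWN_GOOD:
        print("FLAGGED" if uri in stale else "ok     ", uri)
    # A non-empty result means the rule set lags behind the directory protocol.
    raise SystemExit(1 if stale else 0)
```

Run as a pre-deployment check, the non-zero exit status marks a rule set that would reject requests in the known-good corpus.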