[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #8405 [Tor]: Provide a control port command to query the circuit used for SOCKS u+p

Subject: Re: [tor-bugs] #8405 [Tor]: Provide a control port command to query the circuit used for SOCKS u+p
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Thu, 17 Jul 2014 21:07:37 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 17 Jul 2014 17:07:46 -0400
In-reply-to: <049.c660a3479c92fa04af829bd4ffa9e048@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <049.c660a3479c92fa04af829bd4ffa9e048@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#8405: Provide a control port command to query the circuit used for SOCKS u+p
-----------------------------+------------------------------------
     Reporter:  mikeperry    |      Owner:  mikeperry
         Type:  enhancement  |     Status:  needs_revision
     Priority:  normal       |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  tor-client, mike-0.2.5
Actual Points:               |  Parent ID:  #5752
       Points:               |
-----------------------------+------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:12 rransom]:

 Thanks for looking this over!

 > You must not output the SOCKS4 auth string without escaping it.

 Stupid mistake. Fixed.

 > Either use `esc_for_log_len` (and add it if it hasn't already been added
 to Tor somewhere) like I did or use `base16_encode`.

 > At the very least, be aware that hexifying strings makes it harder for a
 human to read the control-port output.

 > Remember that some people will think that a hex-encoded string is
 encrypted.

 Yes, I originally wanted to use esc_for_log, but it doesn't currently
 escape all possible dangerous characters. Examples include \= and \space.
 A client with a good parser that correctly recognizes a quoted string
 likely won't have any problem, but I didn't want to inadvertently break
 any existing naive parsers. So what do you think is the best option? (1)
 Use esc_for_log as is and assume good client parsers, (2) make esc_for_log
 safer, or (3) use base16_encode?

 > Consider dynamically allocating the hex-encoding buffers for SOCKS5 auth
 strings, or at least not allocating a full kilobyte on the stack -- you're
 about to `smartlist_add_asprintf` the contents anyway, so 512 bytes of
 buffer should be eno

 Fixed.

 > Remember to update `control-spec.txt` to document at least what is
 actually being used by other applications.

 Will do, once we settle on a final patch.

 I've now posted a new version with the fixes mentioned.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8405#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: [tor-bugs] #12648 [Tor bundles/installation]: Upgrade go to 1.3
Next by Author: Re: [tor-bugs] #12648 [Tor bundles/installation]: Upgrade go to 1.3
Previous by thread: Re: [tor-bugs] #8405 [Tor]: Provide a control port command to query the circuit used for SOCKS u+p
Next by thread: Re: [tor-bugs] #8405 [Tor]: Provide a control port command to query the circuit used for SOCKS u+p
Index(es):
- Author
- Thread