[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #17027 [Tor]: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local addresses
#17027: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local
addresses
------------------------+----------------------------------------
Reporter: teor | Owner:
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor | Version: Tor: 0.2.7.2-alpha
Resolution: | Keywords: TorCoreTeam201509 security
Actual Points: | Parent ID:
Points: |
------------------------+----------------------------------------
Changes (by teor):
* keywords: TorCoreTeam201509 security 026-backport => TorCoreTeam201509
security
* milestone: Tor: 0.2.7.x-final =>
Comment:
Anything we do here will always have edge cases, like (multihomed) NAT, or
NAT without an autodetected IP address.
That said, I think I can fix this by:
* refactoring `get_interface_address6` as a wrapper for a new
`get_interface_address6_list`, which produces a smartlist of local
addresses. (Similarly, create `get_interface_address_list`, a wrapper
which produces a list of IPv4 addresses.)
* blocking connections to all IPv4 addresses from
`get_interface_address_list`, as long as rejectprivate and local_address
are non-zero.
* blocking connections to all IPv6 addresses from
`get_interface_address6_list`, as long as rejectprivate and local_address
and ipv6_exit are non-zero. (Otherwise, we're blocking all IPv6 addresses
anyway.)
* Creating or updating unit tests for `get_interface_address6_list`,
`get_interface_address_list`, and `policies_parse_exit_policy_internal`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17027#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs