
[or-cvs] r12611: backport r12459 (in tor/branches/tor-0_1_2-patches: . doc src/or)



Author: arma
Date: 2007-11-30 02:49:49 -0500 (Fri, 30 Nov 2007)
New Revision: 12611

Modified:
   tor/branches/tor-0_1_2-patches/ChangeLog
   tor/branches/tor-0_1_2-patches/doc/TODO.012
   tor/branches/tor-0_1_2-patches/doc/tor.1.in
   tor/branches/tor-0_1_2-patches/src/or/or.h
   tor/branches/tor-0_1_2-patches/src/or/policies.c
   tor/branches/tor-0_1_2-patches/src/or/router.c
   tor/branches/tor-0_1_2-patches/src/or/test.c
Log:
backport r12459


Modified: tor/branches/tor-0_1_2-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_1_2-patches/ChangeLog	2007-11-29 16:16:50 UTC (rev 12610)
+++ tor/branches/tor-0_1_2-patches/ChangeLog	2007-11-30 07:49:49 UTC (rev 12611)
@@ -1,4 +1,11 @@
 Changes in version 0.1.2.19 - 2007-??-??
+  o Security fixes:
+    - Exit policies now reject connections that are addressed to a
+      relay's public (external) IP address too, unless
+      ExitPolicyRejectPrivate is turned off. We do this because too
+      many relays are running nearby to services that trust them based
+      on network address.
+
   o Major bugfixes:
     - When the clock jumps forward a lot, do not allow the bandwidth
       buckets to become negative.  Fixes Bug 544.

Modified: tor/branches/tor-0_1_2-patches/doc/TODO.012
===================================================================
--- tor/branches/tor-0_1_2-patches/doc/TODO.012	2007-11-29 16:16:50 UTC (rev 12610)
+++ tor/branches/tor-0_1_2-patches/doc/TODO.012	2007-11-30 07:49:49 UTC (rev 12611)
@@ -7,20 +7,20 @@
   o r11882: Avoid crash-bug 451.
   o r11886: Consider family as well as identity when cannibalizing circuits.
   - backport the osx privoxy.config changes
-  - no need to backport the windows privoxy.config changes because they're
+  X no need to backport the windows privoxy.config changes because they're
     not in SVN??
   - r12339: rlim_t may be wider than unsigned long.
   - r12341: Work if the real open-file limit is OPEN_FILES.
+  o r12459: Exit policies reject public IP address too
 
-  - r12459: Exit policies reject public IP address too
-
 Backport for 0.1.2.x once better tested:
   D r11287: Reject address mappings to internal addresses. (??)
     (this will break some existing test-network configurations, yes?)
   o r11499, r11500, r11501: hidserv hexdigests rather than nicknames
   o r11829: Don't warn when cancel_pending_resolve() finds a cached failure.
   o r11915: just because you hup, don't publish a near-duplicate descriptor
-  - r11994: Call routerlist_remove_old_routers() less.  This will be a
-	    tricky backport.
+  d r11994: Call routerlist_remove_old_routers() less.  This will be a
+            tricky backport.
   - r12153 and r12154: Give better warnings when we fail to mmap a descriptor
             store that we just wrote.
+

Modified: tor/branches/tor-0_1_2-patches/doc/tor.1.in
===================================================================
--- tor/branches/tor-0_1_2-patches/doc/tor.1.in	2007-11-29 16:16:50 UTC (rev 12610)
+++ tor/branches/tor-0_1_2-patches/doc/tor.1.in	2007-11-30 07:49:49 UTC (rev 12611)
@@ -621,11 +621,13 @@
 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and
 172.16.0.0/12), you can use the "private" alias instead of an address.
 These addresses are rejected by default (at the beginning of your
-exit policy) unless you set the ExitPolicyRejectPrivate config option
+exit policy), along with your public IP address, unless you set the
+ExitPolicyRejectPrivate config option
 to 0. For example, once you've done that, you could allow HTTP to
 127.0.0.1 and block all other connections to internal networks with
-"accept
-127.0.0.1:80,reject private:*".  See RFC 1918 and RFC 3330 for more
+"accept 127.0.0.1:80,reject private:*", though that may also allow
+connections to your own computer that are addressed to its public
+(external) IP address. See RFC 1918 and RFC 3330 for more
 details about internal and reserved IP address space.
 
 This directive can be specified multiple times so you don't have to put
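
Review bot: the sentence added after the "accept 127.0.0.1:80,reject private:*" example warns that connections to the relay's public address may be allowed, but it does not tell the operator how to close that gap. Suggest adding that anyone who sets ExitPolicyRejectPrivate to 0 should put an explicit reject line for their own public address at the start of their ExitPolicy, since turning the option off removes both protections at once.
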
@@ -655,7 +657,8 @@
 .LP
 .TP
 \fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP
-Reject all private (local) networks at the beginning of your exit
+Reject all private (local) networks, along with your own public IP
+address, at the beginning of your exit
 policy. See above entry on ExitPolicy. (Default: 1)
 .LP
 .TP

Modified: tor/branches/tor-0_1_2-patches/src/or/or.h
===================================================================
--- tor/branches/tor-0_1_2-patches/src/or/or.h	2007-11-29 16:16:50 UTC (rev 12610)
+++ tor/branches/tor-0_1_2-patches/src/or/or.h	2007-11-30 07:49:49 UTC (rev 12611)
@@ -2600,9 +2600,8 @@
 int cmp_addr_policies(addr_policy_t *a, addr_policy_t *b);
 addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr,
                               uint16_t port, addr_policy_t *policy);
-int policies_parse_exit_policy(config_line_t *cfg,
-                               addr_policy_t **dest,
-                               int rejectprivate);
+int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
+                               int rejectprivate, const char *local_address);
 int exit_policy_is_general_exit(addr_policy_t *policy);
 int policy_is_reject_star(addr_policy_t *policy);
 int getinfo_helper_policies(control_connection_t *conn,
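
Review bot: the new local_address parameter in the policies_parse_exit_policy() prototype is undocumented, and three of the four callers in this patch pass NULL. Suggest a short comment stating that NULL means "add no reject line for our own address" and what string format is expected (the value is inserted directly into "reject %s:*"), so future callers do not pass NULL by habit and silently lose the protection.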

Modified: tor/branches/tor-0_1_2-patches/src/or/policies.c
===================================================================
--- tor/branches/tor-0_1_2-patches/src/or/policies.c	2007-11-29 16:16:50 UTC (rev 12610)
+++ tor/branches/tor-0_1_2-patches/src/or/policies.c	2007-11-30 07:49:49 UTC (rev 12611)
@@ -232,7 +232,7 @@
   *msg = NULL;
 
   if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
-                                 options->ExitPolicyRejectPrivate))
+                                 options->ExitPolicyRejectPrivate, NULL))
     REJECT("Error in ExitPolicy entry.");
 
   /* The rest of these calls *append* to addr_policy. So don't actually
@@ -554,10 +554,16 @@
  */
 int
 policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest,
-                           int rejectprivate)
+                           int rejectprivate, const char *local_address)
 {
-  if (rejectprivate)
+  if (rejectprivate) {
     append_exit_policy_string(dest, "reject private:*");
+    if (local_address) {
+      char buf[POLICY_BUF_LEN];
+      tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address);
+      append_exit_policy_string(dest, buf);
+    }
+  }
   if (parse_addr_policy(cfg, dest, -1))
     return -1;
   append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
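
Review bot: the result of tor_snprintf() in the new local_address block is not checked, and local_address goes into the policy string without any validation. If the string does not fit in POLICY_BUF_LEN, or is not something the policy parser accepts as an address, the "reject %s:*" entry may be truncated or missing with no indication, and the relay would then run with a policy that lacks the protection this change is meant to add. Suggest checking the return value and logging a warning when the entry cannot be built or appended. The function's doc comment, which ends at the " */" context line above, is also untouched by this hunk and should describe the new argument.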

Modified: tor/branches/tor-0_1_2-patches/src/or/router.c
===================================================================
--- tor/branches/tor-0_1_2-patches/src/or/router.c	2007-11-29 16:16:50 UTC (rev 12610)
+++ tor/branches/tor-0_1_2-patches/src/or/router.c	2007-11-30 07:49:49 UTC (rev 12611)
@@ -895,7 +895,7 @@
   }
 
   policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
-                             options->ExitPolicyRejectPrivate);
+                             options->ExitPolicyRejectPrivate, ri->address);
 
   if (desc_routerinfo) { /* inherit values */
     ri->is_valid = desc_routerinfo->is_valid;
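
Review bot: the return value of policies_parse_exit_policy() is discarded at this call, which is now the only call site in the patch that passes a real address (ri->address) instead of NULL. Suggest checking the result, or at least logging on failure, and confirming that ri->address is always populated with the externally visible address before this point, because a NULL here skips the new reject line without any warning.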

Modified: tor/branches/tor-0_1_2-patches/src/or/test.c
===================================================================
--- tor/branches/tor-0_1_2-patches/src/or/test.c	2007-11-29 16:16:50 UTC (rev 12610)
+++ tor/branches/tor-0_1_2-patches/src/or/test.c	2007-11-30 07:49:49 UTC (rev 12611)
@@ -1753,7 +1753,7 @@
           compare_addr_to_addr_policy(0xc0a80102, 2, policy));
 
   policy2 = NULL;
-  test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1));
+  test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, NULL));
   test_assert(policy2);
 
   test_assert(!exit_policy_is_general_exit(policy));
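
Review bot: this call only adapts to the new signature by passing NULL, so the new "reject %s:*" branch is never exercised by the test suite. Suggest adding a case that calls policies_parse_exit_policy(NULL, &policy2, 1, ...) with a non-NULL address and then uses compare_addr_to_addr_policy() to assert that connections to that address are rejected.
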
@@ -1773,7 +1773,7 @@
   line.key = (char*)"foo";
   line.value = (char*)"accept *:80,reject private:*,reject *:*";
   line.next = NULL;
-  test_assert(0 == policies_parse_exit_policy(&line, &policy, 0));
+  test_assert(0 == policies_parse_exit_policy(&line, &policy, 0, NULL));
   test_assert(policy);
   test_streq(policy->string, "accept *:80");
   test_streq(policy->next->string, "reject *:*");
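
Review bot: with rejectprivate set to 0 this test again passes NULL, so nothing verifies that a non-NULL local_address is ignored when ExitPolicyRejectPrivate is off. Suggest a companion case that passes an address with rejectprivate 0 and asserts that policy->string is still "accept *:80", which pins down the behaviour the man page change describes.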