[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #17027 [Tor]: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local addresses

Subject: Re: [tor-bugs] #17027 [Tor]: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local addresses
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sun, 11 Oct 2015 10:29:41 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 11 Oct 2015 06:29:50 -0400
In-reply-to: <044.59b3f3200082aac0fa715411c328d816@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <044.59b3f3200082aac0fa715411c328d816@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#17027: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local
addresses
-------------------------+-------------------------------------------------
     Reporter:  teor     |      Owner:
         Type:  defect   |     Status:  needs_revision
     Priority:  major    |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor      |    Version:  Tor: unspecified
   Resolution:           |   Keywords:  TorCoreTeam201509 security
Actual Points:           |  026-backport
       Points:           |  Parent ID:
                         |    Sponsor:
-------------------------+-------------------------------------------------
Changes (by teor):

 * status:  reopened => needs_revision


Comment:

 I agree, let's backport to 0.2.6, if the required function(s) or data
 structures exist to support each address discovery method. But can we make
 the following changes first?

 In addition to blocking:
 * the configured or autodiscovered IPv4 address (Address or
 resolve_my_address()),
 * the configured IPv6 address (first IPv6 ORPort entry),
 * the publicly routable IPv4 or IPv6 address(es) of every interface on the
 server, if available.

 We could also block the following configured addresses by looking at
 OutboundBindAddressIPv4_/OutboundBindAddressIPv6_ and
 get_configured_ports():
 * OutboundBindAddress
 * ControlPort / ControlListenAddress
 * SOCKSPort / SOCKSListenAddress
 * TransPort / TransListenAddress
 * NATDPort / NATDListenAddress
 * DNSPort / DNSListenAddress
 * ORPort / ORListenAddress (IPv4 entries or subsequent IPv6 entries)
 * DirPort / DirListenAddress

 Ideally, we'd do this out of two smartlists of unique IPv4 and IPv6
 addresses, to avoid rejecting the same address multiple times. Duplicates
 will be removed by exit_policy_remove_redundancies() in any case.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17027#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: [tor-bugs] #17317 [Website]: Update manual page on Tor website
Next by Author: Re: [tor-bugs] #17027 [Tor]: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local addresses
Previous by thread: Re: [tor-bugs] #17027 [Tor]: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local addresses
Next by thread: Re: [tor-bugs] #17027 [Tor]: policies_parse_exit_policy_internal should block all IPv4 and IPv6 local addresses
Index(es):
- Author
- Thread