Re: [tor-dev] [PATCH] Log malformed hostnames in socks5 request respecting SafeLogging

To: "tor-dev@xxxxxxxxxxxxxxxxxxxx" <tor-dev@xxxxxxxxxxxxxxxxxxxx>

Subject: Re: [tor-dev] [PATCH] Log malformed hostnames in socks5 request respecting SafeLogging

Date: Tue, 25 Aug 2015 23:19:42 +1000

Delivery-date: Tue, 25 Aug 2015 09:20:01 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:from:content-type:in-reply-to:message-id:date:to :content-transfer-encoding:mime-version; bh=m0M6/oxdzYkD8U4kAXVNQs4EoyTVh2q0GgUH4MDsC0U=; b=cvcEH8aoYWWYU2trxyDr57/lEnZVhqLPRfKj0Z1nkMCdBAqZUAOETRCjm0tt6RfLX2 I6mRmylotXCLjNFXS8VT2mBgn0mAaSsAs05OqQ1XO8KCr654oPTRsqeKmgTeNJyI5S3v 5KJGmbYdrhkZHiDCZ4y8smXCxUkfVQYnNJqZDpGTWI96WFs3nQh+5BGhaq8XWeZS1afH Nvb7SaqtKKdUOEfd3wTDKcnV+GmT5nXuHfqoaXpzIzM4RSUPW5LqwqsB3FfI2HfDAT8n dwKgawH0V2cZ+y56YE+Q4srDul32AKL0gZlxdXJSOln7kysZ9b0zloaOZxYztpqIwwEf v/bg==

In-reply-to: <55DC5097.1000007@xxxxxxxx>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <55DA534E.9090303@xxxxxxxx> <8EBEA4ED-3EB6-4CDD-A7C2-685A341ECCB1@xxxxxxxxx> <55DC5097.1000007@xxxxxxxx>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On 25 Aug 2015, at 21:25, Andreas Stieger <astieger@xxxxxxxx> wrote:

Hello,

On 08/25/2015 08:16 AM, teor wrote:
On 24 Aug 2015, at 09:12, Andreas Stieger <astieger@xxxxxxxx
<mailto:astieger@xxxxxxxx>> wrote:
I found a warning-level message in socks5 code relating to malformed
hostnames that did not respect the SafeLogging setting, breaking the
rule of least surprise. Please review the attached simple patch.

Thank you for submitting this patch - is there a corresponding Trac ticket?
(Patches without Trac tickets can get lost easily.)

I created #16891 and attached the patch.
https://trac.torproject.org/projects/tor/ticket/16891

Thanks, Andreas, I have reviewed your patch, and tagged it with the keywords PostFreeze027 (so it gets merged before / during the 0.2.7 freeze) and TorCoreTeam201508 (so it's included in this month's work).

I have also filed #16894 to do a review of similar logging issues elsewhere in the Tor codebase.

If anyone wants to help review the places where Tor logs externally-provided strings, and particularly logging sensitive client information, please add your findings to the ticket.

https://trac.torproject.org/projects/tor/ticket/16894

Thanks again,

Tim (teor)

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev