authorNick Mathewson <nickm@torproject.org>2010-06-11 13:21:31 -0400
committerNick Mathewson <nickm@torproject.org>2010-06-11 13:21:31 -0400
commit945633476ac203b5a0fc7901830df104524bfe56 (patch)
tree2414737ae1907168b5f094c6635a405050a29308
parentbe1c4672c4ea0dc55cc062a72741c7498138d8af (diff)
parent10fdb9ee0a1605050f2a91f84f88397881cfd83a (diff)
Merge commit 'sebastian/hostnamewarn'
-rw-r--r--changes/nohostnamewarn5
-rw-r--r--doc/tor.1.txt6
-rw-r--r--src/or/buffers.c29
-rw-r--r--src/or/config.c1
-rw-r--r--src/or/or.h4
5 files changed, 33 insertions, 12 deletions
diff --git a/changes/nohostnamewarn b/changes/nohostnamewarn
new file mode 100644
index 0000000000..4cb56ea307
--- /dev/null
+++ b/changes/nohostnamewarn
@@ -0,0 +1,5 @@
+ o Minor features:
+ - Allow disabling the warning that occurs whenever Tor receives only
+ an IP address instead of a hostname. Setups that do DNS locally over
+ Tor are fine, and we shouldn't spam the logs in that case.
+
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 50283aa5eb..15ecb79eba 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -632,6 +632,12 @@ The following options are useful only for clients (that is, if
helps to determine whether an application using Tor is possibly leaking
DNS requests. (Default: 0)
+**WarnUnsafeSocks** **0**|**1**::
+ When this option is enabled, Tor will warn whenever a request is
+ received that only contains an IP address instead of a hostname. Allowing
+ applications to do DNS resolves themselves is usually a bad idea and
+ can leak your location to attackers. (Default: 1)
+
**VirtualAddrNetwork** __Address__/__bits__::
When a controller asks for a virtual (unused) address with the MAPADDRESS
command, Tor picks an unassigned address from this range. (Default:
diff --git a/src/or/buffers.c b/src/or/buffers.c
index 4dbd9a7a0b..970c1888c1 100644
--- a/src/or/buffers.c
+++ b/src/or/buffers.c
@@ -1402,19 +1402,21 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
if (req->command != SOCKS_COMMAND_RESOLVE_PTR &&
!addressmap_have_mapping(req->address,0) &&
!have_warned_about_unsafe_socks) {
- log_warn(LD_APP,
- "Your application (using socks5 to port %d) is giving "
- "Tor only an IP address. Applications that do DNS resolves "
- "themselves may leak information. Consider using Socks4A "
- "(e.g. via privoxy or socat) instead. For more information, "
- "please see https://wiki.torproject.org/TheOnionRouter/"
- "TorFAQ#SOCKSAndDNS.%s", req->port,
- safe_socks ? " Rejecting." : "");
- /*have_warned_about_unsafe_socks = 1;*/
+ if (get_options()->WarnUnsafeSocks) {
+ log_warn(LD_APP,
+ "Your application (using socks5 to port %d) is giving "
+ "Tor only an IP address. Applications that do DNS resolves "
+ "themselves may leak information. Consider using Socks4A "
+ "(e.g. via privoxy or socat) instead. For more information, "
+ "please see https://wiki.torproject.org/TheOnionRouter/"
+ "TorFAQ#SOCKSAndDNS.%s", req->port,
+ safe_socks ? " Rejecting." : "");
+ /*have_warned_about_unsafe_socks = 1;*/
/*(for now, warn every time)*/
control_event_client_status(LOG_WARN,
"DANGEROUS_SOCKS PROTOCOL=SOCKS5 ADDRESS=%s:%d",
req->address, req->port);
+ }
if (safe_socks)
return -1;
}
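Review bot: The `control_event_client_status(LOG_WARN, "DANGEROUS_SOCKS PROTOCOL=SOCKS5 ...")` call now sits inside the new `if (get_options()->WarnUnsafeSocks)` block, so setting the option to 0 silences the controller status event as well as the log line, while `if (safe_socks) return -1;` below still rejects the request. With SafeSocks on and WarnUnsafeSocks off, a request is refused with nothing logged at this point and no event for a controller to display. Consider closing the brace before the control event, or widening the condition to `if (get_options()->WarnUnsafeSocks || safe_socks) {` so that a rejection always leaves a trace. The same applies to the SOCKS4 branch in the next two hunks; fetch_from_buf_socks starts and ends outside these hunks.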
@@ -1516,7 +1518,8 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
if (socks4_prot != socks4a &&
!addressmap_have_mapping(tmpbuf,0) &&
!have_warned_about_unsafe_socks) {
- log_warn(LD_APP,
+ if (get_options()->WarnUnsafeSocks) {
+ log_warn(LD_APP,
"Your application (using socks4 to port %d) is giving Tor "
"only an IP address. Applications that do DNS resolves "
"themselves may leak information. Consider using Socks4A "
@@ -1524,10 +1527,12 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
"please see https://wiki.torproject.org/TheOnionRouter/"
"TorFAQ#SOCKSAndDNS.%s", req->port,
safe_socks ? " Rejecting." : "");
- /*have_warned_about_unsafe_socks = 1;*/ /*(for now, warn every time)*/
- control_event_client_status(LOG_WARN,
+ /*have_warned_about_unsafe_socks = 1;*/
+ /*(for now, warn every time)*/
+ control_event_client_status(LOG_WARN,
"DANGEROUS_SOCKS PROTOCOL=SOCKS4 ADDRESS=%s:%d",
tmpbuf, req->port);
+ }
if (safe_socks)
return -1;
}
diff --git a/src/or/config.c b/src/or/config.c
index efd8a27b3f..954ada6379 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -280,6 +280,7 @@ static config_var_t _option_vars[] = {
V(NatdListenAddress, LINELIST, NULL),
V(NatdPort, UINT, "0"),
V(Nickname, STRING, NULL),
+ V(WarnUnsafeSocks, BOOL, "1"),
V(NoPublish, BOOL, "0"),
VAR("NodeFamily", LINELIST, NodeFamilies, NULL),
V(NumCpus, UINT, "1"),
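Review bot: `V(WarnUnsafeSocks, BOOL, "1")` is inserted between `Nickname` and `NoPublish`, while the neighbouring entries visible here run in alphabetical order; placing it with the other W options would keep the table easy to scan and make a duplicate entry easier to spot. The `_option_vars` array starts and ends outside this hunk, so the exact position has to be checked against the full table.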
diff --git a/src/or/or.h b/src/or/or.h
index 832bdd6961..f922de2d8a 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2701,6 +2701,10 @@ typedef struct {
* selection. */
int AllowDotExit;
+ /** If true, we will warn if a user gives us only an IP address
+ * instead of a hostname. */
+ int WarnUnsafeSocks;
+
/** If true, the user wants us to collect statistics on clients
* requesting network statuses from us as directory. */
int DirReqStatistics;
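Review bot: The doc comment on `WarnUnsafeSocks` describes only the warning, but as buffers.c is changed in this commit the flag also gates the DANGEROUS_SOCKS controller event and leaves the SafeSocks rejection in place. I would spell that out, e.g. `/** If true, log a warning and send a DANGEROUS_SOCKS controller event when a SOCKS request gives us only an IP address instead of a hostname. Does not change whether SafeSocks rejects the request. */`. The enclosing options struct starts and ends outside this hunk.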