authorSebastian Hahn <sebastian@torproject.org>2017-11-04 16:37:41 +0100
committerSebastian Hahn <sebastian@torproject.org>2017-11-04 18:31:02 +0100
commitd3fee8b82395f95a925b9adcb7b3a66ae0d5a0ef (patch)
treea38c8bb23187a9bc71389f438882d0fe9f120328
parente491c05f96387178da0958614084cd6ab30f5ea7 (diff)
downloadtor-d3fee8b82395f95a925b9adcb7b3a66ae0d5a0ef.tar.gz
tor-d3fee8b82395f95a925b9adcb7b3a66ae0d5a0ef.zip
ClientDNSRejectInternalAddresses in non-default networks
Once again allow the flag to be set, unless the default network is used. Thanks to nickm for suggesting the workaround for a test failure.
-rw-r--r--changes/ticket210315
-rw-r--r--doc/tor.1.txt6
-rw-r--r--src/or/config.c4
-rw-r--r--src/test/test_options.c5
4 files changed, 15 insertions, 5 deletions
diff --git a/changes/ticket21031 b/changes/ticket21031
new file mode 100644
index 0000000000..1f97c45993
--- /dev/null
+++ b/changes/ticket21031
@@ -0,0 +1,5 @@
+ o New/reanimated features
+ - The ClientDNSRejectInternalAddresses flag can once again be set in
+ non-default tor networks. This also remves a deprecation of this
+ flag in 0.2.9.2-alpha. Closes ticket 21031.
+
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index d701288af7..f052464332 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1443,12 +1443,12 @@ The following options are useful only for clients (that is, if
[[ClientDNSRejectInternalAddresses]] **ClientDNSRejectInternalAddresses** **0**|**1**::
If true, Tor does not believe any anonymously retrieved DNS answer that
tells it that an address resolves to an internal address (like 127.0.0.1 or
- 192.168.0.1). This option prevents certain browser-based attacks; don't
- turn it off unless you know what you're doing. (Default: 1)
+ 192.168.0.1). This option prevents certain browser-based attacks; it
+ is not allowed to be set on the default network. (Default: 1)
[[ClientRejectInternalAddresses]] **ClientRejectInternalAddresses** **0**|**1**::
If true, Tor does not try to fulfill requests to connect to an internal
- address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
+ address (like 127.0.0.1 or 192.168.0.1) __unless an exit node is
specifically requested__ (for example, via a .exit hostname, or a
controller request). If true, multicast DNS hostnames for machines on the
local network (of the form *.local) are also rejected. (Default: 1)
diff --git a/src/or/config.c b/src/or/config.c
index bba2532000..d6e1abaa10 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -4216,6 +4216,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
CHECK_DEFAULT(TestingLinkKeySlop);
#undef CHECK_DEFAULT
+ if (!options->ClientDNSRejectInternalAddresses &&
+ !(options->DirAuthorities ||
+ (options->AlternateDirAuthority && options->AlternateBridgeAuthority)))
+ REJECT("ClientDNSRejectInternalAddresses used for default network.");
if (options->SigningKeyLifetime < options->TestingSigningKeySlop*2)
REJECT("SigningKeyLifetime is too short.");
if (options->TestingLinkCertLifetime < options->TestingAuthKeySlop*2)
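Review bot: The new rejection check carries no comment explaining what the three-way authority condition means or why the option is locked on the default network, so a later reader has to reverse-engineer both from the REJECT string. I would put a short comment above the `if`: `/* Disabling this protection is only allowed on a non-default network (own DirAuthorities, or both Alternate*Authority lines set); on the public network it would re-expose clients to the internal-address DNS answers this option exists to reject. */`. The message on the REJECT line also reads as if setting the option at all is the problem, whereas the condition only fires when it is 0; if changing the string is acceptable to any test that matches it, something like `"ClientDNSRejectInternalAddresses 0 is only allowed on a non-default network."` states the rule directly. The condition treats a config with only AlternateDirAuthority set (no AlternateBridgeAuthority) as the default network, which is presumably intended since default bridge authorities would still be in use, but that is exactly the kind of case the comment should spell out. options_validate() begins and ends outside this hunk.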
diff --git a/src/test/test_options.c b/src/test/test_options.c
index c55be35845..62732cabf7 100644
--- a/src/test/test_options.c
+++ b/src/test/test_options.c
@@ -398,11 +398,12 @@ fixed_get_uname(void)
"V3AuthVoteDelay 20\n" \
"V3AuthDistDelay 20\n" \
"V3AuthNIntervalsValid 3\n" \
- "ClientUseIPv4 1\n" \
+ "ClientUseIPv4 1\n" \
"VirtualAddrNetworkIPv4 127.192.0.0/10\n" \
"VirtualAddrNetworkIPv6 [FE80::]/10\n" \
"UseEntryGuards 1\n" \
- "Schedulers Vanilla\n"
+ "Schedulers Vanilla\n" \
+ "ClientDNSRejectInternalAddresses 1\n"
typedef struct {
or_options_t *old_opt;