authorteor (Tim Wilson-Brown) <teor2345@gmail.com>2016-04-01 00:29:46 +1100
committerDavid Goulet <dgoulet@torproject.org>2016-08-24 14:40:54 -0400
commit382a28951fc4830bc0cbc1ad781a5ba1e9d323cc (patch)
treea4707e23047d0bf88272e33e3af16f623ca93626
parentb311f82026d51141a2ef6dd4a709d41a0dd3c388 (diff)
downloadtor-382a28951fc4830bc0cbc1ad781a5ba1e9d323cc.tar.gz
tor-382a28951fc4830bc0cbc1ad781a5ba1e9d323cc.zip
Check onion hostnames against client port flags
Check NoOnionTraffic before attaching a stream. NoOnionTraffic refuses connections to all onion hostnames, but permits non-onion hostnames and IP addresses.
-rw-r--r--src/or/connection_edge.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 32272ecbe7..4d615e8e2b 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1708,6 +1708,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
/* If we get here, it's a request for a .onion address! */
tor_assert(!automap);
+ /* If .onion address requests are disabled, refuse the request */
+ if (!conn->entry_cfg.onion_traffic) {
+ log_warn(LD_APP, "Onion address %s requested from a port with .onion "
+ "disabled", safe_str_client(socks->address));
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+ return -1;
+ }
+
/* Check whether it's RESOLVE or RESOLVE_PTR. We don't handle those
* for hidden service addresses. */
if (SOCKS_COMMAND_IS_RESOLVE(socks->command)) {
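Review bot: The `log_warn` in the new `!conn->entry_cfg.onion_traffic` branch is emitted at warn severity once per refused request, and the request is driven by whatever application talks to this client port, so a misbehaving or hostile local client could fill the log with one line per connection attempt. Consider throttling it, e.g. `static ratelim_t onion_refused_ratelim = RATELIM_INIT(600);` followed by `log_fn_ratelim(&onion_refused_ratelim, LOG_WARN, LD_APP, ...)` with the same message, or lowering it to `log_info`. The address already goes through `safe_str_client`, which should stay so the requested onion name is scrubbed under safe logging. The comment above the check could also name the option it enforces, for instance `/* NoOnionTraffic is set on this port: refuse every .onion request */`. The enclosing function starts and ends outside this hunk, so whether its other refusal paths are throttled cannot be checked from here.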