authorNick Mathewson <nickm@torproject.org>2007-08-27 15:33:58 +0000
committerNick Mathewson <nickm@torproject.org>2007-08-27 15:33:58 +0000
commitd3224bad42957bf2e1751c7a1731c8956e003530 (patch)
tree02b92176af96af5ce487d47adfffe5d3fefba5f3 /src/or/config.c
parent0608ec71fdbd25da4195fd0e40ccd1bec7f3a0a5 (diff)
r14227@Kushana: nickm | 2007-08-27 11:33:28 -0400
Add a new ClientDNSRejectInternalAddresses option (default: on) to refuse to believe that any address can map to or from an internal address. This blocks some kinds of potential browser-based attacks, especially on hosts using DNSPort. Also clarify behavior in some comments. Backport candidate? svn:r11287
Diffstat (limited to 'src/or/config.c')
-rw-r--r--src/or/config.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/or/config.c b/src/or/config.c
index 3c7341efc9..6f747ed473 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -143,6 +143,8 @@ static config_var_t _option_vars[] = {
VAR("Bridge", LINELIST, Bridges, NULL),
VAR("CircuitBuildTimeout", INTERVAL, CircuitBuildTimeout, "1 minute"),
VAR("CircuitIdleTimeout", INTERVAL, CircuitIdleTimeout, "1 hour"),
+ VAR("ClientDNSRejectInternalAddresses", BOOL,
+ ClientDNSRejectInternalAddresses, "1"),
VAR("ClientOnly", BOOL, ClientOnly, "0"),
VAR("ConnLimit", UINT, ConnLimit, "1000"),
VAR("ConstrainedSockets", BOOL, ConstrainedSockets, "0"),
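Review bot: The new `ClientDNSRejectInternalAddresses` entry ships with default "1" but nothing in the table says this is a protective default, so the rationale lives only in the commit message. A one-line comment above the entry would keep a later edit from flipping it casually, for example `/* Default on: refusing answers that map to/from internal addresses blocks browser-based attacks, esp. with DNSPort. */`. Because the option is on by default, clients that deliberately resolve names to internal addresses through Tor will see a behaviour change, which matters for the backport question raised in the description. This page is limited to config.c, so it does not show whether the man page and changelog document the option. It also does not show whether option validation logs a notice when a user sets it to 0, so both are worth confirming.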
@@ -827,7 +829,8 @@ options_act_reversible(or_options_t *old_options, char **msg)
int logs_marked = 0;
/* Daemonize _first_, since we only want to open most of this stuff in
- * the subprocess. */
+ * the subprocess. Libevent bases can't be reliably inherited across
+ * processes. */
if (running_tor && options->RunAsDaemon) {
/* No need to roll back, since you can't change the value. */
start_daemon();