diff options
| author | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-09-15 18:34:18 +1000 |
|---|---|---|
| committer | teor (Tim Wilson-Brown) <teor2345@gmail.com> | 2015-09-16 02:56:50 +1000 |
| commit | 098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d (patch) | |
| tree | bc40d90c97de2a09a6c1e277ea3c5f2c455f8787 /src/test/test_policy.c | |
| parent | 31eb486c4624d1437d982ffdfc1f9d7d83c5ffd6 (diff) | |
| download | tor-098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d.tar.gz tor-098b82c7b2a6bb711e3616eb5b7e7e5e7401f01d.zip | |
ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default:
* the relay's published IPv6 address (if any), and
* any publicly routable IPv4 or IPv6 addresses on any local interfaces.
This resolves a security issue for IPv6 Exits and multihomed Exits that
trust connections originating from localhost.
Resolves ticket 17027. Patch by "teor".
Patch on 42b8fb5a1523 (11 Nov 2007), released in 0.2.0.11-alpha.
Diffstat (limited to 'src/test/test_policy.c')
| -rw-r--r-- | src/test/test_policy.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/src/test/test_policy.c b/src/test/test_policy.c index 33f90c7da5..d7d3cf0c0d 100644 --- a/src/test/test_policy.c +++ b/src/test/test_policy.c @@ -49,7 +49,7 @@ test_policy_summary_helper(const char *policy_str, r = policies_parse_exit_policy(&line, &policy, EXIT_POLICY_IPV6_ENABLED | - EXIT_POLICY_ADD_DEFAULT ,0); + EXIT_POLICY_ADD_DEFAULT, 0, NULL, 0); tt_int_op(r,OP_EQ, 0); summary = policy_summarize(policy, AF_INET); @@ -77,7 +77,7 @@ test_policies_general(void *arg) int i; smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL, *policy4 = NULL, *policy5 = NULL, *policy6 = NULL, - *policy7 = NULL; + *policy7 = NULL, *policy12 = NULL; addr_policy_t *p; tor_addr_t tar; config_line_t line; @@ -112,10 +112,20 @@ test_policies_general(void *arg) tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy2, EXIT_POLICY_IPV6_ENABLED | EXIT_POLICY_REJECT_PRIVATE | - EXIT_POLICY_ADD_DEFAULT, 0)); + EXIT_POLICY_ADD_DEFAULT, 0, + NULL, 0)); tt_assert(policy2); + tor_addr_parse(&tar, "[2000::1234]"); + tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12, + EXIT_POLICY_IPV6_ENABLED | + EXIT_POLICY_REJECT_PRIVATE | + EXIT_POLICY_ADD_DEFAULT, + 0x0306090cu, &tar, 1)); + + tt_assert(policy12); + policy3 = smartlist_new(); p = router_parse_addr_policy_item_from_string("reject *:*",-1); tt_assert(p != NULL); @@ -202,7 +212,8 @@ test_policies_general(void *arg) line.next = NULL; tt_int_op(0, OP_EQ, policies_parse_exit_policy(&line,&policy, EXIT_POLICY_IPV6_ENABLED | - EXIT_POLICY_ADD_DEFAULT,0)); + EXIT_POLICY_ADD_DEFAULT, 0, + NULL, 0)); tt_assert(policy); //test_streq(policy->string, "accept *:80"); @@ -347,6 +358,7 @@ test_policies_general(void *arg) addr_policy_list_free(policy5); addr_policy_list_free(policy6); addr_policy_list_free(policy7); + addr_policy_list_free(policy12); tor_free(policy_str); if (sm) { SMARTLIST_FOREACH(sm, char *, s, tor_free(s)); |