-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | doc/TODO.012 | 10 | ||||
-rw-r--r-- | doc/tor.1.in | 11 | ||||
-rw-r--r-- | src/or/or.h | 5 | ||||
-rw-r--r-- | src/or/policies.c | 12 | ||||
-rw-r--r-- | src/or/router.c | 2 | ||||
-rw-r--r-- | src/or/test.c | 4 |
7 files changed, 33 insertions, 18 deletions
@@ -1,4 +1,11 @@ Changes in version 0.1.2.19 - 2007-??-?? + o Security fixes: + - Exit policies now reject connections that are addressed to a + relay's public (external) IP address too, unless + ExitPolicyRejectPrivate is turned off. We do this because too + many relays are running nearby to services that trust them based + on network address. + o Major bugfixes: - When the clock jumps forward a lot, do not allow the bandwidth buckets to become negative. Fixes Bug 544. diff --git a/doc/TODO.012 b/doc/TODO.012 index 2ce05d8bf2..0ad093ff6d 100644 --- a/doc/TODO.012 +++ b/doc/TODO.012 @@ -7,12 +7,11 @@ Backport items for 0.1.2: o r11882: Avoid crash-bug 451. o r11886: Consider family as well as identity when cannibalizing circuits. - backport the osx privoxy.config changes - - no need to backport the windows privoxy.config changes because they're + X no need to backport the windows privoxy.config changes because they're not in SVN?? - r12339: rlim_t may be wider than unsigned long. - r12341: Work if the real open-file limit is OPEN_FILES. - - - r12459: Exit policies reject public IP address too + o r12459: Exit policies reject public IP address too Backport for 0.1.2.x once better tested: D r11287: Reject address mappings to internal addresses. (??) @@ -20,7 +19,8 @@ Backport for 0.1.2.x once better tested: o r11499, r11500, r11501: hidserv hexdigests rather than nicknames o r11829: Don't warn when cancel_pending_resolve() finds a cached failure. o r11915: just because you hup, don't publish a near-duplicate descriptor - - r11994: Call routerlist_remove_old_routers() less. This will be a - tricky backport. + d r11994: Call routerlist_remove_old_routers() less. This will be a + tricky backport. - r12153 and r12154: Give better warnings when we fail to mmap a descriptor store that we just wrote. + diff --git a/doc/tor.1.in b/doc/tor.1.in index ab5b535877..a5c27b490a 100644 --- a/doc/tor.1.in +++ b/doc/tor.1.in 
@@ -621,11 +621,13 @@ To specify all internal and link-local networks (including 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12), you can use the "private" alias instead of an address. These addresses are rejected by default (at the beginning of your -exit policy) unless you set the ExitPolicyRejectPrivate config option +exit policy), along with your public IP address, unless you set the +ExitPolicyRejectPrivate config option to 0. For example, once you've done that, you could allow HTTP to 127.0.0.1 and block all other connections to internal networks with -"accept -127.0.0.1:80,reject private:*". See RFC 1918 and RFC 3330 for more +"accept 127.0.0.1:80,reject private:*", though that may also allow +connections to your own computer that are addressed to its public +(external) IP address. See RFC 1918 and RFC 3330 for more details about internal and reserved IP address space. This directive can be specified multiple times so you don't have to put @@ -655,7 +657,8 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_ .LP .TP \fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP -Reject all private (local) networks at the beginning of your exit +Reject all private (local) networks, along with your own public IP +address, at the beginning of your exit policy. See above entry on ExitPolicy. (Default: 1) .LP .TP diff --git a/src/or/or.h b/src/or/or.h index 50e73c0263..400b80a9d5 100644 --- a/src/or/or.h +++ b/src/or/or.h 
@@ -2600,9 +2600,8 @@ void policies_parse_from_options(or_options_t *options); int cmp_addr_policies(addr_policy_t *a, addr_policy_t *b); addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr, uint16_t port, addr_policy_t *policy); -int policies_parse_exit_policy(config_line_t *cfg, - addr_policy_t **dest, - int rejectprivate); +int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest, + int rejectprivate, const char *local_address); int exit_policy_is_general_exit(addr_policy_t *policy); int policy_is_reject_star(addr_policy_t *policy); int getinfo_helper_policies(control_connection_t *conn, diff --git a/src/or/policies.c b/src/or/policies.c index 3129ea35f7..53b3f2bfaf 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -232,7 +232,7 @@ validate_addr_policies(or_options_t *options, char **msg) *msg = NULL; if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy, - options->ExitPolicyRejectPrivate)) + options->ExitPolicyRejectPrivate, NULL)) REJECT("Error in ExitPolicy entry."); /* The rest of these calls *append* to addr_policy. So don't actually @@ -554,10 +554,16 @@ exit_policy_remove_redundancies(addr_policy_t **dest) */ int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest, - int rejectprivate) + int rejectprivate, const char *local_address) { - if (rejectprivate) + if (rejectprivate) { append_exit_policy_string(dest, "reject private:*"); + if (local_address) { + char buf[POLICY_BUF_LEN]; + tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address); + append_exit_policy_string(dest, buf); + } + } if (parse_addr_policy(cfg, dest, -1)) return -1; append_exit_policy_string(dest, DEFAULT_EXIT_POLICY); diff --git a/src/or/router.c b/src/or/router.c index 2b9e047cc4..8cd828852f 100644 --- a/src/or/router.c +++ b/src/or/router.c 
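Review bot: In policies_parse_exit_policy (src/or/policies.c) the new self-reject entry is added on a best-effort basis: the return value of `tor_snprintf` is ignored and `append_exit_policy_string(dest, buf)` is called as a plain statement, so if `local_address` is truncated or does not parse as an address, the relay would presumably keep running without the rule this commit adds as a security fix. Because a missing rule fails open, I would at least check the format step, e.g. `if (tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address) < 0) return -1;`, and log a warning when the entry cannot be appended (the helper is defined outside the hunk, so whether it can report failure needs confirming). The call in router_rebuild_descriptor (src/or/router.c) discards this function's return value, so a -1 there would go unnoticed. The doc comment that ends just above the signature is not touched by the hunk; it should say that `local_address` may be NULL and that a non-NULL value is rejected only when `rejectprivate` is set.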
@@ -895,7 +895,7 @@ router_rebuild_descriptor(int force) } policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy, - options->ExitPolicyRejectPrivate); + options->ExitPolicyRejectPrivate, ri->address); if (desc_routerinfo) { /* inherit values */ ri->is_valid = desc_routerinfo->is_valid; diff --git a/src/or/test.c b/src/or/test.c index a5c00b753a..dd41e15771 100644 --- a/src/or/test.c +++ b/src/or/test.c @@ -1753,7 +1753,7 @@ test_policies(void) compare_addr_to_addr_policy(0xc0a80102, 2, policy)); policy2 = NULL; - test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1)); + test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, NULL)); test_assert(policy2); test_assert(!exit_policy_is_general_exit(policy)); @@ -1773,7 +1773,7 @@ test_policies(void) line.key = (char*)"foo"; line.value = (char*)"accept *:80,reject private:*,reject *:*"; line.next = NULL; - test_assert(0 == policies_parse_exit_policy(&line, &policy, 0)); + test_assert(0 == policies_parse_exit_policy(&line, &policy, 0, NULL)); test_assert(policy); test_streq(policy->string, "accept *:80"); test_streq(policy->next->string, "reject *:*"); |
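Review bot: `ri->address` is turned verbatim into a `reject ADDR:*` policy line by the callee, but nothing at this call in router_rebuild_descriptor records what form the string has; its assignment is outside the hunk. If it could ever hold a hostname rather than a literal IP address, the self-reject entry may not parse, so I would state the requirement at the call, e.g. `/* ri->address must be a literal IP address: it is turned into a "reject ADDR:*" policy line. */`. Only this one advertised address is rejected, so any other public address bound on the same host is not covered by the new default; that limit is worth stating in the same comment.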
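Review bot: Both updated calls in test_policies (src/or/test.c) pass NULL for `local_address`, so the branch this commit adds as a security fix is never executed by the unit tests. I would add a case with a non-NULL address and assert that it is rejected, e.g. `test_assert(0 == policies_parse_exit_policy(NULL, &policy3, 1, "192.0.2.1"));` followed by `test_assert(ADDR_POLICY_REJECTED == compare_addr_to_addr_policy(0xc0000201, 80, policy3));`, where `policy3` is a new `addr_policy_t *` initialised to NULL and 192.0.2.1 is a constructed documentation address. A second case with `rejectprivate` set to 0 and a non-NULL address would pin down that the address is not rejected then. test_policies starts and ends outside both hunks.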