-rw-r--r--ChangeLog9
-rw-r--r--src/or/relay.c7
2 files changed, 13 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index fb5324ddc2..d331c7ccbf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
Changes in version 0.2.1.7-alpha - 2008-10-xx
+ o Security fixes:
+ - The "ClientDNSRejectInternalAddresses" config option wasn't being
+ consistently obeyed: if an exit relay refuses a stream because its
+ exit policy doesn't allow it, we would remember what IP address
+ the relay said the destination address resolves to, even if it's
+ an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
+
o Minor features:
- Now NodeFamily and MyFamily config options allow spaces in
identity fingerprints, so it's easier to paste them in.
@@ -122,7 +129,7 @@ Changes in version 0.2.1.6-alpha - 2008-09-30
- If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
- we had met our limits precisely. Fixes bug 824. Patch from by rovv.
+ we had met our limits precisely. Fixes bug 824. Patch by rovv.
Bugfix on 0.2.0.x (??).
- Avoid a "0 divided by 0" calculation when calculating router uptime
at directory authorities. Bugfix on 0.2.0.8-alpha.
diff --git a/src/or/relay.c b/src/or/relay.c
index 8b68c8cf75..5bb712bf19 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -630,8 +630,11 @@ connection_edge_process_end_not_open(
ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5));
else
ttl = -1;
- client_dns_set_addressmap(conn->socks_request->address, addr,
- conn->chosen_exit_name, ttl);
+
+ if (!(get_options()->ClientDNSRejectInternalAddresses &&
+ is_internal_IP(addr, 0)))
+ client_dns_set_addressmap(conn->socks_request->address, addr,
+ conn->chosen_exit_name, ttl);
}
/* check if he *ought* to have allowed it */
if (exitrouter &&
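Review bot: The new guard around `client_dns_set_addressmap()` drops an internal address taken from the END cell silently, and nothing in the code says that `addr` is supplied by the exit relay and is therefore untrusted. A relay that reports internal addresses for a hostname is worth a trace when diagnosing a client, so I would log at info level in the rejected branch, scrubbing the hostname with `safe_str`, and add a short comment with the rationale. Since the condition and the call each span two lines, both arms should also be braced. The function starts and ends outside the hunk, so whether the stream handling further down should treat such a relay differently cannot be judged from here.

```c
    /* addr was reported by the exit relay in its END cell. Don't cache an
     * internal address for this hostname if the client rejects them. */
    if (get_options()->ClientDNSRejectInternalAddresses &&
        is_internal_IP(addr, 0)) {
      log_info(LD_APP, "Address '%s' resolved to internal. Not caching.",
               safe_str(conn->socks_request->address));
    } else {
      client_dns_set_addressmap(conn->socks_request->address, addr,
                                conn->chosen_exit_name, ttl);
    }
```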