1 files changed, 15 insertions, 0 deletions

diff --git a/src/or/directory.c b/src/or/directory.c
index 29022fab4f..a3aa276df7 100644
--- a/src/or/directory.c
+++ b/src/or/directory.c
@@ -3404,6 +3404,13 @@ handle_get_hs_descriptor_v3(dir_connection_t *conn,
   const char *pubkey_str = NULL;
   const char *url = args->url;
 
+  /* Don't serve v3 descriptors if next gen onion service is disabled. */
+  if (!hs_v3_protocol_is_enabled()) {
+    /* 404 is used for an unrecognized URL so send back the same. */
+    write_http_status_line(conn, 404, "Not found");
+    goto done;
+  }
+
   /* Reject unencrypted dir connections */
   if (!connection_dir_is_encrypted(conn)) {
     write_http_status_line(conn, 404, "Not found");
@@ -3620,6 +3627,14 @@ directory_handle_command_post(dir_connection_t *conn, const char *headers,
    * the prop224 be deployed and thus use. */
   if (connection_dir_is_encrypted(conn) && !strcmpstart(url, "/tor/hs/")) {
     const char *msg = "HS descriptor stored successfully.";
+    /* Don't accept v3 and onward publish request if next gen onion service is
+     * disabled. */
+    if (!hs_v3_protocol_is_enabled()) {
+      /* 404 is used for an unrecognized URL so send back the same. */
+      write_http_status_line(conn, 404, "Not found");
+      goto done;
+    }
+
     /* We most probably have a publish request for an HS descriptor. */
     int code = handle_post_hs_descriptor(url, body);
     if (code != 200) {