ClientDNSRejectInternalAddresses in non-default networks

Once again allow the flag to be set, unless the default network is used. Thanks to nickm for a suggestion for the workaround to a test failure.
2017-11-04 16:37:41 +01:00 · 2017-11-04 16:37:41 +01:00 · d3fee8b823
parent e491c05f96
commit d3fee8b823
4 changed files with 15 additions and 5 deletions
--- a/changes/ticket21031
+++ b/changes/ticket21031
@ -0,0 +1,5 @@
+  o New/reanimated features
+   - The ClientDNSRejectInternalAddresses flag can once again be set in
+     non-default tor networks. This also remves a deprecation of this
+     flag in 0.2.9.2-alpha. Closes ticket 21031.
+
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@ -1443,12 +1443,12 @@ The following options are useful only for clients (that is, if
 [[ClientDNSRejectInternalAddresses]] **ClientDNSRejectInternalAddresses** **0**|**1**::
    If true, Tor does not believe any anonymously retrieved DNS answer that
    tells it that an address resolves to an internal address (like 127.0.0.1 or
-    192.168.0.1). This option prevents certain browser-based attacks; don't
-    turn it off unless you know what you're doing. (Default: 1)
+    192.168.0.1). This option prevents certain browser-based attacks; it
+    is not allowed to be set on the default network. (Default: 1)

 [[ClientRejectInternalAddresses]] **ClientRejectInternalAddresses** **0**|**1**::
    If true, Tor does not try to fulfill requests to connect to an internal
-    address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
+    address (like 127.0.0.1 or 192.168.0.1) __unless an exit node is
    specifically requested__ (for example, via a .exit hostname, or a
    controller request).  If true, multicast DNS hostnames for machines on the
    local network (of the form *.local) are also rejected.  (Default: 1)
--- a/src/or/config.c
+++ b/src/or/config.c
@ -4216,6 +4216,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
  CHECK_DEFAULT(TestingLinkKeySlop);
 #undef CHECK_DEFAULT

+  if (!options->ClientDNSRejectInternalAddresses &&
+      !(options->DirAuthorities ||
+        (options->AlternateDirAuthority && options->AlternateBridgeAuthority)))
+    REJECT("ClientDNSRejectInternalAddresses used for default network.");
  if (options->SigningKeyLifetime < options->TestingSigningKeySlop*2)
    REJECT("SigningKeyLifetime is too short.");
  if (options->TestingLinkCertLifetime < options->TestingAuthKeySlop*2)
--- a/src/test/test_options.c
+++ b/src/test/test_options.c
@ -398,11 +398,12 @@ fixed_get_uname(void)
  "V3AuthVoteDelay 20\n"                                                \
  "V3AuthDistDelay 20\n"                                                \
  "V3AuthNIntervalsValid 3\n"                                           \
-  "ClientUseIPv4 1\n"                                                     \
+  "ClientUseIPv4 1\n"                                                   \
  "VirtualAddrNetworkIPv4 127.192.0.0/10\n"                             \
  "VirtualAddrNetworkIPv6 [FE80::]/10\n"                                \
  "UseEntryGuards 1\n"                                                  \
-  "Schedulers Vanilla\n"
+  "Schedulers Vanilla\n"                                                \
+  "ClientDNSRejectInternalAddresses 1\n"

 typedef struct {
  or_options_t *old_opt;