ClientDNSRejectInternalAddresses in non-default networks
Once again allow the flag to be set, unless the default network is used. Thanks to nickm for suggesting the workaround for a test failure.
parent
e491c05f96
commit
d3fee8b823
|
@ -0,0 +1,5 @@
|
|||
o New/reanimated features
|
||||
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
||||
non-default tor networks. This also remves a deprecation of this
|
||||
flag in 0.2.9.2-alpha. Closes ticket 21031.
|
||||
|
|
@ -1443,12 +1443,12 @@ The following options are useful only for clients (that is, if
|
|||
[[ClientDNSRejectInternalAddresses]] **ClientDNSRejectInternalAddresses** **0**|**1**::
|
||||
If true, Tor does not believe any anonymously retrieved DNS answer that
|
||||
tells it that an address resolves to an internal address (like 127.0.0.1 or
|
||||
192.168.0.1). This option prevents certain browser-based attacks; don't
|
||||
turn it off unless you know what you're doing. (Default: 1)
|
||||
192.168.0.1). This option prevents certain browser-based attacks; it
|
||||
is not allowed to be set on the default network. (Default: 1)
|
||||
|
||||
[[ClientRejectInternalAddresses]] **ClientRejectInternalAddresses** **0**|**1**::
|
||||
If true, Tor does not try to fulfill requests to connect to an internal
|
||||
address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
|
||||
address (like 127.0.0.1 or 192.168.0.1) __unless an exit node is
|
||||
specifically requested__ (for example, via a .exit hostname, or a
|
||||
controller request). If true, multicast DNS hostnames for machines on the
|
||||
local network (of the form *.local) are also rejected. (Default: 1)
|
||||
|
|
|
@ -4216,6 +4216,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||
CHECK_DEFAULT(TestingLinkKeySlop);
|
||||
#undef CHECK_DEFAULT
|
||||
|
||||
if (!options->ClientDNSRejectInternalAddresses &&
|
||||
!(options->DirAuthorities ||
|
||||
(options->AlternateDirAuthority && options->AlternateBridgeAuthority)))
|
||||
REJECT("ClientDNSRejectInternalAddresses used for default network.");
|
||||
if (options->SigningKeyLifetime < options->TestingSigningKeySlop*2)
|
||||
REJECT("SigningKeyLifetime is too short.");
|
||||
if (options->TestingLinkCertLifetime < options->TestingAuthKeySlop*2)
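Review bot: The message in the new `REJECT("ClientDNSRejectInternalAddresses used for default network.")` describes the wrong case: the guard above it fires when the option is 0, so the option is being disabled, not "used"; `REJECT("ClientDNSRejectInternalAddresses may not be disabled on the default network.");` tells the operator what to change. The default-network predicate `!(options->DirAuthorities || (options->AlternateDirAuthority && options->AlternateBridgeAuthority))` appears to restate a condition the TestingTorNetwork validation elsewhere in this function also expresses; a shared static helper, or at least a comment naming it as the same test, would keep the two from drifting, since a mismatch here would let a client on the public network silently accept DNS answers that resolve to internal addresses. options_validate begins and ends outside the hunk.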
|
||||
|
|
|
@ -398,11 +398,12 @@ fixed_get_uname(void)
|
|||
"V3AuthVoteDelay 20\n" \
|
||||
"V3AuthDistDelay 20\n" \
|
||||
"V3AuthNIntervalsValid 3\n" \
|
||||
"ClientUseIPv4 1\n" \
|
||||
"ClientUseIPv4 1\n" \
|
||||
"VirtualAddrNetworkIPv4 127.192.0.0/10\n" \
|
||||
"VirtualAddrNetworkIPv6 [FE80::]/10\n" \
|
||||
"UseEntryGuards 1\n" \
|
||||
"Schedulers Vanilla\n"
|
||||
"Schedulers Vanilla\n" \
|
||||
"ClientDNSRejectInternalAddresses 1\n"
|
||||
|
||||
typedef struct {
|
||||
or_options_t *old_opt;
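Review bot: The added `"ClientDNSRejectInternalAddresses 1\n"` line in the test-default options string has no explanation, and the commit message itself calls it a workaround for a test failure; the next person trimming the fixture will drop it and hit the new options_validate rejection. A `/* */` comment is legal inside a macro continuation, e.g. `"ClientDNSRejectInternalAddresses 1\n" /* keep: validation rejects 0 on the default network */`, or a line comment above the #define would do. The cause is presumably that the testing-network defaults set this flag differently from the documented default, but that should be confirmed and written into the comment rather than left to a guess. The #define begins outside the hunk, and the typedef struct that follows continues past it.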
|
||||
|
|