Don't allow tor2web-mode Tors to connect to non-HS addresses

The client's anonymity when accessing a non-HS address in tor2web-mode would be easily nuked by inserting an inline image with a .onion URL, so don't even pretend to access non-HS addresses through Tor.
author: Robert Ransom <rransom.8774@gmail.com> 2011-05-31 07:05:40 -0700
committer: Nick Mathewson <nickm@torproject.org> 2011-11-30 14:54:15 -0500
commit: ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c (patch)
tree: fe25dead4b9b185c9ab5d4013f72db0bca911449 /src
parent: 5f3e6eb0b9b450c81bd54d5dd87ff786a6d1ffea (diff)
download: tor-ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c.tar
tor-ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index efaad79b6..bba666d3b 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1892,6 +1892,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
       return -1;
     }
 
+    if (options->Tor2webMode) {
+      log_warn(LD_APP, "Refusing to connect to non-hidden-service hostname %s "
+               "because tor2web mode is enabled.",
+               safe_str_client(socks->address));
+      connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+      return -1;
+    }
+
     if (socks->command == SOCKS_COMMAND_RESOLVE) {
       uint32_t answer;
       struct in_addr in;
author	Robert Ransom <rransom.8774@gmail.com>	2011-05-31 07:05:40 -0700
committer	Nick Mathewson <nickm@torproject.org>	2011-11-30 14:54:15 -0500
commit	ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c (patch)
tree	fe25dead4b9b185c9ab5d4013f72db0bca911449 /src
parent	5f3e6eb0b9b450c81bd54d5dd87ff786a6d1ffea (diff)
download	tor-ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c.tar tor-ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c.tar.gz