diff options
-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | src/or/relay.c | 7 |
2 files changed, 13 insertions, 3 deletions
@@ -1,4 +1,11 @@ Changes in version 0.2.1.7-alpha - 2008-10-xx + o Security fixes: + - The "ClientDNSRejectInternalAddresses" config option wasn't being + consistently obeyed: if an exit relay refuses a stream because its + exit policy doesn't allow it, we would remember what IP address + the relay said the destination address resolves to, even if it's + an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. + o Minor features: - Now NodeFamily and MyFamily config options allow spaces in identity fingerprints, so it's easier to paste them in. @@ -122,7 +129,7 @@ Changes in version 0.2.1.6-alpha - 2008-09-30 - If we overrun our per-second write limits a little, count this as having used up our write allocation for the second, and choke outgoing directory writes. Previously, we had only counted this when - we had met our limits precisely. Fixes bug 824. Patch from by rovv. + we had met our limits precisely. Fixes bug 824. Patch by rovv. Bugfix on 0.2.0.x (??). - Avoid a "0 divided by 0" calculation when calculating router uptime at directory authorities. Bugfix on 0.2.0.8-alpha. diff --git a/src/or/relay.c b/src/or/relay.c index 8b68c8cf7..5bb712bf1 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -630,8 +630,11 @@ connection_edge_process_end_not_open( ttl = (int)ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+5)); else ttl = -1; - client_dns_set_addressmap(conn->socks_request->address, addr, - conn->chosen_exit_name, ttl); + + if (!(get_options()->ClientDNSRejectInternalAddresses && + is_internal_IP(addr, 0))) + client_dns_set_addressmap(conn->socks_request->address, addr, + conn->chosen_exit_name, ttl); } /* check if he *ought* to have allowed it */ if (exitrouter && |