From ebf524b48b0340ed3b2bfc1d652e3d65b3aee11c Mon Sep 17 00:00:00 2001 From: Robert Ransom Date: Tue, 31 May 2011 07:05:40 -0700 Subject: Don't allow tor2web-mode Tors to connect to non-HS addresses The client's anonymity when accessing a non-HS address in tor2web-mode would be easily nuked by inserting an inline image with a .onion URL, so don't even pretend to access non-HS addresses through Tor. --- src/or/connection_edge.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src') diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index efaad79b6..bba666d3b 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1892,6 +1892,14 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn, return -1; } + if (options->Tor2webMode) { + log_warn(LD_APP, "Refusing to connect to non-hidden-service hostname %s " + "because tor2web mode is enabled.", + safe_str_client(socks->address)); + connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY); + return -1; + } + if (socks->command == SOCKS_COMMAND_RESOLVE) { uint32_t answer; struct in_addr in; -- cgit v1.2.3