[tbb-commits] [tor-browser-bundle/maint-4.5] Bug 16430: Backport Tor patch to allow DNS names with _
mikeperry at torproject.org
mikeperry at torproject.org
Thu Jun 25 19:59:45 UTC 2015
commit 2c3f85664eda04e9a942d56d1c56ff2cc7d2de83
Author: Mike Perry <mikeperry-git at torproject.org>
Date: Thu Jun 25 12:58:44 2015 -0700
Bug 16430: Backport Tor patch to allow DNS names with _
---
gitian/descriptors/linux/gitian-tor.yml | 2 +
gitian/descriptors/mac/gitian-tor.yml | 2 +
gitian/descriptors/windows/gitian-tor.yml | 2 +
gitian/patches/bug16430.patch | 93 +++++++++++++++++++++++++++++
4 files changed, 99 insertions(+)
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index b218486..b95bcf5 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -22,6 +22,7 @@ files:
- "bug8402-master.patch"
- "bug8405.patch"
- "bug15482.patch"
+- "bug16430.patch"
- "dzip.sh"
- "openssl-linux32-utils.zip"
- "openssl-linux64-utils.zip"
@@ -83,6 +84,7 @@ script: |
git am ~/build/bug8402-master.patch
else
git am ~/build/bug15482.patch
+ git am ~/build/bug16430.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
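Review bot: The added `git am ~/build/bug16430.patch` sits only in the `else` branch, so builds that take the first branch (the one applying `bug8402-master.patch`) do not receive the backport. The condition is outside the hunk; presumably that branch builds a tree that already carries the fix. If so, a comment such as `# bug16430 is already upstream on the other branch; backport only here` would make that explicit. The same applies to the matching script hunks in the mac and windows descriptors. It is also worth confirming that the script aborts when `git am` fails, so a patch that no longer applies cannot yield a bundle without the fix; whether `set -e` or an equivalent is in effect is not visible here.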
diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml
index 3d0e0c6..8a7d333 100644
--- a/gitian/descriptors/mac/gitian-tor.yml
+++ b/gitian/descriptors/mac/gitian-tor.yml
@@ -18,6 +18,7 @@ files:
- "bug8402-master.patch"
- "bug8405.patch"
- "bug15482.patch"
+- "bug16430.patch"
- "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb"
- "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz"
- "dzip.sh"
@@ -61,6 +62,7 @@ script: |
git am ~/build/bug8402-master.patch
else
git am ~/build/bug15482.patch
+ git am ~/build/bug16430.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index 87e1dc2..c47982e 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -18,6 +18,7 @@ files:
- "bug8402-master.patch"
- "bug8405.patch"
- "bug15482.patch"
+- "bug16430.patch"
- "binutils.tar.bz2"
- "dzip.sh"
- "mingw-w64-win32-utils.zip"
@@ -61,6 +62,7 @@ script: |
git am ~/build/bug8402-master.patch
else
git am ~/build/bug15482.patch
+ git am ~/build/bug16430.patch
fi
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
diff --git a/gitian/patches/bug16430.patch b/gitian/patches/bug16430.patch
new file mode 100644
index 0000000..81bbe3e
--- /dev/null
+++ b/gitian/patches/bug16430.patch
@@ -0,0 +1,93 @@
+From 3f336966a264d7cd7c6dab08fb85d85273f06d68 Mon Sep 17 00:00:00 2001
+From: Yawning Angel <yawning at schwanenlied.me>
+Date: Wed, 24 Jun 2015 13:52:29 +0000
+Subject: [PATCH] Work around nytimes.com's broken hostnames in our SOCKS
+ checks.
+
+RFC 952 is approximately 30 years old, and people are failing to comply,
+by serving A records with '_' as part of the hostname. Since relaxing
+the check is a QOL improvement for our userbase, relax the check to
+allow such abominations as destinations, especially since there are
+likely to be other similarly misconfigured domains out there.
+---
+ changes/bug16430 | 4 ++++
+ src/common/util.c | 7 +++++--
+ src/test/test_util.c | 9 +++++++--
+ 3 files changed, 16 insertions(+), 4 deletions(-)
+ create mode 100644 changes/bug16430
+
+diff --git a/changes/bug16430 b/changes/bug16430
+new file mode 100644
+index 0000000..ca7b874
+--- /dev/null
++++ b/changes/bug16430
+@@ -0,0 +1,4 @@
++ o Minor features (client):
++ - Relax the validation done to hostnames in SOCKS5 requests, and allow
++ '_' to cope with domains observed in the wild that are serving non-RFC
++ compliant records. Resolves ticket 16430.
+diff --git a/src/common/util.c b/src/common/util.c
+index 942d0c2..4490150 100644
+--- a/src/common/util.c
++++ b/src/common/util.c
+@@ -1036,6 +1036,9 @@ string_is_valid_ipv6_address(const char *string)
+
+ /** Return true iff <b>string</b> matches a pattern of DNS names
+ * that we allow Tor clients to connect to.
++ *
++ * Note: This allows certain technically invalid characters ('_') to cope
++ * with misconfigured zones that have been encountered in the wild.
+ */
+ int
+ string_is_valid_hostname(const char *string)
+@@ -1048,7 +1051,7 @@ string_is_valid_hostname(const char *string)
+ smartlist_split_string(components,string,".",0,0);
+
+ SMARTLIST_FOREACH_BEGIN(components, char *, c) {
+- if (c[0] == '-') {
++ if ((c[0] == '-') || (*c == '_')) {
+ result = 0;
+ break;
+ }
+@@ -1057,7 +1060,7 @@ string_is_valid_hostname(const char *string)
+ if ((*c >= 'a' && *c <= 'z') ||
+ (*c >= 'A' && *c <= 'Z') ||
+ (*c >= '0' && *c <= '9') ||
+- (*c == '-'))
++ (*c == '-') || (*c == '_'))
+ c++;
+ else
+ result = 0;
+diff --git a/src/test/test_util.c b/src/test/test_util.c
+index b0366db..0f64c26 100644
+--- a/src/test/test_util.c
++++ b/src/test/test_util.c
+@@ -4268,18 +4268,23 @@ test_util_hostname_validation(void *arg)
+ tt_assert(string_is_valid_hostname("stanford.edu"));
+ tt_assert(string_is_valid_hostname("multiple-words-with-hypens.jp"));
+
+- // Subdomain name cannot start with '-'.
++ // Subdomain name cannot start with '-' or '_'.
+ tt_assert(!string_is_valid_hostname("-torproject.org"));
+ tt_assert(!string_is_valid_hostname("subdomain.-domain.org"));
+ tt_assert(!string_is_valid_hostname("-subdomain.domain.org"));
++ tt_assert(!string_is_valid_hostname("___abc.org"));
+
+ // Hostnames cannot contain non-alphanumeric characters.
+ tt_assert(!string_is_valid_hostname("%%domain.\\org."));
+ tt_assert(!string_is_valid_hostname("***x.net"));
+- tt_assert(!string_is_valid_hostname("___abc.org"));
+ tt_assert(!string_is_valid_hostname("\xff\xffxyz.org"));
+ tt_assert(!string_is_valid_hostname("word1 word2.net"));
+
++ // Test workaround for nytimes.com stupidity, technically invalid,
++ // but we allow it since they are big, even though they are failing to
++ // comply with a ~30 year old standard.
++ tt_assert(string_is_valid_hostname("core3_euw1.fabrik.nytimes.com"));
++
+ // XXX: do we allow single-label DNS names?
+
+ done:
+--
+1.9.1
+
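Review bot: The new first-character check in `string_is_valid_hostname` rejects a leading '_' in every label, but the added doc note says only that '_' is allowed, and the tests cover the leading case for the first label alone (`___abc.org`). Because this validator decides which SOCKS destinations are accepted, the widened character set should be stated exactly, for example `Labels may contain '_' but, like '-', may not begin with it.` Adding `tt_assert(!string_is_valid_hostname("subdomain._domain.org"));` next to the existing '-' cases would pin the per-label rule. The condition also mixes `c[0] == '-'` with `*c == '_'`; one form for both would read more cleanly. The function body extends beyond the hunks shown, so this covers only the visible lines.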