[tor-bugs] #18938 [Core Tor/Tor]: Authorities should reject non-UTF-8 content in ExtraInfo descriptors

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Aug 30 02:39:17 UTC 2018 

#18938: Authorities should reject non-UTF-8 content in ExtraInfo descriptors
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:  neel
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  needs-proposal, tor-dirauth, needs-  |  duplicate
  spec, easy, 034-triage-20180328,               |  Actual Points:
  034-removed-20180328                           |
Parent ID:  #27367                               |         Points:  1
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by teor):

 * status:  assigned => closed
 * resolution:   => duplicate
 * parent:  #24033 => #27367


Comment:

 Hi,

 It turns out that the branch in #27367 already implements the extrainfo
 check.
 Would you like to review it? (Please put your review on #27367.)

 Please feel free to pick up any of the similar tickets that are children
 of #24033.

 I had answered some of your questions before I realised. I hope the
 answers are still helpful.

 Replying to [comment:38 neel]:
 > I have a few questions:
 >
 > 1. As prop285 already exists, I assume I don't need to make a proposal.
 Is this correct?

 You don't need to make a proposal. But please read prop285, and tell us if
 it doesn't make sense.

 The proposal also contains some extra rules on top of UTF-8 for:
 * C string compatibility, and
 * compatibility with older Tor versions that expect ASCII

 https://gitweb.torproject.org/torspec.git/tree/proposals/285-utf-8.txt#n70

 > ...
 > 4. I don't think there is any library for checking for UTF-8 text in
 Tor. Can I include external library from GitHub (I am thinking about using
 https://github.com/chansen/c-utf8-valid) and modify it to fit with Tor
 (meaning including it in `src/ext`, not linking to another library an
 adding a dependency)? Is there going to be a security issue with a third-
 party library?

 There's a branch in #27373 that implements a UTF-8 string check function.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18938#comment:39>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list