[or-cvs] r24236: {arm} fix: Relay may have exiting dns queries if it allows exiting (arm/trunk/src/util)
Damian Johnson
atagar1 at gmail.com
Fri Feb 18 02:54:31 UTC 2011
Author: atagar
Date: 2011-02-18 02:54:30 +0000 (Fri, 18 Feb 2011)
New Revision: 24236
Modified:
arm/trunk/src/util/torTools.py
Log:
fix: Relay may have exiting dns queries if it allows exiting of any kind.
Modified: arm/trunk/src/util/torTools.py
===================================================================
--- arm/trunk/src/util/torTools.py 2011-02-16 22:39:31 UTC (rev 24235)
+++ arm/trunk/src/util/torTools.py 2011-02-18 02:54:30 UTC (rev 24236)
@@ -252,6 +252,7 @@
self.lastHeartbeat = 0 # time of the last tor event
self._exitPolicyChecker = None
+ self._isExitingAllowed = False
self._exitPolicyLookupCache = {} # mappings of ip/port tuples to if they were accepted by the policy or not
# Logs issues and notices when fetching the path prefix if true. This is
@@ -300,6 +301,7 @@
self._nicknameLookupCache = {}
self._exitPolicyChecker = self.getExitPolicy()
+ self._isExitingAllowed = self._exitPolicyChecker.isExitingAllowed()
self._exitPolicyLookupCache = {}
# sets the events listened for by the new controller (incompatible events
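Review bot: The exit-policy cache refresh is now a three-statement sequence that this hunk and the `exitpolicy` branch of the later hunk (`@@ -568,6 +570,7 @@`) repeat verbatim: `self._exitPolicyChecker = self.getExitPolicy()`, `self._isExitingAllowed = self._exitPolicyChecker.isExitingAllowed()`, `self._exitPolicyLookupCache = {}`. Keeping the three in step by hand is how a future caller ends up with a stale `_isExitingAllowed` next to a fresh checker; a private `_resetExitPolicyCache(self)` helper called from both places would remove that risk. It is not visible here whether `getExitPolicy()` can ever return `None`; if it can, the new `.isExitingAllowed()` call raises `AttributeError` on that path, so the helper is also the natural place for a `None` guard. The enclosing method starts and ends outside this hunk.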
@@ -568,6 +570,7 @@
# special caches for the exit policy
if param.lower() == "exitpolicy":
self._exitPolicyChecker = self.getExitPolicy()
+ self._isExitingAllowed = self._exitPolicyChecker.isExitingAllowed()
self._exitPolicyLookupCache = {}
except (socket.error, TorCtl.ErrorReply, TorCtl.TorCtlClosed), exc:
if type(exc) == TorCtl.TorCtlClosed: self.close()
@@ -746,7 +749,11 @@
if self.isAlive():
# query the policy if it isn't yet cached
if not (ipAddress, port) in self._exitPolicyLookupCache:
- isAccepted = self._exitPolicyChecker.check(ipAddress, port)
+ # If we allow any exiting then this could be relayed DNS queries,
+ # otherwise the policy is checked.
+
+ if self._isExitingAllowed and port == "53": isAccepted = True
+ else: isAccepted = self._exitPolicyChecker.check(ipAddress, port)
self._exitPolicyLookupCache[(ipAddress, port)] = isAccepted
result = self._exitPolicyLookupCache[(ipAddress, port)]
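Review bot: The new `port == "53"` test only matches when `port` is a string, and nothing in the hunk shows how callers pass it; if any caller passes an int the DNS branch silently never fires and the old behaviour remains. Normalising the comparison, `if self._isExitingAllowed and str(port) == "53": isAccepted = True`, makes the fix independent of the caller's type. Note too that the `True` stored in `_exitPolicyLookupCache` for a port-53 destination is a heuristic, not a policy decision, yet it is cached alongside real `check()` results; a comment such as `# cached value for port 53 is a relayed-DNS heuristic, not the policy verdict` would keep later readers of the cache from treating it as authoritative. The enclosing method starts and ends outside this hunk.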
@@ -1616,6 +1623,16 @@
if self.isIpWildcard and self.isPortWildcard:
self.nextRule = None
+ def isExitingAllowed(self):
+ """
+ Provides true if the policy allows exiting whatsoever, false otherwise.
+ """
+
+ if self.isAccept: return True
+ elif self.isIpWildcard and self.isPortWildcard: return False
+ elif not self.nextRule: return False # fell off policy (shouldn't happen)
+ else: return self.nextRule.isExitingAllowed()
+
def check(self, ipAddress, port):
"""
Checks if the rule chain allows exiting to this address, returning true if
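Review bot: `isExitingAllowed` walks the rule chain by recursion, one Python frame per rule, so a long exit policy costs as many stack frames as it has rules; an iterative walk gives the same result without that dependence on chain length. The `elif` chain also reads as four separate cases where only two decide anything (an accept rule, or a catch-all reject), with the `not self.nextRule` case being the loop's natural termination. If `check` (which starts at the end of this hunk and continues outside it) uses the same recursive pattern it may be worth keeping the two consistent, so this is a style point rather than a defect; the rewrite below is the loop form.
```python
def isExitingAllowed(self):
  """
  Provides true if the policy allows exiting whatsoever, false otherwise.
  """

  rule = self
  while rule:
    if rule.isAccept: return True
    elif rule.isIpWildcard and rule.isPortWildcard: return False
    rule = rule.nextRule
  return False # fell off policy (shouldn't happen)
```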