[tor-commits] [stem/master] ExitPolicy's behavior around 'strictness' was incorrect
atagar at torproject.org
atagar at torproject.org
Wed Jan 28 18:20:23 UTC 2015
commit db0518c03e2b79500a9132fa82e077fa978972fa
Author: Damian Johnson <atagar at torproject.org>
Date: Wed Jan 28 10:15:51 2015 -0800
ExitPolicy's behavior around 'strictness' was incorrect
Our docs state that...
* 'strict' is true: we can exit to *all* instances of the given address or port
* 'strict' is false: we can exit to *any* instances of the given address or port
Caught thanks to nskinkel...
https://trac.torproject.org/projects/tor/ticket/14314
---
docs/change_log.rst | 4 ++++
stem/exit_policy.py | 19 ++++++++++++++-----
test/unit/exit_policy/policy.py | 11 +++++++++++
test/unit/exit_policy/rule.py | 32 ++++++++++++++++----------------
4 files changed, 45 insertions(+), 21 deletions(-)
diff --git a/docs/change_log.rst b/docs/change_log.rst
index e60dd35..21c2105 100644
--- a/docs/change_log.rst
+++ b/docs/change_log.rst
@@ -49,6 +49,10 @@ performance
Stem also now runs directly under both python2 and python3 without a 2to3
conversion (:trac:`14075`).
+ * **Controller**
+
+ * The 'strict' argument of :func:`~stem.exit_policy.ExitPolicy.can_exit_to` didn't behave as documented (:trac:`14314`)
+
* **Descriptors**
* Lazy-loading descriptors, improving performance by 25-70% depending on what type it is (:trac:`14011`)
diff --git a/stem/exit_policy.py b/stem/exit_policy.py
index 53d0043..16f8721 100644
--- a/stem/exit_policy.py
+++ b/stem/exit_policy.py
@@ -748,14 +748,21 @@ class ExitPolicyRule(object):
if port is not None and not stem.util.connection.is_valid_port(port):
raise ValueError("'%s' isn't a valid port" % port)
+ # If we're not matching against an address or port but the rule has one
+ # then we're a fuzzy match. When that happens...
+ #
+ # * If strict and a reject rule then we're a match ('can exit to *all* instances').
+ # * If not strict and an accept rule then match ('an exit ot *any* instance').
+
+ fuzzy_match = False
+
if not self.is_address_wildcard():
# Already got the integer representation of our mask and our address
# with the mask applied. Just need to check if this address with the
# mask applied matches.
if address is None:
- if strict:
- return False
+ fuzzy_match = True
else:
comparison_addr_bin = int(stem.util.connection._get_address_binary(address), 2)
comparison_addr_bin &= self._get_mask_bin()
@@ -765,12 +772,14 @@ class ExitPolicyRule(object):
if not self.is_port_wildcard():
if port is None:
- if strict:
- return False
+ fuzzy_match = True
elif port < self.min_port or port > self.max_port:
return False
- return True
+ if fuzzy_match:
+ return strict != self.is_accept
+ else:
+ return True
def get_address_type(self):
"""
diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py
index d4eaa75..79f99e1 100644
--- a/test/unit/exit_policy/policy.py
+++ b/test/unit/exit_policy/policy.py
@@ -65,6 +65,17 @@ class TestExitPolicy(unittest.TestCase):
self.assertEqual(expected_result, policy.can_exit_to(ip_addr, index))
self.assertEqual(expected_result, policy.can_exit_to(port = index))
+ def test_can_exit_to_strictness(self):
+ # Check our 'strict' argument.
+
+ policy = ExitPolicy('reject 1.0.0.0/8:80', 'accept *:*')
+ self.assertEqual(False, policy.can_exit_to(None, 80, strict = True)) # can't exit to *all* instances of port 80
+ self.assertEqual(True, policy.can_exit_to(None, 80, strict = False)) # can exit to *an* instance of port 80
+
+ policy = ExitPolicy('accept 1.0.0.0/8:80', 'reject *:*')
+ self.assertEqual(False, policy.can_exit_to(None, 80, strict = True)) # can't exit to *all* instances of port 80
+ self.assertEqual(True, policy.can_exit_to(None, 80, strict = False)) # can exit to *an* instance of port 80
+
def test_is_exiting_allowed(self):
test_inputs = {
(): True,
diff --git a/test/unit/exit_policy/rule.py b/test/unit/exit_policy/rule.py
index 1661442..5458c10 100644
--- a/test/unit/exit_policy/rule.py
+++ b/test/unit/exit_policy/rule.py
@@ -239,10 +239,10 @@ class TestExitPolicyRule(unittest.TestCase):
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): False,
('192.168.0.1', None): True,
- (None, 80, False): True,
- (None, 80, True): False,
- (None, None, False): True,
- (None, None, True): False,
+ (None, 80, False): False,
+ (None, 80, True): True,
+ (None, None, False): False,
+ (None, None, True): True,
},
}
@@ -265,8 +265,8 @@ class TestExitPolicyRule(unittest.TestCase):
('192.168.0.50', 80): True,
('192.168.0.51', 80): False,
('192.168.0.49', 80): False,
- (None, 80, False): True,
- (None, 80, True): False,
+ (None, 80, False): False,
+ (None, 80, True): True,
('192.168.0.50', None): True,
},
'reject 0.0.0.0/24:*': {
@@ -276,8 +276,8 @@ class TestExitPolicyRule(unittest.TestCase):
('0.0.1.0', 80): False,
('0.1.0.0', 80): False,
('1.0.0.0', 80): False,
- (None, 80, False): True,
- (None, 80, True): False,
+ (None, 80, False): False,
+ (None, 80, True): True,
('0.0.0.0', None): True,
},
}
@@ -296,8 +296,8 @@ class TestExitPolicyRule(unittest.TestCase):
('[FE80:0000:0000:0000:0202:B3FF:FE1E:8329]', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8330', 80): False,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8328', 80): False,
- (None, 80, False): True,
- (None, 80, True): False,
+ (None, 80, False): False,
+ (None, 80, True): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None): True,
},
'reject [FE80:0000:0000:0000:0202:B3FF:FE1E:8329]/112:*': {
@@ -306,8 +306,8 @@ class TestExitPolicyRule(unittest.TestCase):
('FE80:0000:0000:0000:0202:B3FF:FE1E:FFFF', 80): True,
('FE80:0000:0000:0000:0202:B3FF:FE1F:8329', 80): False,
('FE81:0000:0000:0000:0202:B3FF:FE1E:8329', 80): False,
- (None, 80, False): True,
- (None, 80, True): False,
+ (None, 80, False): False,
+ (None, 80, True): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None, False): True,
('FE80:0000:0000:0000:0202:B3FF:FE1E:8329', None, True): True,
},
@@ -326,8 +326,8 @@ class TestExitPolicyRule(unittest.TestCase):
('192.168.0.50', 81): False,
('192.168.0.50', 79): False,
(None, 80): True,
- ('192.168.0.50', None, False): True,
- ('192.168.0.50', None, True): False,
+ ('192.168.0.50', None, False): False,
+ ('192.168.0.50', None, True): True,
},
'reject *:80-85': {
('192.168.0.50', 79): False,
@@ -336,8 +336,8 @@ class TestExitPolicyRule(unittest.TestCase):
('192.168.0.50', 85): True,
('192.168.0.50', 86): False,
(None, 83): True,
- ('192.168.0.50', None, False): True,
- ('192.168.0.50', None, True): False,
+ ('192.168.0.50', None, False): False,
+ ('192.168.0.50', None, True): True,
},
}
More information about the tor-commits
mailing list