[Pkg-privacy-commits] [obfs4proxy] 62/151: Validate the host component of the proxy URI.

Ximin Luo infinity0 at moszumanska.debian.org
Sat Aug 22 12:59:39 UTC 2015 

This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch master
in repository obfs4proxy.

commit b3d17c327b3d0f8cfd3ebf91e776e1f99bb81004
Author: Yawning Angel <yawning at schwanenlied.me>
Date:   Sun May 25 08:20:20 2014 +0000

    Validate the host component of the proxy URI.
    
    Part of issue #7.
---
 obfs4proxy/pt_extra.go | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/obfs4proxy/pt_extra.go b/obfs4proxy/pt_extra.go
index 4d629e8..56e16cb 100644
--- a/obfs4proxy/pt_extra.go
+++ b/obfs4proxy/pt_extra.go
@@ -30,8 +30,10 @@ package main
 import (
 	"errors"
 	"fmt"
+	"net"
 	"net/url"
 	"os"
+	"strconv"
 
 	"git.torproject.org/pluggable-transports/goptlib"
 )
@@ -131,5 +133,36 @@ func ptGetProxy() (*url.URL, error) {
 		return nil, ptProxyError(fmt.Sprintf("proxy URI has invalid scheme: %s", spec.Scheme))
 	}
 
+	err = validateAddrStr(spec.Host)
+	if err != nil {
+		return nil, ptProxyError(fmt.Sprintf("proxy URI has invalid host: %s", err))
+	}
+
 	return spec, nil
 }
+
+// Sigh, pt.resolveAddr() isn't exported.  Include our own getto version that
+// doesn't work around #7011, because we don't work with pre-0.2.5.x tor, and
+// all we care about is validation anyway.
+func validateAddrStr(addrStr string) error {
+	ipStr, portStr, err := net.SplitHostPort(addrStr)
+	if err != nil {
+		return err
+	}
+
+	if ipStr == "" {
+		return net.InvalidAddrError(fmt.Sprintf("address string %q lacks a host part", addrStr))
+	}
+	if portStr == "" {
+		return net.InvalidAddrError(fmt.Sprintf("address string %q lacks a port part", addrStr))
+	}
+	if net.ParseIP(ipStr) == nil {
+		return net.InvalidAddrError(fmt.Sprintf("not an IP string: %q", ipStr))
+	}
+	_, err = strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return net.InvalidAddrError(fmt.Sprintf("not a Port string: %q", portStr))
+	}
+
+	return nil
+}

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/obfs4proxy.git

More information about the Pkg-privacy-commits mailing list