Refuse to resolve the .onion TLD. #10705

Conversation
I'll fix up that CI after some sleep. 😄
I haven't had time to read this one yet, but we've been down this rabbit hole before so it's worth making sure we're not repeating issues discovered in #5159
55e60e6 to 8b20956
The following is still technically an issue here:
While that's strictly correct, how many people are actually using two subdomains and relying on DNS search suffixes to fill in the rest? 😛

On a more serious note, to actually be RFC compliant we should never request a DNS lookup for a request ending in

A bug report from a user who reported that they could sometimes make curl resolve

Edit: Can't see any other obvious issues when compared to the other PR; this is a far simpler implementation. I'm a terrible C (and particularly C89) coder though, so any feedback is welcome.

Edit the second: Bedtime thought,
Results of my investigation from Gentoo Bugzilla:
Yes!
cf2600d to 9522cbd
If I understand test syntax correctly this is looking pretty good now. I'm not sure about checking the

Happy to address any feedback you may have!
I'll see what I can do about that over the weekend!
ea9874e to cd0a5c7
RFC 7686 states that:

> Applications that do not implement the Tor
> protocol SHOULD generate an error upon the use of .onion and
> SHOULD NOT perform a DNS lookup.

Let's do that.

See curl#543
https://www.rfc-editor.org/rfc/rfc7686#section-2
Thanks!
curl bails out early with a different error message if http support is compiled out. Ref: #10705
RFC 7686 states that:

> Applications that do not implement the Tor
> protocol SHOULD generate an error upon the use of .onion and
> SHOULD NOT perform a DNS lookup.

Let's do that.

https://www.rfc-editor.org/rfc/rfc7686#section-2

Add test 1471 and 1472 to verify

Fixes curl#543
Closes curl#10705
curl bails out early with a different error message if http support is compiled out. Ref: curl#10705
RFC 7686 states that:
Let's do that.
See #543
https://www.rfc-editor.org/rfc/rfc7686#section-2
I'm certain that this will inconvenience some people; I feel that any inconvenience is far outweighed by the benefits for those using (or trying to use) Tor.
I initially made this change into a default-on feature but decided against it. We're not Tor-aware, we should just refuse to resolve the .onion TLD. If there's interest in making this a feature I'm willing to go back and do that so that anyone with a valid use case will be able to disable RFC 7686 protections while those that need to be sure that we won't accidentally leak information can clearly see that their binary has this 'feature'.
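One way to implement the refusal this PR describes, as an added illustration that is not the PR's or curl's own code: the check runs on the literal host name before any resolver call, is case-insensitive, and treats the absolute form with a trailing root dot as the same name. `tail_matches`, `is_onion_name` and `resolve_or_refuse` are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive test that the last suflen bytes of host equal suffix;
 * DNS names are case-insensitive, so ".ONION" must be caught too. */
static int tail_matches(const char *host, size_t hostlen,
                        const char *suffix, size_t suflen)
{
  size_t i;
  if(hostlen < suflen)
    return 0;
  host += hostlen - suflen;
  for(i = 0; i < suflen; i++)
    if(tolower((unsigned char)host[i]) != tolower((unsigned char)suffix[i]))
      return 0;
  return 1;
}

/* 1 when host lies under the .onion special-use TLD, else 0. A trailing
 * root dot ("example.onion.") names the same host and is stripped first;
 * at least one label must precede ".onion", so a bare "onion" is not one. */
int is_onion_name(const char *host)
{
  size_t len = strlen(host);
  if(len && host[len - 1] == '.')
    len--;
  return len >= 7 && tail_matches(host, len, ".onion", 6);
}

/* Hypothetical resolver front-end (example code): the check runs on the
 * literal name the user gave, before any lookup, so neither it nor a
 * search-suffix expansion of it ever reaches a DNS server.
 * Returns 0 to proceed with resolution, -1 when the name is refused. */
int resolve_or_refuse(const char *host)
{
  if(is_onion_name(host)) {
    fprintf(stderr, "refusing to resolve %s (RFC 7686)\n", host);
    return -1;
  }
  return 0; /* a real implementation would call getaddrinfo() here */
}
```

Names such as `foo.onion.example.com` are ordinary domains and still resolve; only names whose last label is `onion` are stopped.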