X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/c29dbdffcb6f67812f823f1f844b87320cf6b437..2906182db398419a9c59a928b7ae73cf7c7aa307:/methods/connect.cc?ds=inline diff --git a/methods/connect.cc b/methods/connect.cc index 5612af6ec..f6fb14769 100644 --- a/methods/connect.cc +++ b/methods/connect.cc @@ -45,7 +45,6 @@ static struct addrinfo *LastHostAddr = 0; static struct addrinfo *LastUsed = 0; static std::vector SrvRecords; -static int LastSrvRecord = 0; // Set of IP/hostnames that we timed out before or couldn't resolve static std::set bad_addr; @@ -62,10 +61,25 @@ void RotateDNS() LastUsed = LastHostAddr; } /*}}}*/ +static bool ConnectionAllowed(char const * const Service, std::string const &Host)/*{{{*/ +{ + if (unlikely(Host.empty())) // the only legal empty host (RFC2782 '.' target) is detected by caller + return false; + if (APT::String::Endswith(Host, ".onion") && _config->FindB("Acquire::BlockDotOnion", true)) + { + // TRANSLATOR: %s is e.g. Tor's ".onion" which would likely fail or leak info (RFC7686) + _error->Error(_("Direct connection to %s domains is blocked by default."), ".onion"); + if (strcmp(Service, "http") == 0) + _error->Error(_("If you meant to use Tor remember to use %s instead of %s."), "tor+http", "http"); + return false; + } + return true; +} + /*}}}*/ // DoConnect - Attempt a connect operation /*{{{*/ // --------------------------------------------------------------------- /* This helper function attempts a connection to a single address. */ -static bool DoConnect(struct addrinfo *Addr,std::string Host, +static bool DoConnect(struct addrinfo *Addr,std::string const &Host, unsigned long TimeOut,int &Fd,pkgAcqMethod *Owner) { // Show a status indicator @@ -134,12 +148,13 @@ static bool DoConnect(struct addrinfo *Addr,std::string Host, return true; } /*}}}*/ - -// Connect to a given Hostname -bool ConnectToHostname(std::string Host,int Port,const char *Service, - int DefPort,int &Fd, - unsigned long TimeOut,pkgAcqMethod *Owner) +// Connect to a given Hostname /*{{{*/ +static bool ConnectToHostname(std::string const &Host, int const Port, + const char * const Service, int DefPort, int &Fd, + unsigned long const TimeOut, pkgAcqMethod * const Owner) { + if (ConnectionAllowed(Service, Host) == false) + return false; // Convert the port name/number char ServStr[300]; if (Port != 0) @@ -166,7 +181,16 @@ bool ConnectToHostname(std::string Host,int Port,const char *Service, struct addrinfo Hints; memset(&Hints,0,sizeof(Hints)); Hints.ai_socktype = SOCK_STREAM; - Hints.ai_flags = AI_ADDRCONFIG; + Hints.ai_flags = 0; +#ifdef AI_IDN + if (_config->FindB("Acquire::Connect::IDN", true) == true) + Hints.ai_flags |= AI_IDN; +#endif + // see getaddrinfo(3): only return address if system has such a address configured + // useful if system is ipv4 only, to not get ipv6, but that fails if the system has + // no address configured: e.g. offline and trying to connect to localhost. + if (_config->FindB("Acquire::Connect::AddrConfig", true) == true) + Hints.ai_flags |= AI_ADDRCONFIG; Hints.ai_protocol = 0; if(_config->FindB("Acquire::ForceIPv4", false) == true) @@ -269,27 +293,50 @@ bool Connect(std::string Host,int Port,const char *Service, if (_error->PendingError() == true) return false; + if (ConnectionAllowed(Service, Host) == false) + return false; + if(LastHost != Host || LastPort != Port) { SrvRecords.clear(); - if (_config->FindB("Acquire::EnableSrvRecods", true) == true) + if (_config->FindB("Acquire::EnableSrvRecords", true) == true) + { GetSrvRecords(Host, DefPort, SrvRecords); + // RFC2782 defines that a lonely '.' target is an abort reason + if (SrvRecords.size() == 1 && SrvRecords[0].target.empty()) + return _error->Error("SRV records for %s indicate that " + "%s service is not available at this domain", Host.c_str(), Service); + } } - // we have no SrvRecords for this host, connect right away - if(SrvRecords.size() == 0) - return ConnectToHostname(Host, Port, Service, DefPort, Fd, - TimeOut, Owner); + size_t stackSize = 0; // try to connect in the priority order of the srv records - while(SrvRecords.size() > 0) + std::string initialHost{std::move(Host)}; + while(SrvRecords.empty() == false) { + _error->PushToStack(); + ++stackSize; + // PopFromSrvRecs will also remove the server Host = PopFromSrvRecs(SrvRecords).target; - if(ConnectToHostname(Host, Port, Service, DefPort, Fd, TimeOut, Owner)) + auto const ret = ConnectToHostname(Host, Port, Service, DefPort, Fd, TimeOut, Owner); + if (ret) + { + while(stackSize--) + _error->RevertToStack(); return true; - - // we couldn't connect to this one, use the next - SrvRecords.erase(SrvRecords.begin()); + } } + Host = std::move(initialHost); - return false; + // we have no (good) SrvRecords for this host, connect right away + _error->PushToStack(); + ++stackSize; + auto const ret = ConnectToHostname(Host, Port, Service, DefPort, Fd, + TimeOut, Owner); + while(stackSize--) + if (ret) + _error->RevertToStack(); + else + _error->MergeWithStack(); + return ret; }