Doing a direct connect to an .onion address (if you don't happen to use
it as a local domain, which you shouldn't) is bound to fail and does
leak the information that you do use Tor and which hidden service you
wanted to connect to to a DNS server. Worse, if the DNS is poisoned and
actually resolves tricking a user into believing the setup would work
correctly…
This does block also the usage of wrappers like torsocks with apt, but
with native support available and advertised in the error message this
shouldn't really be an issue.
Inspired-by: https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
LastUsed = LastHostAddr;
}
/*}}}*/
LastUsed = LastHostAddr;
}
/*}}}*/
+static bool ConnectionAllowed(char const * const Service, std::string const &Host)/*{{{*/
+{
+ if (APT::String::Endswith(Host, ".onion") && _config->FindB("Acquire::BlockDotOnion", true))
+ {
+ // TRANSLATOR: %s is e.g. Tor's ".onion" which would likely fail or leak info (RFC7686)
+ _error->Error(_("Direct connection to %s domains is blocked by default."), ".onion");
+ if (strcmp(Service, "http") == 0)
+ _error->Error(_("If you meant to use Tor remember to use %s instead of %s."), "tor+http", "http");
+ return false;
+ }
+ return true;
+}
+ /*}}}*/
// DoConnect - Attempt a connect operation /*{{{*/
// ---------------------------------------------------------------------
/* This helper function attempts a connection to a single address. */
// DoConnect - Attempt a connect operation /*{{{*/
// ---------------------------------------------------------------------
/* This helper function attempts a connection to a single address. */
-static bool DoConnect(struct addrinfo *Addr,std::string Host,
+static bool DoConnect(struct addrinfo *Addr,std::string const &Host,
unsigned long TimeOut,int &Fd,pkgAcqMethod *Owner)
{
// Show a status indicator
unsigned long TimeOut,int &Fd,pkgAcqMethod *Owner)
{
// Show a status indicator
const char * const Service, int DefPort, int &Fd,
unsigned long const TimeOut, pkgAcqMethod * const Owner)
{
const char * const Service, int DefPort, int &Fd,
unsigned long const TimeOut, pkgAcqMethod * const Owner)
{
+ if (ConnectionAllowed(Service, Host) == false)
+ return false;
// Convert the port name/number
char ServStr[300];
if (Port != 0)
// Convert the port name/number
char ServStr[300];
if (Port != 0)
if (_error->PendingError() == true)
return false;
if (_error->PendingError() == true)
return false;
+ if (ConnectionAllowed(Service, Host) == false)
+ return false;
+
if(LastHost != Host || LastPort != Port)
{
SrvRecords.clear();
if(LastHost != Host || LastPort != Port)
{
SrvRecords.clear();
--- /dev/null
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+
+setupenvironment
+
+cd downloaded
+testfailureequal 'Err:1 http://vwakviie2ienjx6t.onion/
+ Direct connection to .onion domains is blocked by default. If you meant to use Tor remember to use tor+http instead of http.
+E: Failed to fetch http://vwakviie2ienjx6t.onion/ Direct connection to .onion domains is blocked by default. If you meant to use Tor remember to use tor+http instead of http.
+E: Download Failed' apthelper download-file 'http://vwakviie2ienjx6t.onion/' ftp.debian.org.html
projects / apt.git / commitdiff
