Opened 8 years ago

Closed 7 years ago

#4303 closed project (fixed)

Tor controllers should check the length of authentication-cookie files

Reported by: rransom Owned by:
Priority: High Milestone:
Component: Torctl Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by karsten)

Right now, our Tor controllers will send any file readable by the user to whatever is listening to the control port they try to connect to (usually 127.0.0.1:9051). This sucks. They should only send any file that is exactly 32 bytes long and readable by the user to whatever is listening on that port. (Hopefully no one stores AES-256, Salsa20, or Curve25519 secret keys (or other actually sensitive pieces of data) in raw 32-byte binary files.)


Child Tickets

| Ticket | Status | Owner | Summary | Component |
|--------|--------|-------|---------|-----------|
| #4304 | closed | chiiph | Vidalia should check the length of authentication-cookie files | Archived/Vidalia |
| #4305 | closed | atagar | arm should check the length of authentication-cookie files | Core Tor/Nyx |
| #4306 | closed | | PyTorCtl should check the length of authentication-cookie files | Torctl |
| #4307 | closed | | control-spec.txt should say that controllers should check the length of authentication-cookie files | Core Tor/Tor |
| #4308 | closed | katmagic | RTorCtl should check the length of authentication-cookie files | - Select a component |
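
An added example of the length check the description asks for, written in Python; it is not code from the ticket or from any of the controllers named in the child tickets. The names `read_auth_cookie`, `CookieRejected` and `check_sample` are hypothetical, the sample file contents are constructed, and the example goes slightly beyond the ticket by also rejecting anything that is not a regular file.

```python
import os
import stat
import tempfile

COOKIE_LEN = 32  # size the ticket says a cookie file must have


class CookieRejected(Exception):
    """The file is not a plausible authentication cookie."""


def read_auth_cookie(path):
    """Return the cookie bytes, or raise CookieRejected without exposing contents."""
    # O_NONBLOCK keeps open() from hanging if the path is a FIFO.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NONBLOCK", 0))
    try:
        st = os.fstat(fd)  # stat the opened descriptor, not the path (no check/open race)
        if not stat.S_ISREG(st.st_mode):
            raise CookieRejected("not a regular file")
        if st.st_size != COOKIE_LEN:
            raise CookieRejected("size is %d bytes, expected %d" % (st.st_size, COOKIE_LEN))
        data = os.read(fd, COOKIE_LEN + 1)  # one extra byte detects a file that grew
    finally:
        os.close(fd)
    if len(data) != COOKIE_LEN:
        raise CookieRejected("read %d bytes, expected %d" % (len(data), COOKIE_LEN))
    return data


def check_sample(contents):
    """Write constructed contents to a temp file and report whether it is accepted."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(contents)
    try:
        return read_auth_cookie(f.name) == contents
    except CookieRejected:
        return False
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print(check_sample(os.urandom(32)))                 # constructed 32-byte cookie
    print(check_sample(b"-----BEGIN KEY-----\n" * 20))  # constructed non-cookie file
```

A controller would call `read_auth_cookie` on the configured cookie path and only send the returned bytes to the control port; any `CookieRejected` means nothing from the file leaves the process.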

Change History (8)

comment:1 in reply to:  description Changed 8 years ago by rransom

Type: task → project

Replying to rransom:

Marking this as a ‘task’, not a ‘defect’, so it'll get a child ticket list.

Hmm. Let's try ‘project’ then.

comment:2 Changed 8 years ago by phobos

This probably doesn't belong in Company. Perhaps Tor Client?

comment:3 Changed 8 years ago by karsten

Description: modified (diff)
Type: project → defect

Changed ticket type to defect and added child ticket list to the description.

comment:4 Changed 8 years ago by phobos

Component: Company → Torctl

comment:5 Changed 8 years ago by phobos

Owner: phobos deleted
Status: new → assigned

comment:6 Changed 8 years ago by nickm

Type: defect → project

Changing this to "project" so I can edit a child ticket. Bug #4435 again.

comment:8 Changed 7 years ago by atagar

Resolution: fixed
Status: assigned → closed

Child tickets have all been resolved. Closing this one.
