The client addr is essentially meaningless in this context (yes, it is
possible to explicitly `bind()` AF_LOCAL client side sockets to a path,
but no one does it, and there are better ways to grant that sort of
feature if people want it like using `SO_PASSCRED`).
--- /dev/null
+ o Minor bugfixes (client, unix domain sockets):
+ - Disable IsolateClientAddr when using AF_UNIX backed SocksPorts
+ as the client address is meaningless. Fixes bug 20261; bugfix on
+ 0.2.6.3-alpha.
another. Recognized isolation flags are:
**IsolateClientAddr**;;
Don't share circuits with streams from a different
- client address. (On by default and strongly recommended;
- you can disable it with **NoIsolateClientAddr**.)
+ client address. (On by default and strongly recommended when
+ supported; you can disable it with **NoIsolateClientAddr**.
+ Unsupported and force-disabled when using Unix domain sockets.)
**IsolateSOCKSAuth**;;
Don't share circuits with streams for which different
SOCKS authentication was provided. (On by default;
goto err;
}
+ if (unix_socket_path && (isolation & ISO_CLIENTADDR)) {
+ /* `IsolateClientAddr` is nonsensical in the context of AF_LOCAL.
+ * just silently remove the isolation flag.
+ */
+ isolation &= ~ISO_CLIENTADDR;
+ }
+
if (out && port) {
size_t namelen = unix_socket_path ? strlen(unix_socket_path) : 0;
port_cfg_t *cfg = port_cfg_new(namelen);
projects / thirdparty / tor.git / commitdiff
