Skip to content

check size of cookie file#12

Open
joeyh wants to merge 1 commit intosolatis:masterfrom
joeyh:master
Open

check size of cookie file#12
joeyh wants to merge 1 commit intosolatis:masterfrom
joeyh:master

Conversation

@joeyh
Copy link

@joeyh joeyh commented Aug 29, 2016

The documentation notes that the cookie file is always 32 bytes, and
requires that any other size file not be used as an auth cookie.

This is a very basic guard against tor asking for any file as a cookie.
It's not sufficient to really secure the cookie auth method. This is a
stopgap measure until SECURECOOKIE can be implemented.

@joeyh
check size of cookie file
8c28555 
The documentation notes that the cookie file is always 32 bytes, and
requires that any other size file not be used as an auth cookie.

This is a very basic guard against tor asking for any file as a cookie.
It's not sufficient to really secure the cookie auth method. This is a
stopgap measure until SECURECOOKIE can be implemented.
@sternenseemann
Copy link

sternenseemann commented Aug 29, 2016

I guess this solves the issue of #10 until the cookie auth method gets removed from tor eventually.

@joeyh
Copy link
Author

joeyh commented Aug 29, 2016

This does not solve the issue at all. The user could have a 32 byte secret file and tor could still read it. This is only a quick patch that reduces the attack space significantly, it's not a fix.

@sternenseemann
Copy link

sternenseemann commented Aug 29, 2016

Yeah of course but better than nothing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@joeyh @sternenseemann