GNU bug report logs - #53941
27.2; socks + tor dont work with https


Package: emacs

Reported by: Jacobo <gnuhacker <at> member.fsf.org>

Date: Fri, 11 Feb 2022 14:32:01 UTC

Severity: normal

Tags: patch

Found in version 27.2


From: Robert Pluim <rpluim <at> gmail.com>
To: "J.P." <jp <at> neverwas.me>
Cc: Christopher Howard <christopher <at> librehacker.com>, 53941 <at> debbugs.gnu.org, Stefan Kangas <stefankangas <at> gmail.com>, larsi <at> gnus.org, Eli Zaretskii <eliz <at> gnu.org>, gnuhacker <at> member.fsf.org
Subject: bug#53941: 27.2; socks + tor dont work with https
Date: Mon, 16 Sep 2024 15:34:19 +0200
>>>>> On Sun, 15 Sep 2024 18:59:10 -0700, "J.P." <jp <at> neverwas.me> said:

    JP> As I've struggled to explain up thread, the DNS leakage issue is larger
    JP> than any prospective integration, `nsm' or otherwise. But, for the sake
    JP> of discussion, if we were to zoom in on that library in particular, the
    JP> reason for the leakage should be pretty clear. AFAICT, the function
    JP> `nsm-should-check' always performs a lookup in order to support the
    JP> `nsm-trust-local-network' feature (original author Robert Cc'd). One
    JP> possible workaround might be to rework the function slightly to prevent
    JP> that, as shown in the first of the attached patches (0001).

More information hiding by default is a good thing. (Iʼm not the
original author, I just changed it to look at the actual local
addresses instead of hardcoding them)

    JP> Anyway, to truly tackle this issue, I still contend we'd need to
    JP> intercept calls to any glibc GAI-related functions and gate them with
    JP> some kind of async-friendly mechanism (perhaps a process property) that
    JP> suppresses their invocation for the lifetime of the process. The API
    JP> could be as simple as:

    JP>   (make-network-process ... :nolookup t ...)

Iʼm not sure what suppressing DNS lookups would get us apart from more
failure modes, but I havenʼt thought about it deeply.

    JP> But for this, we'd surely need help from someone familiar with that part
    JP> of Emacs.

    JP> * lisp/net/nsm.el (nsm-should-check): Rework in a functionally
    JP> equivalent way, except forgo calling both `network-lookup-address-info'
    JP> and `network-interface-list' unless the various conditions regarding
    JP> `nsm-trust-local-network' are first satisfied.  Replace `mapc' with
    JP> `dolist' to align with modern sensibilities.   (Bug#53941)

Careful now, somebody even more modern might come along and replace `dolist' with
`seq-do' ☺️

    JP> ---
    JP>  lisp/net/nsm.el | 33 ++++++++++++---------------------
    JP>  1 file changed, 12 insertions(+), 21 deletions(-)

    JP> diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
    JP> index e8fdb9b183b..a8a3abb6a2d 100644
    JP> --- a/lisp/net/nsm.el
    JP> +++ b/lisp/net/nsm.el
    JP> @@ -226,27 +226,18 @@ nsm-should-check
    JP>  host address is a localhost address, or in the same subnet as one
    JP>  of the local interfaces, this function returns nil.  Non-nil
    JP>  otherwise."
    JP> -  (let ((addresses (network-lookup-address-info host))
    JP> -        (network-interface-list (network-interface-list t))
    JP> -        (off-net t))
    JP> -    (when
    JP> -     (or (and (functionp nsm-trust-local-network)
    JP> -              (funcall nsm-trust-local-network))
    JP> -         nsm-trust-local-network)
    JP> -     (mapc
    JP> -      (lambda (ip)
    JP> -        (mapc
    JP> -         (lambda (info)
    JP> -           (let ((local-ip (nth 1 info))
    JP> -                 (mask (nth 3 info)))
    JP> -             (when
    JP> -                 (nsm-network-same-subnet (substring local-ip 0 -1)
    JP> -                                          (substring mask 0 -1)
    JP> -                                          (substring ip 0 -1))
    JP> -               (setq off-net nil))))
    JP> -         network-interface-list))
    JP> -      addresses))
    JP> -     off-net))
    JP> +  (not (and-let* (((or (and (functionp nsm-trust-local-network)
    JP> +                            (funcall nsm-trust-local-network))
    JP> +                       nsm-trust-local-network))
    JP> +                  (addresses (network-lookup-address-info host))
    JP> +                  (network-interface-list (network-interface-list t)))
    JP> +         (catch 'off-net
    JP> +           (dolist (ip addresses)
    JP> +             (dolist (info network-interface-list)
    JP> +               (when (nsm-network-same-subnet (substring (nth 1 info) 0 -1)
    JP> +                                              (substring (nth 3 info) 0 -1)
    JP> +                                              (substring ip 0 -1))
    JP> +                 (throw 'off-net t))))))))
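
Review bot: the guard in the first three added lines still passes when `nsm-trust-local-network` holds a function that returns nil, because the `or` falls through to the variable itself, which is non-nil whenever it holds a function. In that case `network-lookup-address-info` is still called and a same-subnet host still makes the function return nil, so the lookup this change is meant to avoid happens anyway. The removed lines carry the same condition, so this is inherited rather than introduced, but it is worth fixing here; consider `(if (functionp nsm-trust-local-network) (funcall nsm-trust-local-network) nsm-trust-local-network)` as the first clause.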

Since youʼve inverted the test, you should probably invert the name of
`off-net'.

Robert
-- 




This bug report was last modified 274 days ago.