From: Robert Pluim <rpluim@gmail.com>
To: "J.P." <jp@neverwas.me>
Cc: Christopher Howard <christopher@librehacker.com>,
53941@debbugs.gnu.org, Stefan Kangas <stefankangas@gmail.com>,
larsi@gnus.org, Eli Zaretskii <eliz@gnu.org>,
gnuhacker@member.fsf.org
Subject: bug#53941: 27.2; socks + tor dont work with https
Date: Mon, 16 Sep 2024 15:34:19 +0200 [thread overview]
Message-ID: <87msk7k9ic.fsf@gmail.com> (raw)
In-Reply-To: <87ldzss6j5.fsf@neverwas.me> (J. P.'s message of "Sun, 15 Sep 2024 18:59:10 -0700")
>>>>> On Sun, 15 Sep 2024 18:59:10 -0700, "J.P." <jp@neverwas.me> said:
JP> As I've struggled to explain up thread, the DNS leakage issue is larger
JP> than any prospective integration, `nsm' or otherwise. But, for the sake
JP> of discussion, if we were to zoom in on that library in particular, the
JP> reason for the leakage should be pretty clear. AFAICT, the function
JP> `nsm-should-check' always performs a lookup in order to support the
JP> `nsm-trust-local-network' feature (original author Robert Cc'd). One
JP> possible workaround might be to rework the function slightly to prevent
JP> that, as shown in the first of the attached patches (0001).
More information hiding by default is a good thing. (Iʼm not the
original author, I just changed it to look at the actual local
addresses instead of hardcoding them)
JP> Anyway, to truly tackle this issue, I still contend we'd need to
JP> intercept calls to any glibc GAI-related functions and gate them with
JP> some kind of async-friendly mechanism (perhaps a process property) that
JP> suppresses their invocation for the lifetime of the process. The API
JP> could be as simple as:
JP> (make-network-process ... :nolookup t ...)
Iʼm not sure what suppressing DNS lookups would get us apart from more
failure modes, but I havenʼt thought about it deeply.
JP> But for this, we'd surely need help from someone familiar with that part
JP> of Emacs.
JP> * lisp/net/nsm.el (nsm-should-check): Rework in a functionally
JP> equivalent way, except forgo calling both `network-lookup-address-info'
JP> and `network-interface-list' unless the various conditions regarding
JP> `nsm-trust-local-network' are first satisfied. Replace `mapc' with
JP> `dolist' to align with modern sensibilities. (Bug#53941)
Careful now, somebody even more modern might come along and replace `dolist' with
`seq-do' ☺️
JP> ---
JP> lisp/net/nsm.el | 33 ++++++++++++---------------------
JP> 1 file changed, 12 insertions(+), 21 deletions(-)
JP> diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
JP> index e8fdb9b183b..a8a3abb6a2d 100644
JP> --- a/lisp/net/nsm.el
JP> +++ b/lisp/net/nsm.el
JP> @@ -226,27 +226,18 @@ nsm-should-check
JP> host address is a localhost address, or in the same subnet as one
JP> of the local interfaces, this function returns nil. Non-nil
JP> otherwise."
JP> - (let ((addresses (network-lookup-address-info host))
JP> - (network-interface-list (network-interface-list t))
JP> - (off-net t))
JP> - (when
JP> - (or (and (functionp nsm-trust-local-network)
JP> - (funcall nsm-trust-local-network))
JP> - nsm-trust-local-network)
JP> - (mapc
JP> - (lambda (ip)
JP> - (mapc
JP> - (lambda (info)
JP> - (let ((local-ip (nth 1 info))
JP> - (mask (nth 3 info)))
JP> - (when
JP> - (nsm-network-same-subnet (substring local-ip 0 -1)
JP> - (substring mask 0 -1)
JP> - (substring ip 0 -1))
JP> - (setq off-net nil))))
JP> - network-interface-list))
JP> - addresses))
JP> - off-net))
JP> + (not (and-let* (((or (and (functionp nsm-trust-local-network)
JP> + (funcall nsm-trust-local-network))
JP> + nsm-trust-local-network))
JP> + (addresses (network-lookup-address-info host))
JP> + (network-interface-list (network-interface-list t)))
JP> + (catch 'off-net
JP> + (dolist (ip addresses)
JP> + (dolist (info network-interface-list)
JP> + (when (nsm-network-same-subnet (substring (nth 1 info) 0 -1)
JP> + (substring (nth 3 info) 0 -1)
JP> + (substring ip 0 -1))
JP> + (throw 'off-net t))))))))
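Review bot: the leak fix in this hunk rests entirely on clause order inside `and-let*`: `(addresses (network-lookup-address-info host))` now sits after the `nsm-trust-local-network` clause, so the resolver is only consulted when the local-network feature is enabled, whereas the removed `let` resolved `host` unconditionally. A short comment above the `addresses` binding saying that the lookup must stay behind the trust check would stop a later tidy-up from hoisting it back out and quietly reintroducing the unconditional DNS query. On the same lines, `(throw 'off-net t)` fires when the host is on a local subnet, so the tag name reads inverted relative to the value it carries.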
Since youʼve inverted the test, you should probably invert the name of
`off-net'.
Robert
--
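The exchange above turns on one ordering question: whether `nsm-should-check` resolves the hostname before or after consulting `nsm-trust-local-network`. The following is an added Python model of that logic, not code from nsm.el or from anyone in this thread; it stands in a fake recording resolver and a constructed interface table for `network-lookup-address-info` and `network-interface-list`, so the leak (a resolver call that happens even when the feature is off) becomes an observable count rather than something inferred from reading the Lisp. The subnet test uses Python's `ipaddress` module in place of `nsm-network-same-subnet`.

```python
"""Model of the nsm-should-check lookup ordering from bug#53941.

Constructed example: the resolver, its answers and the interface list are
fakes so the two shapes of the function can be compared offline.
"""
import ipaddress
from typing import Callable, List, Tuple, Union

# Constructed answers for the fake resolver (not real hosts or addresses).
FAKE_DNS = {
    "intranet.example": ["192.168.1.20"],
    "example.org": ["93.184.216.34"],
}


class RecordingResolver:
    """Stand-in for the system resolver; every call is the side effect
    that leaks the destination when traffic is meant to go via a proxy."""

    def __init__(self) -> None:
        self.queries: List[str] = []

    def lookup(self, host: str) -> List[str]:
        self.queries.append(host)
        return FAKE_DNS.get(host, [])


# Constructed (address, netmask) pairs standing in for
# `(network-interface-list t)'.
LOCAL_INTERFACES = [("127.0.0.1", "255.0.0.0"), ("192.168.1.5", "255.255.255.0")]

TrustSetting = Union[bool, Callable[[], bool]]


def same_subnet(local_ip: str, mask: str, ip: str) -> bool:
    """Replacement for nsm-network-same-subnet using the ipaddress module."""
    net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
    return ipaddress.ip_address(ip) in net


def trust_local_network(setting: TrustSetting) -> bool:
    """nsm-trust-local-network may be a boolean or a predicate function."""
    return bool(setting()) if callable(setting) else bool(setting)


def should_check_leaky(host: str, resolver: RecordingResolver,
                       trust: TrustSetting) -> bool:
    """Pre-patch shape: resolve first, consult the setting afterwards."""
    addresses = resolver.lookup(host)          # always runs: the leak
    off_net = True
    if trust_local_network(trust):
        for ip in addresses:
            for local_ip, mask in LOCAL_INTERFACES:
                if same_subnet(local_ip, mask, ip):
                    off_net = False
    return off_net


def should_check_guarded(host: str, resolver: RecordingResolver,
                         trust: TrustSetting) -> bool:
    """Post-patch shape: the setting gates the lookup, so an unset
    feature never touches the resolver. Return value matches the old code."""
    if not trust_local_network(trust):
        return True
    addresses = resolver.lookup(host)
    for ip in addresses:
        for local_ip, mask in LOCAL_INTERFACES:
            if same_subnet(local_ip, mask, ip):
                return False                   # on a local subnet: skip checks
    return True


def leak_report(host: str, trust: TrustSetting) -> Tuple[int, int, bool]:
    """Run both shapes on fresh resolvers and return
    (queries by leaky version, queries by guarded version, results agree)."""
    leaky_res, guarded_res = RecordingResolver(), RecordingResolver()
    leaky = should_check_leaky(host, leaky_res, trust)
    guarded = should_check_guarded(host, guarded_res, trust)
    return len(leaky_res.queries), len(guarded_res.queries), leaky == guarded


if __name__ == "__main__":
    for host in FAKE_DNS:
        for trust in (False, True):
            print(host, trust, leak_report(host, trust))
```

With the feature disabled, `leak_report` shows one resolver query for the old shape and none for the guarded one while both return the same verdict; with it enabled, both shapes query once, which is the documented cost of `nsm-trust-local-network` rather than a leak.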