bug#53941: 27.2; socks + tor dont work with https

unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed

From: Robert Pluim <rpluim@gmail.com>
To: "J.P." <jp@neverwas.me>
Cc: Christopher Howard <christopher@librehacker.com>,
	53941@debbugs.gnu.org, Stefan Kangas <stefankangas@gmail.com>,
	larsi@gnus.org, Eli Zaretskii <eliz@gnu.org>,
	gnuhacker@member.fsf.org
Subject: bug#53941: 27.2; socks + tor dont work with https
Date: Mon, 16 Sep 2024 15:34:19 +0200	[thread overview]
Message-ID: <87msk7k9ic.fsf@gmail.com> (raw)
In-Reply-To: <87ldzss6j5.fsf@neverwas.me> (J. P.'s message of "Sun, 15 Sep 2024 18:59:10 -0700")

>>>>> On Sun, 15 Sep 2024 18:59:10 -0700, "J.P." <jp@neverwas.me> said:

    JP> As I've struggled to explain up thread, the DNS leakage issue is larger
    JP> than any prospective integration, `nsm' or otherwise. But, for the sake
    JP> of discussion, if we were to zoom in on that library in particular, the
    JP> reason for the leakage should be pretty clear. AFAICT, the function
    JP> `nsm-should-check' always performs a lookup in order to support the
    JP> `nsm-trust-local-network' feature (original author Robert Cc'd). One
    JP> possible workaround might be to rework the function slightly to prevent
    JP> that, as shown in the first of the attached patches (0001).

More information hiding by default is a good thing. (Iʼm not the
original author, I just changed it to look at the actual local
addresses instead of hardcoding them)

    JP> Anyway, to truly tackle this issue, I still contend we'd need to
    JP> intercept calls to any glibc GAI-related functions and gate them with
    JP> some kind of async-friendly mechanism (perhaps a process property) that
    JP> suppresses their invocation for the lifetime of the process. The API
    JP> could be as simple as:

    JP>   (make-network-process ... :nolookup t ...)

Iʼm not sure what suppressing DNS lookups would get us apart from more
failure modes, but I havenʼt thought about it deeply.

    JP> But for this, we'd surely need help from someone familiar with that part
    JP> of Emacs.

    JP> * lisp/net/nsm.el (nsm-should-check): Rework in a functionally
    JP> equivalent way, except forgo calling both `network-lookup-address-info'
    JP> and `network-interface-list' unless the various conditions regarding
    JP> `nsm-trust-local-network' are first satisfied.  Replace `mapc' with
    JP> `dolist' to align with modern sensibilities.   (Bug#53941)

Careful now, somebody even more modern might come along and replace `dolist' with
`seq-do' ☺️

    JP> ---
    JP>  lisp/net/nsm.el | 33 ++++++++++++---------------------
    JP>  1 file changed, 12 insertions(+), 21 deletions(-)

    JP> diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
    JP> index e8fdb9b183b..a8a3abb6a2d 100644
    JP> --- a/lisp/net/nsm.el
    JP> +++ b/lisp/net/nsm.el
    JP> @@ -226,27 +226,18 @@ nsm-should-check
    JP>  host address is a localhost address, or in the same subnet as one
    JP>  of the local interfaces, this function returns nil.  Non-nil
    JP>  otherwise."
    JP> -  (let ((addresses (network-lookup-address-info host))
    JP> -        (network-interface-list (network-interface-list t))
    JP> -        (off-net t))
    JP> -    (when
    JP> -     (or (and (functionp nsm-trust-local-network)
    JP> -              (funcall nsm-trust-local-network))
    JP> -         nsm-trust-local-network)
    JP> -     (mapc
    JP> -      (lambda (ip)
    JP> -        (mapc
    JP> -         (lambda (info)
    JP> -           (let ((local-ip (nth 1 info))
    JP> -                 (mask (nth 3 info)))
    JP> -             (when
    JP> -                 (nsm-network-same-subnet (substring local-ip 0 -1)
    JP> -                                          (substring mask 0 -1)
    JP> -                                          (substring ip 0 -1))
    JP> -               (setq off-net nil))))
    JP> -         network-interface-list))
    JP> -      addresses))
    JP> -     off-net))
    JP> +  (not (and-let* (((or (and (functionp nsm-trust-local-network)
    JP> +                            (funcall nsm-trust-local-network))
    JP> +                       nsm-trust-local-network))
    JP> +                  (addresses (network-lookup-address-info host))
    JP> +                  (network-interface-list (network-interface-list t)))
    JP> +         (catch 'off-net
    JP> +           (dolist (ip addresses)
    JP> +             (dolist (info network-interface-list)
    JP> +               (when (nsm-network-same-subnet (substring (nth 1 info) 0 -1)
    JP> +                                              (substring (nth 3 info) 0 -1)
    JP> +                                              (substring ip 0 -1))
    JP> +                 (throw 'off-net t))))))))

Since youʼve inverted the test, you should probably invert the name of
`off-net'.

Robert
--

next prev parent reply	other threads:[~2024-09-16 13:34 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-11 11:09 bug#53941: 27.2; socks + tor dont work with https Jacobo
2022-02-14 12:37 ` J.P.
2022-02-19 21:04   ` Jacobo
2022-02-21 15:01     ` J.P.
2022-03-01 14:29       ` J.P.
2022-03-02  2:37         ` J.P.
2022-03-06  2:40           ` Jacobo
2022-03-06  2:58             ` J.P.
2022-03-07  7:09               ` J.P.
2022-03-10  8:58                 ` J.P.
2022-11-28 15:30                   ` bug#53941: Last-minute socks.el improvements for Emacs 29? J.P.
2022-11-28 17:12                     ` Eli Zaretskii
2022-11-29 14:24                       ` J.P.
2022-11-29 14:36                         ` Eli Zaretskii
2023-09-06 22:25                           ` bug#53941: 27.2; socks + tor dont work with https Stefan Kangas
2023-09-07  5:53                             ` Eli Zaretskii
2023-09-07 13:25                               ` J.P.
2023-09-07 13:47                                 ` Stefan Kangas
2023-09-08  2:55                                   ` J.P.
2023-09-08 11:04                                     ` Stefan Kangas
2023-10-18 13:38                                     ` J.P.
2023-12-19 16:29                                       ` J.P.
2023-09-08 13:28                                 ` J.P.
2023-09-09 14:05                                   ` J.P.
2024-08-23 21:46 ` Christopher Howard
2024-09-14 13:33   ` Stefan Kangas
2024-09-16  1:59     ` J.P.
2024-09-16 13:34       ` Robert Pluim [this message]
2024-09-17  1:52         ` J.P.
2024-09-17  7:29           ` Robert Pluim
2024-09-17 12:41             ` Eli Zaretskii
2024-09-17 13:54               ` Robert Pluim
2024-09-18  1:10                 ` J.P.

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87msk7k9ic.fsf@gmail.com \
    --to=rpluim@gmail.com \
    --cc=53941@debbugs.gnu.org \
    --cc=christopher@librehacker.com \
    --cc=eliz@gnu.org \
    --cc=gnuhacker@member.fsf.org \
    --cc=jp@neverwas.me \
    --cc=larsi@gnus.org \
    --cc=stefankangas@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).