From 8c2855527695a3525f018de128bd19c0350fed4f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 29 Aug 2016 15:59:28 -0400 Subject: [PATCH] check size of cookie file The documentation notes that the cookie file is always 32 bytes, and requires that any other size file not be used as an auth cookie. This is a very basic guard against tor asking for any file as a cookie. It's not sufficient to really secure the cookie auth method. This is a stopgap measure until SECURECOOKIE can be implemented. --- src/Network/Anonymous/Tor/Protocol.hs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/Network/Anonymous/Tor/Protocol.hs b/src/Network/Anonymous/Tor/Protocol.hs index 99c6f2e..786d67e 100644 --- a/src/Network/Anonymous/Tor/Protocol.hs +++ b/src/Network/Anonymous/Tor/Protocol.hs @@ -233,7 +233,11 @@ authenticate s = do readCookie :: Maybe FilePath -> IO HS.HexString readCookie Nothing = E.torError (E.mkTorError . E.protocolErrorType $ "No cookie path specified.") - readCookie (Just file) = return . HS.fromBytes =<< BS.readFile file + readCookie (Just file) = do + b <- BS.readFile file + if BS.length b == 32 + then return (HS.fromBytes b) + else E.torError (E.mkTorError . E.protocolErrorType $ "Invalid cookie file specified.") errorF :: Ast.Line -> Maybe E.TorErrorType errorF (Ast.Line 250 _) = Nothing
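Review bot: in `readCookie (Just file)`, the size check only runs after `b <- BS.readFile file` has pulled in the whole file, so a path naming a very large file, or one that never reaches end of file, is read in full (or blocks) before `BS.length b == 32` can reject it. Consider checking the file size before reading, or opening the file and reading at most 33 bytes, so that the rejection itself is bounded. The literal `32` would also be clearer as a named constant with a comment pointing at the documentation the commit message refers to. The error text "Invalid cookie file specified." could state that the size was wrong, so a caller can tell this case apart from other protocol errors.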