author | rofl0r <retnyg@gmx.net> | 2018-12-31 22:25:04 +0000 |
---|---|---|
committer | rofl0r <rofl0r@users.noreply.github.com> | 2019-12-21 00:43:45 +0000 |
commit | cd005a94cec38e73ca796f1d142c193f48aaa27f (patch) | |
tree | 5d52094f8d2b207d5ae851fa86c1e86da498394d /src/Makefile.am | |
parent | f6d4da5d81694721bf50b2275621e7ce84e6da30 (diff) |
implement detection and denial of endless connection loops

it is quite easy to bring down a proxy server by forcing it to make
connections to one of its own ports, because this will result in an endless
loop spawning more and more connections, until all available fds are exhausted.

since there's a potentially infinite number of potential DNS/ip addresses
resolving to the proxy, it is impossible to detect an endless loop by simply
looking at the destination ip address and port.

what *is* possible though is to record the ip/port tuples assigned to outgoing
connections, and then compare them against new incoming connections. if they
match, the sender was the proxy itself and therefore needs to reject that
connection.

fixes #199.
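
The tuple check described in the commit message, as an added sketch in C. It is not tinyproxy's own loop.c, which this page does not show. The function names, the fixed-size table and the sample addresses are assumptions. It goes beyond the message in one respect: IPv4 addresses are stored in IPv4-mapped form, so an IPv4 outgoing socket still matches when a dual-stack listener reports the peer as IPv6.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define MAX_OUT 64                       /* assumed table size for this sketch */
static unsigned char tab[MAX_OUT][18];   /* keys of our own outgoing sockets */
static int used[MAX_OUT];
/* Key = 16 address bytes + 2 port bytes; IPv4 is stored as ::ffff:a.b.c.d. */
static int to_key(const struct sockaddr *sa, unsigned char k[18]) {
    const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
    const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
    memset(k, 0, 18);
    if (sa->sa_family == AF_INET) {
        k[10] = k[11] = 0xff;
        memcpy(k + 12, &in->sin_addr, 4);
        memcpy(k + 16, &in->sin_port, 2);
    } else if (sa->sa_family == AF_INET6) {
        memcpy(k, &in6->sin6_addr, 16);
        memcpy(k + 16, &in6->sin6_port, 2);
    } else return -1;                    /* other families are never matched */
    return 0;
}
/* Slot holding key k, or the first free slot when k is NULL; -1 if none. */
static int find(const unsigned char *k) {
    for (int i = 0; i < MAX_OUT; i++)
        if (k ? used[i] && !memcmp(tab[i], k, 18) : !used[i]) return i;
    return -1;
}
/* After connect(): pass the local address getsockname() returned. */
int loop_record(const struct sockaddr *local) {
    unsigned char k[18]; int i;
    if (to_key(local, k) != 0 || (i = find(NULL)) < 0) return -1;
    memcpy(tab[i], k, 18); used[i] = 1;
    return 0;
}
/* After accept(): 1 if the peer tuple is one of our own outgoing sockets. */
int loop_is_self(const struct sockaddr *peer) {
    unsigned char k[18];
    return to_key(peer, k) == 0 && find(k) >= 0;
}
/* Demo helper (hypothetical): sockaddr built from constructed sample text. */
const struct sockaddr *demo_addr(int fam, const char *ip, int port) {
    static struct sockaddr_in6 s6; static struct sockaddr_in s4;
    s4.sin_family = AF_INET; s6.sin6_family = AF_INET6;
    s4.sin_port = s6.sin6_port = htons(port);
    inet_pton(fam, ip, fam == AF_INET ? (void *)&s4.sin_addr : (void *)&s6.sin6_addr);
    return fam == AF_INET ? (const struct sockaddr *)&s4 : (const struct sockaddr *)&s6;
}
```

In a proxy the argument to `loop_record` would come from `getsockname()` on the connected socket and the argument to `loop_is_self` from `accept()`. Entries should be dropped when the outgoing socket closes, because ephemeral ports are reused.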
Diffstat (limited to 'src/Makefile.am')
-rw-r--r-- | src/Makefile.am | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 3924909..50e645b 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -49,6 +49,7 @@ tinyproxy_SOURCES = \ basicauth.c basicauth.h \ base64.c base64.h \ sblist.c sblist.h \ + loop.c loop.h \ connect-ports.c connect-ports.h EXTRA_tinyproxy_SOURCES = filter.c filter.h \ |
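
Review bot: the added `loop.c loop.h \` entry goes into the unconditional tinyproxy_SOURCES list rather than EXTRA_tinyproxy_SOURCES (where filter.c sits), so the loop check is always compiled in. That suits a fix for fd exhaustion, but the commit message or docs should say that the check cannot be left out at build time. Since this view is limited to src/Makefile.am, also confirm that loop.c and loop.h are added in the same commit, because both are now required for the build and for `make dist`.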