From 8a9a5abe2ec3e39789a9cd5ea8cd457e3e7ce2c3 Mon Sep 17 00:00:00 2001
From: Kevin Froman
Date: Sun, 16 Jun 2019 12:55:48 -0500
Subject: [PATCH] * phrase security.md better * display correct number of peers in stats * hopefully fix sigpipe issue
---
 SECURITY.md | 6 ++++--
 onionr/logger.py | 5 ++++-
 onionr/onionrcommands/onionrstatistics.py | 2 +-
 onionr/onionrutils.py | 2 +-
 4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index ce612cca..47a7f806 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,5 +1,7 @@
 # Security Policy
+We welcome responsible and constructive security review.
+
 # Scope
 The Onionr software and any nodes you control are within scope.
@@ -14,7 +16,7 @@ The following exploits are of particular interest:
 * Easily associating public keys with server addresses
 * Discovering true server IPs when behind Tor/I2P (aside from Tor/i2p-level attacks)
 * Easily discovering which nodes are the block creator
-* XSS, CSRF, clickjacking
+* XSS, CSRF, clickjacking, DNS rebinding
 * Timing attacks against the local http server ([see blog post](https://www.chaoswebs.net/blog/timebleed-breaking-privacy-with-a-simple-timing-attack.html))
 * Discovering direct connection servers as a non participant.
 * Cryptography/protocol issues
@@ -26,7 +28,7 @@ We do not consider non-network based same-machine attacks to be very significant
 Onionr is a student-owned hobby project, resources are not available for large rewards.
-Stickers or other reasonable & negotiable rewards are available. We reserve the right to refuse rewards for any reason.
+Stickers or other small rewards are available. We reserve the right to refuse rewards for any reason.
 Public recognition can be given upon request.
diff --git a/onionr/logger.py b/onionr/logger.py
index 34dc4d06..a7abf715 100644
--- a/onionr/logger.py
+++ b/onionr/logger.py
@@ -132,7 +132,10 @@ def raw(data, fd = sys.stdout, sensitive = False):
 '''
 if get_settings() & OUTPUT_TO_CONSOLE:
- ts = fd.write('%s\n' % data)
+ try:
+ ts = fd.write('%s\n' % data)
+ except OSError:
+ pass
 if get_settings() & OUTPUT_TO_FILE and not sensitive:
 try:
 with open(_outputfile, "a+") as f:
diff --git a/onionr/onionrcommands/onionrstatistics.py b/onionr/onionrcommands/onionrstatistics.py
index 0974b290..88643b0c 100644
--- a/onionr/onionrcommands/onionrstatistics.py
+++ b/onionr/onionrcommands/onionrstatistics.py
@@ -39,7 +39,7 @@ def show_stats(o_inst):
 # count stats
 'div2' : True,
- 'Known Peers' : str(len(o_inst.onionrCore.listPeers()) - 1),
+ 'Known Peers' : str(len(o_inst.onionrCore.listPeers())),
 'Enabled Plugins' : str(len(o_inst.onionrCore.config.get('plugins.enabled', list()))) + ' / ' + str(len(os.listdir(o_inst.dataDir + 'plugins/'))),
 'Stored Blocks' : str(totalBlocks),
 'Percent Blocks Signed' : str(round(100 * signedBlocks / max(totalBlocks, 1), 2)) + '%'
diff --git a/onionr/onionrutils.py b/onionr/onionrutils.py
index c5546d09..e2a5964d 100644
--- a/onionr/onionrutils.py
+++ b/onionr/onionrutils.py
@@ -438,7 +438,7 @@ class OnionrUtils:
 else:
 logger.warn('Failed to verify hash for %s' % block)
 if not exist:
- print('No blocks found to import')
+ logger.info('No blocks found to import')
 def progressBar(self, value = 0, endvalue = 100, width = None):
 '''
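Review bot: In the onionr/logger.py hunk, the added `except OSError: pass` around `fd.write` in `raw()` swallows every OS-level write failure, not only the broken pipe the commit message is aiming at, so console log lines, including warnings an operator relies on, can disappear without any trace. Narrowing the handler to `except BrokenPipeError:` would keep other I/O errors on a redirected stdout visible. Because `sys.stdout` is normally buffered, the broken-pipe error may also surface at flush time rather than at this `write`, so the guard may not cover every case. `ts` is left unbound when the write fails; whether it is read later cannot be seen here, since the body of `raw()` continues outside the hunk.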