? BlockNumericIPRequests.patch
Index: doc/tor.1.in
===================================================================
RCS file: /home/or/cvsroot/tor/doc/tor.1.in,v
retrieving revision 1.137
diff -u -r1.137 tor.1.in
--- doc/tor.1.in 9 Mar 2006 01:47:04 -0000 1.137
+++ doc/tor.1.in 10 Mar 2006 21:18:19 -0000
@@ -372,6 +372,13 @@
 The policies have the same form as exit policies below.
 .LP
 .TP
+\fBBlockNumericIPRequests \fR\fI0|1\fP
+If this option is enabled, SOCKS will reject requests which specify
+the destination as a numeric IP address rather than a domain name. Useful
+for blocking applications which might leak their destination by looking
+it up via local DNS rather than using tor for lookups.
+.LP
+.TP
 \fBTrackHostExits \fR\fIhost\fR,\fI.domain\fR,\fI...\fR\fP
 For each value in the comma separated list, Tor will track recent
 connections to hosts that match this value and attempt to
Index: src/config/torrc.complete.in
===================================================================
RCS file: /home/or/cvsroot/tor/src/config/torrc.complete.in,v
retrieving revision 1.4
diff -u -r1.4 torrc.complete.in
--- src/config/torrc.complete.in 5 Nov 2005 20:20:51 -0000 1.4
+++ src/config/torrc.complete.in 10 Mar 2006 21:18:19 -0000
@@ -276,6 +276,11 @@
 ## exit policies below.
 #SOCKSPolicy policy,policy,...
 
+## If you're worried about accidentally using an application which
+## fails to use tor to resolve domain names, set this option to
+## reject SOCKS requests specified as a numeric address
+#BlockNumericIPRequests 0|1
+
 ## For each value in the comma separated list, Tor will track
 ## recent connections to hosts that match this value and attempt
 ## to reuse the same exit node for each. If the value is prepended
Index: src/config/torrc.sample.in
===================================================================
RCS file: /home/or/cvsroot/tor/src/config/torrc.sample.in,v
retrieving revision 1.74
diff -u -r1.74 torrc.sample.in
--- src/config/torrc.sample.in 12 Feb 2006 01:12:52 -0000 1.74
+++ src/config/torrc.sample.in 10 Mar 2006 21:18:20 -0000
@@ -31,6 +31,11 @@
 #SocksPolicy accept 192.168.0.0/16
 #SocksPolicy reject *
 
+## If you're worried about accidentally using an application which
+## fails to use tor to resolve domain names, set this option to
+## reject SOCKS requests specified as a numeric address
+#BlockNumericIPRequests 0|1
+
 ## Logs go to stdout at level "notice" unless redirected by something
 ## else, like one of the below lines. You can have as many Log lines as
 ## you want.
Index: src/or/buffers.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/buffers.c,v
retrieving revision 1.186
diff -u -r1.186 buffers.c
--- src/or/buffers.c 5 Mar 2006 09:50:25 -0000 1.186
+++ src/or/buffers.c 10 Mar 2006 21:18:20 -0000
@@ -977,9 +977,9 @@
 strlcpy(req->address,tmpbuf,sizeof(req->address));
 req->port = ntohs(*(uint16_t*)(buf->cur+8));
 buf_remove_from_front(buf, 10);
- if (!address_is_in_virtual_range(req->address) &&
- !have_warned_about_unsafe_socks) {
- log_warn(LD_APP,
+ if (!address_is_in_virtual_range(req->address)) {
+ if(!have_warned_about_unsafe_socks) {
+ log_warn(LD_APP,
 "Your application (using socks5 on port %d) is giving "
 "Tor only an IP address. Applications that do DNS resolves "
 "themselves may leak information. Consider using Socks4A "
@@ -987,6 +987,12 @@
 "please see http://wiki.noreply.org/noreply/TheOnionRouter/"
 "TorFAQ#SOCKSAndDNS", req->port);
 // have_warned_about_unsafe_socks = 1; // (for now, warn every time)
+ }
+ if(get_options()->BlockNumericIPRequests) {
+ log_warn(LD_APP, "BlockNumericIPRequests enabled in torrc."
+ " Refusing connection.");
+ return -1;
+ }
 }
 return 1;
 case 3: /* fqdn */
Index: src/or/config.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/config.c,v
retrieving revision 1.523
diff -u -r1.523 config.c
--- src/or/config.c 5 Mar 2006 09:50:25 -0000 1.523
+++ src/or/config.c 10 Mar 2006 21:18:23 -0000
@@ -135,6 +135,7 @@
 VAR("AuthoritativeDirectory",BOOL, AuthoritativeDir, "0"),
 VAR("BandwidthBurst", MEMUNIT, BandwidthBurst, "6 MB"),
 VAR("BandwidthRate", MEMUNIT, BandwidthRate, "3 MB"),
+ VAR("BlockNumericIPRequests",BOOL, BlockNumericIPRequests,"0"),
 VAR("ClientOnly", BOOL, ClientOnly, "0"),
 VAR("ConnLimit", UINT, ConnLimit, "1024"),
 VAR("ContactInfo", STRING, ContactInfo, NULL),
Index: src/or/or.h
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/or.h,v
retrieving revision 1.801
diff -u -r1.801 or.h
--- src/or/or.h 9 Mar 2006 00:18:16 -0000 1.801
+++ src/or/or.h 10 Mar 2006 21:18:26 -0000
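Review bot: The new `BlockNumericIPRequests` refusal is placed only in the SOCKS5 IPv4 branch (the one whose warning says "using socks5" and which is followed by `case 3: /* fqdn */`), so if the SOCKS4 parser elsewhere in this function, and any SOCKS5 IPv6 address type, accept a numeric destination without passing through this branch, those requests are still allowed and the option does less than tor.1.in promises ("SOCKS will reject requests which specify the destination as a numeric IP address"); either extend the check to those paths or narrow the documentation. `return -1` also bails out without setting any SOCKS reply, so the application most likely sees a dropped connection rather than a refusal code — confirm that is the intended behaviour for the caller's handling of -1. Minor: the new `if(` lines lack the space the surrounding code uses (`if (`), and the refusal warning carries no port, unlike the warning just above it; `log_warn(LD_APP, "BlockNumericIPRequests enabled in torrc. Refusing connection (socks5 on port %d).", req->port);` would let an operator correlate the two messages. The enclosing function starts and ends outside these hunks.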
@@ -1278,6 +1278,11 @@
 int VersioningAuthoritativeDir; /**< Boolean: is this an authoritative
 * directory that's willing to recommend
 * versions? */
+ int BlockNumericIPRequests; /**< Boolean: refuse connection requests
+ specified by IP rather than domain name?
+ (Useful for preventing accidental use of
+ applications which don't use tor for DNS
+ lookups). */
 int ClientOnly; /**< Boolean: should we never evolve into a server role? */
 int NoPublish; /**< Boolean: should we never publish a descriptor? */
 int PublishServerDescriptor; /**< Do we publish our descriptor as normal? */
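Review bot: The continuation lines of the new `BlockNumericIPRequests` doc comment drop the leading ` * ` that the neighbouring `VersioningAuthoritativeDir` comment uses, so the struct's comment style becomes inconsistent here. Reformatting the four continuation lines with ` * ` prefixes, as the comment directly above does, keeps the Doxygen block uniform.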