AUTHENTICATE is really mandatory. No authentication is not quite the default.

svn:r18024
This commit is contained in:
Nick Mathewson 2009-01-08 14:07:05 +00:00
parent da6ee5da73
commit bd0e400bc3

View File

@ -253,6 +253,10 @@ $Id$
command, or sends PROTOCOLINFO more than once, Tor sends an error reply and
closes the connection.
To prevent some cross-protocol attacks, the AUTHENTICATE command is still
required even if all authentication methods in Tor are disabled. In this
case, the controller should just send "AUTHENTICATE" CRLF.
(Versions of Tor before 0.1.2.16 and 0.2.0.4-alpha did not close the
connection after an authentication failure.)
@ -1591,7 +1595,9 @@ $Id$
5.1. Authentication
By default, the current Tor implementation trusts all local users.
If the control port is open and no authentication operation is enabled, Tor
trusts any local user that connects to the control port. This is generally
a poor idea.
If the 'CookieAuthentication' option is true, Tor writes a "magic cookie"
file named "control_auth_cookie" into its data directory. To authenticate,