https://bugs.gentoo.org/887287
https://github.com/curl/curl/pull/10705

From: Matt Jolly <Matt.Jolly@footclan.ninja>
Date: Wed, 8 Mar 2023 02:16:45 +1100
Subject: [PATCH] Refuse to resolve the .onion TLD.

RFC 7686 states that:

> Applications that do not implement the Tor
> protocol SHOULD generate an error upon the use of .onion and
> SHOULD NOT perform a DNS lookup.

Let's do that.

See curl/curl#543
https://www.rfc-editor.org/rfc/rfc7686#section-2
--- a/lib/hostip.c
+++ b/lib/hostip.c
@@ -652,6 +652,14 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
   CURLcode result;
   enum resolve_t rc = CURLRESOLV_ERROR; /* default to failure */
   struct connectdata *conn = data->conn;
+  /* We should intentionally error and not resolve .onion TLDs */
+  size_t hostname_len = strlen(hostname);
+  if(hostname_len >= 7 &&
+  (curl_strequal(&hostname[hostname_len-6], ".onion") ||
+  curl_strequal(&hostname[hostname_len-7], ".onion."))) {
+    failf(data, "Not resolving .onion address (RFC 7686)");
+    return CURLRESOLV_ERROR;
+  }
   *entry = NULL;
 #ifndef CURL_DISABLE_DOH
   conn->bits.doh = FALSE; /* default is not */
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -186,8 +186,8 @@ test1432 test1433 test1434 test1435 test1436 test1437 test1438 test1439 \
 test1440 test1441 test1442 test1443 test1444 test1445 test1446 test1447 \
 test1448 test1449 test1450 test1451 test1452 test1453 test1454 test1455 \
 test1456 test1457 test1458 test1459 test1460 test1461 test1462 test1463 \
-test1464 test1465 test1466 test1467 test1468 test1469 \
-\
+test1464 test1465 test1466 test1467 test1468 test1469 test1471 \
+test1472 \
 test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
 test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
 test1516 test1517 test1518 test1519 test1520 test1521 test1522 test1523 \
--- /dev/null
+++ b/tests/data/test1471
@@ -0,0 +1,39 @@
+<testcase>
+<info>
+<keywords>
+Onion
+Tor
+FAILURE
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<name>
+Fail to resolve .onion TLD
+</name>
+<command>
+red.onion
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# Couldn't resolve host name
+<errorcode>
+6
+</errorcode>
+<stderr mode="text">
+curl: (6) Not resolving .onion address (RFC 7686)
+</stderr>
+</verify>
+</testcase>
--- /dev/null
+++ b/tests/data/test1472
@@ -0,0 +1,39 @@
+<testcase>
+<info>
+<keywords>
+Onion
+Tor
+FAILURE
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<name>
+Fail to resolve .onion. TLD
+</name>
+<command>
+tasty.onion.
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# Couldn't resolve host name
+<errorcode>
+6
+</errorcode>
+<stderr mode="text">
+curl: (6) Not resolving .onion address (RFC 7686)
+</stderr>
+</verify>
+</testcase>
-- 
2.39.2