From: Fabian Keil <fk@fabiankeil.de>
Date: Sat, 4 Aug 2007 09:56:23 +0000 (+0000)
Subject: - Log rejected CONNECT requests with LOG_LEVEL_INFO
X-Git-Tag: v_3_0_7~188
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/developer-manual/faq/static/@default-cgi@/diff?a=commitdiff_plain;h=c99004f42d542f48f114285cd862f519280824a4;p=privoxy.git

- Log rejected CONNECT requests with LOG_LEVEL_INFO
  and explain why they were rejected in the first place.
- Fix the LOG_LEVEL_CLF message for crunches of unallowed
  CONNECT requests. The request line was missing.
- Add two more XXX reminders as we don't have enough already.
---

diff --git a/ChangeLog b/ChangeLog
index 32985277..2e1176ea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -115,6 +115,8 @@ ChangeLog for Privoxy
   specify a Content-Type. Bug reported by Amuro Namie.
 - Allow to rewrite the request destination behind the client's back.
 - Fix socks requests on big-endian platforms. Patch provided by Song Weijia.
+- Rejected CONNECT requests are logged with log level info
+  (enabled by default) and the reason for the block.
 - Minor code clean-ups, filter and action file updates.
   (Some of them reported by Davide Alberani, Markus Elfring
   and Adam Piggott)
diff --git a/jcc.c b/jcc.c
index 408612bb..e82e95c1 100644
--- a/jcc.c
+++ b/jcc.c
@@ -1,4 +1,4 @@
-const char jcc_rcs[] = "$Id: jcc.c,v 1.139 2007/07/14 07:46:41 fabiankeil Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.140 2007/07/21 11:51:36 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/jcc.c,v $
@@ -33,6 +33,12 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.139 2007/07/14 07:46:41 fabiankeil Exp $"
  *
  * Revisions   :
  *    $Log: jcc.c,v $
+ *    Revision 1.140  2007/07/21 11:51:36  fabiankeil
+ *    As Hal noticed, checking dispatch_cgi() as the last cruncher
+ *    looks like a bug if CGI requests are blocked unintentionally,
+ *    so don't do it unless the user enabled the new config option
+ *    "allow-cgi-request-crunching".
+ *
  *    Revision 1.139  2007/07/14 07:46:41  fabiankeil
  *    - Allow to rewrite the request destination behind the client's back.
  *    - Turn the weird-looking unconditional for loop that
@@ -2161,20 +2167,31 @@ static void chat(struct client_state *csp)
             /*
              * The response may confuse some clients,
              * but makes unblocking easier.
+             *
+             * XXX: It seems to work with all major browsers,
+             * so we should consider returning a body by default someday ... 
              */
-            log_error(LOG_LEVEL_ERROR, "Marking suspicious CONNECT request from %s for blocking.",
-               csp->ip_addr_str);
+            log_error(LOG_LEVEL_INFO, "Request from %s marked for blocking. "
+               "limit-connect{%s} doesn't allow CONNECT requests to port %d.",
+               csp->ip_addr_str, csp->action->string[ACTION_STRING_LIMIT_CONNECT],
+               csp->http->port);
             csp->action->flags |= ACTION_BLOCK;
             http->ssl = 0;
          }
          else
          {
             write_socket(csp->cfd, CFORBIDDEN, strlen(CFORBIDDEN));
-            log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str);
-            log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str);
+            log_error(LOG_LEVEL_INFO, "Request from %s denied. "
+               "limit-connect{%s} doesn't allow CONNECT requests to port %d.",
+               csp->ip_addr_str, csp->action->string[ACTION_STRING_LIMIT_CONNECT],
+               csp->http->port);
+            assert(NULL != csp->http->ocmd);
+            log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 403 0", csp->ip_addr_str, csp->http->ocmd);
 
             list_remove_all(csp->headers);
-
+            /*
+             * XXX: For consistency we might want to log a crunch message here.
+             */
             return;
          }
       }
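Review bot: The `assert(NULL != csp->http->ocmd);` ahead of the new LOG_LEVEL_CLF call is the only guard on the request line. It vanishes in builds that define NDEBUG and aborts the whole proxy in builds that do not. Whether `ocmd` can be NULL on this deny path is not visible from the hunk, so a runtime fallback is the safer form: `log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 403 0", csp->ip_addr_str, csp->http->ocmd ? csp->http->ocmd : "-");`. The request line is client-supplied and now sits inside the quoted CLF field, so please confirm that log_error() escapes quotes and control characters; if it does not, a crafted request line could leave access-log entries that parse incorrectly. chat() begins and ends outside this hunk.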