--------------------------------------------------------------------
ChangeLog for Privoxy
--------------------------------------------------------------------
+*** Version 3.0.33 UNRELEASED ***
+
+- Bug fixes:
+ - handle_established_connection(): Skip the poll()/select() calls
+ if TLS data is pending on the server socket. The TLS library may
+ have already consumed all the data from the server response in
+ which case poll() and select() will not detect that data is
+ available to be read.
+ Fixes SF bug #926 reported by Wen Yue.
+ - continue_https_chat(): Update csp->server_connection.request_sent
+ after sending the request to make sure the latency is calculated
+ correctly. Previously https connections were not reused after
+ timeout seconds after the first request made on the connection.
+ - free_pattern_spec(): Don't try to free an invalid pointer
+ when unloading an action file with a TAG pattern while
+ Privoxy has been compiled without FEATURE_PCRE_HOST_PATTERNS.
+ Closes: SF patch request #147. Patch by Maxim Antonov.
+ - Establish the TLS connection with the client earlier and decide
+ how to route the request afterwards. This allows to change the
+ forwarding settings based on information from the https-inspected
+ request, for example the path.
+ Adjust build_request_line() to create a CONNECT request line when
+ https-inspecting and forwarding to a HTTP proxy.
+ Fixes SF bug #925 reported by Wen Yue.
+ - load_config(): Add a space that was missing in a log message.
+
+- General improvements:
+ - serve(): Close the client socket as well if the server socket
+ for an inspected connection has been closed. Privoxy currently
+ can't establish a new server connection when the client socket
+ is reused and would drop the connection in continue_https_chat()
+ anyway.
+ - Don't disable redirect checkers in redirect_url()
+ Disable them in handle_established_connection() instead.
+ Doing it in redirect_url() prevented the +redirect{} and
+ +fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS.
+ - handle_established_connection(): Slightly improve a comment
+ - handle_established_connection(): Fix a comment
+ - socks5_connect(): Fix indentation.
+ - handle_established_connection(): Improve an error message
+ - create_pattern_spec(): Fix ifdef indentation
+ - Fix comment typos
+
+- Action file improvements:
+ - Disable fast-redirects for .microsoftonline.com/.
+ - Disable fast-redirects for idp.springer.com/.
+
+- Privoxy-Regression-Test:
+ - Remove duplicated word in a comment.
+
+- Documentation:
+ - contacting: Remove obsolete reference to announce.sgml.
+ - contacting: Request that the browser cache is cleared before
+ producing a log file for submission.
+ - Sponsor FAQ: Note that Privoxy users may follow sponsor links
+ without Referer header set.
+ - newfeatures: Clarify that https inspection also allows to
+ filter https responses.
+ - developer-manual: Mention that announce.txt should be updated
+ when doing a release.
+
*** Version 3.0.32 stable ***
- Security/Reliability:
PCRS_OBJS = @STATIC_PCRS_ONLY@$(PCRS_SRC:.c=.@OBJEXT@)
PCRS_HDRS = @STATIC_PCRS_ONLY@$(PCRS_SRC:.c=.h)
-PCRE_SRC = @STATIC_PCRE_ONLY@pcre/get.c pcre/maketables.c pcre/study.c pcre/pcre.c
-PCRE_OBJS = @STATIC_PCRE_ONLY@$(PCRE_SRC:.c=.@OBJEXT@)
-PCRE_HDRS = @STATIC_PCRE_ONLY@pcre/config.h pcre/chartables.c pcre/internal.h pcre/pcre.h
-
# No REGEX (maybe because dynamically linked pcreposix):
REGEX_SRC =
-@STATIC_PCRE_ONLY@REGEX_SRC = pcre/pcreposix.c
REGEX_OBJS = $(REGEX_SRC:.c=.@OBJEXT@)
REGEX_HDRS = $(REGEX_SRC:.c=.h)
# Dependencies introduced by #include "project.h".
-PROJECT_H_DEPS = project.h $(REGEX_HDRS) $(PCRS_HDRS) @STATIC_PCRE_ONLY@pcre/pcre.h
+PROJECT_H_DEPS = project.h $(REGEX_HDRS) $(PCRS_HDRS)
# Socket libraries for platforms that need them explicitly defined
SOCKET_LIB = @SOCKET_LIB@
# PThreads library, if needed.
PTHREAD_LIB = @PTHREAD_ONLY@@PTHREAD_LIB@
-SRCS = $(C_SRC) $(CLIENT_TAG_SRC) $(FUZZ_SRC) $(W32_SRC) $(PCRS_SRC) $(PCRE_SRC) $(REGEX_SRC) $(SSL_SRC) $(MBEDTLS_SRC) $(OPENSSL_SRC)
-OBJS = $(C_OBJS) $(CLIENT_TAG_OBJS) $(FUZZ_OBJS) $(W32_OBJS) $(PCRS_OBJS) $(PCRE_OBJS) $(REGEX_OBJS) $(SSL_OBJS) $(MBEDTLS_OBJS) $(OPENSSL_OBJS)
-HDRS = $(C_HDRS) $(W32_HDRS) $(PCRS_HDRS) $(PCRE_OBJS) $(REGEX_HDRS) $(SSL_HDRS) $(MBEDTLS_HDRS) $(OPENSSL_HDRS)
+SRCS = $(C_SRC) $(CLIENT_TAG_SRC) $(FUZZ_SRC) $(W32_SRC) $(PCRS_SRC) $(REGEX_SRC) $(SSL_SRC) $(MBEDTLS_SRC) $(OPENSSL_SRC)
+OBJS = $(C_OBJS) $(CLIENT_TAG_OBJS) $(FUZZ_OBJS) $(W32_OBJS) $(PCRS_OBJS) $(REGEX_OBJS) $(SSL_OBJS) $(MBEDTLS_OBJS) $(OPENSSL_OBJS)
+HDRS = $(C_HDRS) $(W32_HDRS) $(PCRS_HDRS) $(REGEX_HDRS) $(SSL_HDRS) $(MBEDTLS_HDRS) $(OPENSSL_HDRS)
LIBS = @LIBS@ $(W32_LIB) $(SOCKET_LIB) $(PTHREAD_LIB)
# Add your flags here
OTHER_CFLAGS =
-CFLAGS = @CFLAGS@ @CPPFLAGS@ $(OTHER_CFLAGS) $(SPECIAL_CFLAGS) -Wall \
- @STATIC_PCRE_ONLY@ -Ipcre
+CFLAGS = @CFLAGS@ @CPPFLAGS@ $(OTHER_CFLAGS) $(SPECIAL_CFLAGS) -Wall
LDFLAGS = @LDFLAGS@ $(DEBUG_CFLAGS) $(SPECIAL_CFLAGS)
ssl_common.@OBJEXT@: ssl_common.c ssl.h ssl_common.h config.h $(PROJECT_H_DEPS) errlog.h miscutil.h
# PCRS
-pcrs.@OBJEXT@: pcrs.c pcrs.h config.h @STATIC_PCRE_ONLY@pcre/pcre.h
-
-# PCRE
-pcre/get.@OBJEXT@: pcre/get.c pcre/config.h pcre/internal.h pcre/pcre.h
-pcre/maketables.@OBJEXT@: pcre/maketables.c pcre/config.h pcre/internal.h pcre/pcre.h
-pcre/pcre.@OBJEXT@: pcre/pcre.c pcre/config.h pcre/internal.h pcre/pcre.h pcre/chartables.c
-pcre/pcreposix.@OBJEXT@: pcre/pcreposix.c pcre/config.h pcre/internal.h pcre/pcre.h pcre/pcreposix.h
-pcre/study.@OBJEXT@: pcre/study.c pcre/config.h pcre/internal.h pcre/pcre.h
-
-# An auxiliary program makes the PCRE default character table source
-
-pcre/chartables.c: pcre/dftables@EXEEXT@
- pcre/dftables@EXEEXT@ >pcre/chartables.c
-
-pcre/dftables@EXEEXT@: pcre/dftables.c pcre/maketables.c pcre/pcre.h pcre/internal.h pcre/config.h
- $(CC) -o pcre/dftables@EXEEXT@ $(CFLAGS) pcre/dftables.c
+pcrs.@OBJEXT@: pcrs.c pcrs.h config.h
# Win32
-w32log.@OBJEXT@: w32log.c errlog.h config.h jcc.h loadcfg.h miscutil.h pcre/pcre.h pcre/pcreposix.h pcrs.h project.h w32log.h w32taskbar.h win32.h
+w32log.@OBJEXT@: w32log.c errlog.h config.h jcc.h loadcfg.h miscutil.h pcrs.h project.h w32log.h w32taskbar.h win32.h
w32taskbar.@OBJEXT@: w32taskbar.c config.h w32log.h w32taskbar.h
-win32.@OBJEXT@: win32.c config.h jcc.h loadcfg.h pcre/pcre.h pcre/pcreposix.h pcrs.h project.h w32log.h win32.h w32svrapi.h
+win32.@OBJEXT@: win32.c config.h jcc.h loadcfg.h pcrs.h project.h w32log.h win32.h w32svrapi.h
w32.res: w32.rc w32res.h icons/radar-01.ico icons/radar-02.ico icons/radar-03.ico icons/radar-04.ico icons/radar-05.ico icons/radar-06.ico icons/radar-07.ico icons/radar-08.ico icons/idle.ico icons/privoxy.ico config.h
windres -F pe-i386 -D__MINGW32__=0.2 -O coff -i $< -o $@
75) Create a tool that creates Privoxy action (and filter?) files
out of adblock files. Could be implemented as option for
- url-pattern-translator.pl.
+ url-pattern-translator.pl. Before doing that, the already
+ existing solutions should probably be evaluated to see if
+ they do the job already or could be improved.
76) Cache DNS responses. Note that this has been requested
several times by users, but is not a developer priority.
165) Add a max-connections-per-client directive.
-166) Figure out how to ship Windows binaries with external libraries
- like pcre and MbedTLS. Required for #142. Somewhat related:
- https://lists.privoxy.org/pipermail/privoxy-devel/2020-November/000400.html
-
167) Set up a public Privoxy-Filter-Test instance.
168) Add a privacy policy.
177) Support https-inspection for intercepted requests.
178) Warn on http://config.privoxy.org/client-tags if a Tag name
- has't at least one matching action section.
+ hasn't at least one matching action section.
179) Add a add-server-header{} action to add headers to the response
sent to the client (including responses generated by Privoxy itself).
198) Add a config directive that prevent's IP addresses from being logged
(when logging is enabled).
+199) In actions.c the "#define DEFINE_ACTION_ALIAS 0" lines should probably
+ be changed to "#undef DEFINE_ACTION_ALIAS" or removed.
+
+200) Add a config directive that causes Privoxy to remove all
+ host certificates before exiting.
+
##########################################################################
Hosting wish list (relevant for #53)
])
dnl Checks for library functions.
-dnl bcopy is for PCRE
-AC_CHECK_FUNCS([bcopy])
AC_PROG_GCC_TRADITIONAL
AC_TYPE_SIGNAL
AC_CHECK_FUNCS([ \
AC_DEFINE(FEATURE_DYNAMIC_PCRE,1,[Define to dynamically link to pcre.])
fi
else
- AC_MSG_WARN([You are using the static PCRE code which is out of date and scheduled for removal, for details see:
- https://sourceforge.net/p/ijbswa/mailman/ijbswa-developers/thread/20080511195555.2dc6cfdc@fabiankeil.de/])
- AC_MSG_WARN([The removal will likely occur before the 3.0.33 release.])
- pcre_dyn=no
- # STATIC_PCRE is a name pcre needs to statically link on Windows.
- # Privoxy itself no longer uses it.
- AC_DEFINE(STATIC_PCRE,1,[Define to statically link to internal outdated pcre on Windows.])
- STATIC_PCRE_ONLY=
+ AC_MSG_ERROR(pcre library not detected.)
fi
AC_DEFINE(FEATURE_CONNECTION_KEEP_ALIVE)
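Review bot: The new hard failure on L174 is now the only path when no usable pcre is found, yet its message is unquoted and tells the user nothing about how to recover; autoconf convention is to bracket-quote the argument and name the remedy, e.g. `AC_MSG_ERROR([pcre library not detected. Install the pcre development files or point CPPFLAGS/LDFLAGS at them.])`. Dropping the static fallback also removes the bundled code the old warning itself called out of date, which is the right direction from a supply-chain standpoint. If an `AC_SUBST(STATIC_PCRE_ONLY)` or other reference to the removed `STATIC_PCRE_ONLY`/`pcre_dyn` variables survives further down in configure.in (not visible here), it should go with this hunk. The enclosing `if` opens outside the hunk.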
ada*.
# URL = https://www.adrianschmutzler.net/
adri*.
+# URL = https://adguard.com/
+adguard.com/
#############################################################################
# Generic block patterns by path:
.tagesschau.de/
# URL = https://metrics.sr.ht/graph
metrics.sr.ht/
+# URL = https://nlnet.nl/logo/banner.png
+nlnet.nl/
#############################################################################
* Function : handle_established_connection
*
* Description : Shuffle data between client and server once the
- * connection has been established.
+ * connection has been established and the request
+ * has been sent.
*
* Parameters :
* 1 : csp = Current client state (buffers, headers, etc...)
*********************************************************************/
static int ssl_store_cert(struct client_state *csp, X509 *crt)
{
- long len = 0;
+ long len;
struct certs_chain *last = &(csp->server_certs_chain);
int ret = 0;
BIO *bio = BIO_new(BIO_s_mem());
EVP_PKEY *pkey = NULL;
- char *bio_mem_data = 0;
+ char *bio_mem_data = NULL;
char *encoded_text;
long l;
const ASN1_INTEGER *bs;
case EVP_PKEY_DSA:
ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "DSA key size", EVP_PKEY_bits(pkey));
break;
+ case EVP_PKEY_EC:
+ ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "EC key size", EVP_PKEY_bits(pkey));
+ break;
default:
- ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "non-RSA/DSA key size", EVP_PKEY_bits(pkey));
+ ret = BIO_printf(bio, "\n%-" BC "s: %d bits", "non-RSA/DSA/EC key size",
+ EVP_PKEY_bits(pkey));
break;
}
if (ret <= 0)
cert_options cert_opt;
char cert_valid_from[VALID_DATETIME_BUFLEN];
char cert_valid_to[VALID_DATETIME_BUFLEN];
+ const char *common_name;
+ enum { CERT_PARAM_COMMON_NAME_MAX = 64 };
/* Paths to keys and certificates needed to create certificate */
cert_opt.issuer_key = NULL;
subject_name = X509_NAME_new();
if (!subject_name)
{
- log_ssl_errors(LOG_LEVEL_ERROR, "RSA key memory allocation failure");
+ log_ssl_errors(LOG_LEVEL_ERROR, "X509 memory allocation failure");
ret = -1;
goto exit;
}
+ /*
+ * Make sure OpenSSL doesn't reject the common name due to its length.
+ * The clients should only care about the Subject Alternative Name anyway
+ * and we always use the real host name for that.
+ */
+ common_name = (strlen(csp->http->host) > CERT_PARAM_COMMON_NAME_MAX) ?
+ CGI_SITE_2_HOST : csp->http->host;
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_COMMON_NAME_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
goto exit;
}
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORGANIZATION_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
goto exit;
}
if (!X509_NAME_add_entry_by_txt(subject_name, CERT_PARAM_ORG_UNIT_FCODE,
- MBSTRING_ASC, (void *)csp->http->host, -1, -1, 0))
+ MBSTRING_ASC, (void *)common_name, -1, -1, 0))
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
{
log_ssl_errors(LOG_LEVEL_ERROR,
"X509 subject name (code: %s, val: %s) error",
- CERT_PARAM_COUNTRY_FCODE, csp->http->host);
+ CERT_PARAM_COUNTRY_FCODE, CERT_PARAM_COUNTRY_CODE);
ret = -1;
goto exit;
}
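Review bot: The fallback on L246-L247 substitutes CGI_SITE_2_HOST for the real host name in the CN, O and OU entries, but the error logs whose format lines remain as context on L252-L253 and L260-L261 still report a "subject name" error with a value argument that, as far as this hunk shows, is unchanged and presumably still `csp->http->host`; if so the logged value no longer matches what was actually added and should be `common_name`, in the same spirit as the L273-L274 fix for the country-code log. The limit on L230 is RFC 5280's ub-common-name (64), and the same upper bound applies to organizationName and organizationalUnitName, so reusing one constant for all three entries is correct; I'd record that next to it: `enum { CERT_PARAM_COMMON_NAME_MAX = 64 }; /* RFC 5280 ub-common-name; O and OU share the bound */`. The comment on L243-L244 asserts the Subject Alternative Name always carries the real host name, but the SAN code is outside this hunk, so whether an over-long host really ends up in the SAN (and how such a certificate is cached) cannot be confirmed from here. generate_host_certificate begins and ends outside the hunk.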