- Fix a logic bug that could cause Privoxy to reuse a tainted
- server socket.
- It could happen for server sockets that got tainted by a
- server-header-tagger-induced block, in which case Privoxy
- doesn't necessarily read the whole server response.
- If keep-alive was enabled and the request following the
- blocked one was to the same host and using the same
- forwarding settings, Privoxy would send it on the tainted
- server socket.
+ If the redirect URL contains characters RFC 3986 doesn't permit,
+ they are (re)encoded. Not doing this makes Privoxy versions from
+ 3.0.5 to 3.0.17 susceptible to HTTP response splitting (CWE-113)
+ attacks if the +fast-redirects{check-decoded-url} action is used.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Fix a logic bug that could cause Privoxy to reuse a server
+ socket after it got tainted by a server-header-tagger-induced
+ block that was triggered before the whole server response had
+ been read. If keep-alive was enabled and the request following
+ the blocked one was to the same host and using the same forwarding
+ settings, Privoxy would send it on the tainted server socket.
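Review bot: In the added response-splitting entry, "Not doing this makes Privoxy versions from 3.0.5 to 3.0.17 susceptible" reads as if it describes current behaviour, and "(re)encoded" does not say which encoding is applied. Consider stating it as a fix, for example "Characters in the redirect URL that RFC 3986 doesn't permit are now percent-encoded; versions 3.0.5 to 3.0.17 did not do this and were susceptible to HTTP response splitting (CWE-113) when +fast-redirects{check-decoded-url} was used." That makes it clear to readers that only configurations using that action were exposed. In the rewritten socket-reuse entry, the lines shown describe when the tainted socket was reused but not what the client would observe as a result; one sentence on the impact would help users judge whether they were affected.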