+ Check requests more carefully before serving them forcefully
+ when blocks aren't enforced. Privoxy always adds the force token
+ at the beginning of the path, but would previously accept it anywhere
+ in the request line. This could result in requests being served that
+ should be blocked. For example in case of pages that were loaded with
+ force and contained JavaScript to create additionally requests that
+ embed the origin URL (thus inheriting the force prefix).
+ The bug is not considered a security issue and the fix does not make
+ it harder for remote sites to intentionally circumvent blocks if
+ Privoxy isn't configured to enforce them.
+ Fixes #1695 reported by Korda.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Normalize the request line in intercepted requests to make rewriting
+ the destination more convenient. Previously rewrites for intercepted
+ requests were expected to fail unless $hostport was being used, but
+ they failed "the wrong way" and would result in an out-of-memory
+ message (vanilla host patterns) or a crash (extended host patterns).
+ Reported by "Guybrush Threepwood" in #1694.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Enable socket lingering for the correct socket.
+ Previously it was repeatedly enabled for the listen socket
+ instead of for the accepted socket. The bug was found by
+ code inspection and did not cause any (reported) issues.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Detect and reject parameters for parameter-less actions.
+ Previously they were silently ignored.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Fixed invalid reads in internal and outdated pcre code.
+ Found with afl-fuzz and AddressSanitizer.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Prevent invalid read when loading invalid action files.
+ Found with afl-fuzz and AddressSanitizer.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Windows build: Use the correct function to close the event handle.
+ It's unclear if this bug had a negative impact on Privoxy's behaviour.
+ Reported by Jarry Xu in #891.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ In case of invalid forward-socks5(t) directives, use the
+ correct directive name in the error messages. Previously they
+ referred to forward-socks4t failures.
+ Reported by Joel Verhagen in #889.
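Review bot: The force-token entry at the top of this hunk has a wording error and a sentence fragment: "JavaScript to create additionally requests" should read "additional requests", and "For example in case of pages that were loaded with force and contained JavaScript ..." has no main clause. Consider folding it into the previous sentence, e.g. "This could result in requests being served that should be blocked, for example when pages loaded with force contained JavaScript that created additional requests embedding the origin URL". In the same entry, "serving them forcefully when blocks aren't enforced" leaves it unclear whether the stricter check or the forced serving is what applies when blocks aren't enforced; a reader deciding whether their configuration is affected would benefit from that being explicit. Minor style point: "Fixed invalid reads in internal and outdated pcre code" is past tense while the neighbouring entries use the imperative ("Enable", "Detect", "Prevent"); "Fix invalid reads ..." would match.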