- - Allow to edit the add-header action through the CGI editor by
- generalizing the code that got added with the suppress-tag action.
- Closes SF patch request #146. Patch by Maxim Antonov.
- - Add a CGI handler for /wpad.dat that returns a
- Proxy Auto-Configuration (PAC) file.
- Among other things, it can be used to instruct clients
- through DHCP to use Privoxy as proxy.
- For example with the dnsmasq option:
- dhcp-option=252,http://config.privoxy.org/wpad.dat
- Initial patch by Richard Schneidt.
- - Don't log the applied actions in process_encrypted_request()
- Log them in continue_https_chat() instead to mirror chat().
- Prevents the applied actions from getting logged twice
- for the first request on an https-inspected connection.
- - OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name
- Org and Org Unit if the real host name is too long to get accepted by OpenSSL.
- Clients should only care about the Subject Alternative Name
- anyway and we can continue to use the real host name for it.
- Reported by Miles Wen on privoxy-users@.
- - Establish the TLS connection with the client earlier and decide
- how to route the request afterwards. This allows to change the
- forwarding settings based on information from the https-inspected
- request, for example the path.
- - listen_loop(): When shutting down gracefully, close listening ports
- before waiting for the threads to exit. Allows to start a second
- Privoxy with the same config file while the first Privoxy is still
- running.
- - serve(): Close the client socket as well if the server socket
- for an inspected connection has been closed. Privoxy currently
- can't establish a new server connection when the client socket
- is reused and would drop the connection in continue_https_chat()
- anyway.
- - Don't disable redirect checkers in redirect_url().
- Disable them in handle_established_connection() instead.
- Doing it in redirect_url() prevented the +redirect{} and
- +fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS.
- - handle_established_connection(): Slightly improve a comment.
- - handle_established_connection(): Fix a comment.
- - socks5_connect(): Fix indentation.
- - handle_established_connection(): Improve an error message.
- - create_pattern_spec(): Fix ifdef indentation.
- - Fix comment typos.
- - process_encrypted_request(): Improve a log message.
- The function only processes request headers and there
- may still be unread request body data left to process.
- - chat(): Log the applied actions before deciding how to forward the request.
- - parse_time_header(): Silence a coverity complaint when building without assertions.
- - receive_encrypted_request_headers(): Improve a log message.
- - mbedTLS get_ciphersuites_from_string(): Use strlcpy() instead of strncpy().
- Previously the terminating NUL wasn't copied which resulted
- in a compiler warning. This didn't cause actual problems as
- the target buffer was initialized by zalloc_or_die() so the
- last byte of the target buffer was NUL already.
- Actually copying the terminating NUL seems clearer, though.
- - Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..."
- doesn't return but apparently the compiler doesn't know that.
- Get rid of several "this statement may fall through
- [-Wimplicit-fallthrough=]" warnings.
- - Store the PEM certificate in a dynamically allocated buffer
- when https-inspecting. Should prevent errors like:
- 2021-03-16 22:36:19.148 7f47bbfff700 Error: X509 PEM cert len 16694 is larger than buffer len 16383
- As a bonus it should slightly reduce the memory usage as most
- certificates are smaller than the previously used fixed buffer.
- Reported by: Wen Yue
- - OpenSSL generate_host_certificate(): Fix two error messsages.
- - Improve description of handle_established_connection()
- - OpenSSL ssl_store_cert(): Translate EVP_PKEY_EC to a string.
- - OpenSSL ssl_store_cert(): Remove pointless variable initialization.
- - OpenSSL ssl_store_cert(): Initialize pointer with NULL instead of 0.
+ - Add a client-body-tagger action which creates tags based on
+ the content of the request body.
+ Sponsored by: Robert Klemme.
+ - When client-body filters are enabled, buffer the whole request
+ before opening a connection to the server.
+ Makes it less likely that the server connection times out
+ and we don't open a connection if the buffering fails anyway.
+ Sponsored by: Robert Klemme.
+ - Add periods to a couple of log messages.
+ - accept_connection(): Add missing space to a log message.
+ - Initialize ca-related defaults with strdup_or_die() so errors
+ aren't silently ignored.
+ - make_path: Use malloc_or_die() in cases where allocation errors
+ were already fatal anyway.
+ - handle_established_connection(): Improve an error message slightly.
+ - receive_client_request(): Reject https URLs without CONNECT request.
+ - Include all requests in the statistics if mutexes are available.
+ Previously in case of reused connections only the last request got
+ counted. The statistics still aren't perfect but it's an improvement.
+ - Add read_socks_reply() and start using it in socks5_connect()
+ to apply the socket timeout more consistently.
+ - socks5_connect(): Deal with domain names in the socks reply
+ - Add a filter for bundeswehr.de that hides the cookie and
+ privacy info banner.
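Review bot: The added entry "receive_client_request(): Reject https URLs without CONNECT request." records a client-visible behaviour change but gives no reason and does not say what the client receives. Unlike the neighbouring log-message and allocation cleanups, this one can break existing clients, so a second line with the rationale and the resulting response would help anyone reading the release notes. The same applies to "socks5_connect(): Deal with domain names in the socks reply". A domain-name address in a SOCKS5 reply is length-prefixed by the server, so the entry should say whether that length is checked against the reply buffer, as the read_socks_reply() entry above it does for the timeout. That line is also the only added top-level entry without a terminating period, in the same change that adds "Add periods to a couple of log messages."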