Document the +fast-redirects{} HTTP response splitting fix
[privoxy.git] / doc / webserver / user-manual / whatsnew.html
index 776982d..67a98ad 100644 (file)
@@ -61,6 +61,14 @@ body {
         <p>Bug fixes:</p>
 
         <ul>
+          <li>
+            <p>If the redirect URL contains characters RFC 3986 doesn't
+            permit, they are (re)encoded. Not doing this makes Privoxy
+            versions from 3.0.5 to 3.0.17 susceptible to HTTP response
+            splitting (CWE-113) attacks if the
+            +fast-redirects{check-decoded-url} action is used.</p>
+          </li>
+
           <li>
             <p>Fix a logic bug that could cause Privoxy to reuse a server
             socket after it got tainted by a server-header-tagger-induced
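Review bot: the new entry is vague about what "(re)encoded" covers, which matters for readers deciding whether to upgrade or change their action file. It names only +fast-redirects{check-decoded-url} as the affected variant, so say explicitly whether the default +fast-redirects{simple-check} behaviour is unaffected, and name the characters that matter for CWE-113 (CR and LF in the redirect target, which is what lets an attacker inject header lines), rather than the broad "characters RFC 3986 doesn't permit". Suggest a wording such as "CR, LF and any other character not permitted by RFC 3986 in the decoded redirect URL are percent-encoded before the redirect is issued; the simple-check variant is not affected" so that the note documents both the risk and the scope of the fix.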