X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fsource%2Fchangelog.sgml;h=9c4339dd9cc36b80cbd67bb50f274170d29af5fd;hp=2eb5db83bca1f2d134e588ba42a25ae4b894f886;hb=0bd549e5e92bb1a079ddcec96d1f73055f9d9ac9;hpb=286320493d9653f101fd18d1c153dfaf2d3cd6a9 diff --git a/doc/source/changelog.sgml b/doc/source/changelog.sgml index 2eb5db83..9c4339dd 100644 --- a/doc/source/changelog.sgml +++ b/doc/source/changelog.sgml @@ -1,11 +1,9 @@ - - Privoxy 3.0.22 stable is mainly a bug-fix - release, it also has a couple of new features, though. - Note that the first two entries in the ChangeLog below refer to security - issues: - + + Privoxy 3.0.30 fixes a couple of bugs + and introduces a few new features. + + + Changes in Privoxy 3.0.30 stable: + + 
@@ -38,51 +38,53 @@ - Fixed a memory leak when rejecting client connections due to - the socket limit being reached (CID 66382). This affected - Privoxy 3.0.21 when compiled with IPv6 support (on most - platforms this is the default). + Check the actual URL for redirects when https inspecting requests. + Previously Privoxy would only check the path which resulted in + rewrite results being rejected as invalid URLs. + Reported by withoutname in #1736. - Fixed an immediate-use-after-free bug (CID 66394) and two - additional unconfirmed use-after-free complaints made by - Coverity scan (CID 66391, CID 66376). + Let the hide-referrer code tolerate Referer headers with https:// URLs. + Previously they would always be treated like a changed host. - Actually show the FORCE_PREFIX value on the show-status page. + Use the https headers if the show-request handler is reached through + https://. Previously Privoxy would use the http headers which + may be empty on a reused connection. - Properly deal with Keep-Alive headers with timeout= parameters - If the timeout still can't be parsed, use the configured - timeout instead of preventing the client from keeping the - connection alive. Fixes #3615312/#870 reported by Bernard Guillot. + Make CGI_PREFIX protocol-relative when building with FEATURE_HTTPS_INSPECTION. + This unbreaks (at least) https://config.privoxy.org/client-tags whose + buttons would previously use a http:// URL resulting in browser warnings. - Not using any filter files no longer results in warning messages - unless an action file is referencing header taggers or filters. - Reported by Stefan Kurtz in #3614835. + Support using https-inspection and client-header-order at the same time. + Previously Privoxy would crash. + Reported by: Kai Raven - Fixed a bug that prevented Privoxy from reusing some reusable - connections. Two bit masks with different purpose unintentionally - shared the same bit. 
+ Properly reject rewrites from http to https as they currently + aren't supported. Previously Privoxy would wait for the client + to establish an encrypted connection which obviously would not happen. - A couple of additional bugs were discovered by Coverity Scan. - The fixes that are not expected to affect users are not explicitly - mentioned here, for details please have a look at the CVS logs. + When https inspection is enabled and Privoxy has been compiled with + FEATURE_GRACEFUL_TERMINATION (not recommended for production builds), + the TLS backend resources are free'd later on and only if no active + connections are left. Prevents crashes when exiting "gracefully" at the + wrong time. 
@@ -94,86 +96,173 @@ - Introduced negative tag patterns NO-REQUEST-TAG and NO-RESPONSE-TAG. - They apply if no matching tag is found after parsing client or - server headers. + Allow to rewrite the request destination for https-inspected + requests behind the client's back. The documentation already sort + of claimed that it was supported by not especially mentioning that + it didn't work for https-inspected requests. + Fixes SF bug #923 reported by withoutname. + + + + + Add support for filtering client request bodies by using + CLIENT-BODY-FILTER filters which can be enabled with the + client-body-filter action. + Patch submitted by Maxim Antonov. + Sponsored by: Robert Klemme + + + + + Add the new action suppress-tag{} which can be used to prevent + a tagger from adding a tag. Patch submitted by Maxim Antonov. + Sponsored by: Robert Klemme + + + + + Gracefully handle existing website keys without matching certificates. + This can happen if Privoxy was previously running with an invalid + TLS configuration that didn't allow it to create a certificate. + + + + + Recycle debug bit 4 for Tagging-related messages. + + + + + Improve the message shown when the client-tags CGI page + is requested with no tags configured. + + + + + Shorten the 'donate' and 'participate' links used by templates + using redirects. Currently the redirects lead to the FAQ entries + but in the future we may want to relocate the content and using + redirects makes this more convenient. + + + + + Log an error when a PCRE-HOST-PATTERN is used with + FEATURE_PCRE_HOST_PATTERNS disabled. Don't treat this a + fatal error so the regression tests can be used with and + without FEATURE_PCRE_HOST_PATTERNS. + + + + + The code compiles with older C compilers again. + + + + + The chdir() return code is checked to fix a compiler warning. + + + + + The packages feed has been removed from the source tarball. + It's usually out of date when the source tarball is generated + for the release. 
+ + + + + Fixed harmless compiler warnings from GCC9 with -D_FORTIFY_SOURCE=2. - Add support for external filters which allow to process the - response body with a script or program written in any language - the platform supports. External filters are enabled with - +external-filter{} after they have been defined in one of the - filter files with a header line starting with "EXTERNAL-FILTER:". - External filter support is experimental, not compiled by default - and known not to work on all platforms. + windows: Remove obsolete '$(DEST)/doc/images' target. - Add support for the 'PATCH' method as defined in RFC5789. + windows: Install the images referenced in the user manual. - Reject requests with unsupported Expect header values. - Fixes a couple of Co-Advisor tests. + Remove obsolete 'gnu_regex.@OBJEXT@' target. - Normalize the HTTP-version in forwarded requests and responses. - This is an explicit RFC 2616 MUST and RFC 7230 mandates that - intermediaries send their own HTTP-version in forwarded - messages. + When installing from the GNUMAkefile, don't create an 'images' + directory which is no longer used. The images were relocated to + the user-manual directory years ago. - Client 'Keep-Alive' headers are no longer forwarded. From a user's - point of view it doesn't really matter, but RFC 2616 (obsolete) - mandates that the header is removed and this fixes a Co-Advisor - complaint. + Add new FEATURES to the show-status page and resort list. - Change declared template file encoding to UTF-8. The templates - already used a subset of UTF-8 anyway and changing the declaration - allows to properly display UTF-8 characters used in the action files. - This change may require existing action files with ISO-8859-1 - characters that aren't valid UTF-8 to be converted to UTF-8. - Requested by Sam Chen in #582. + Remove unused variable in the OpenSSL-specific code. - Do not pass rejected keep-alive timeouts to the server. 
It might - not have caused any problems (we know of), but doing the right - thing shouldn't hurt either. + Update bug tracker URL in cgi_error_unknown(). - Let log_error() use its own buffer size #define to make changing - the log buffer size slightly less inconvenient. + Saved a couple of memory allocations when sorting client headers. - Turned single-threaded into a "proper" toggle directive with arguments. + Improved a couple of error messages. - CGI templates no longer enforce new windows for some links. + Saved memory allocations when using OpenSSL and checking if a + key already exists. - Remove an undocumented workaround ('HOST' header removal) for - an Apple iTunes bug that according to #729900 got fixed in 2003. + The configure script will bail out if OpenSSL and mbedTLS are + enabled at the same time. + + + + + Log a message right before exiting gracefully. + + + + + A couple of structures have been rearranged to require slightly + less memory. + + + + + When https inspection is enabled and the certificate is invalid + the error message is now sent with status code 403 instead of 200. + + + + + The Slackware rc script template has been renamed to + slackware/rc.privoxy.in to silence complaints when building + Debian packages. + + + + + When building with MbedTLS support, mbedtls_md5_ret() is used + instead of mbedtls_md5() which is deprecated and causes a warning + on Debian GNU/Linux. 
@@ -185,110 +274,121 @@ - The pattern 'promotions.' is no longer being blocked. - Reported by rakista in #3608540. + Block requests to eu-tlp03.kameleoon.com/. - Disable fast-redirects for .microsofttranslator.com/. + Unblock metrics.sr.ht/. - Disable filter{banners-by-size} for .dgb-tagungszentren.de/. + Disable fast-redirects for .fsf.org/. - Add adn.speedtest.net as a site-specific unblocker. - Support request #3612908. + Disable fast-redirects for .gravater.com/. - Disable filter{banners-by-size} for creativecommons.org/. + Disable fast-redirects for .ksta.de/. - Block requests to data.gosquared.com/. Reported by cbug in #3613653. + Block requests to tag.crsspxl.com/. - Unblock .conrad./newsletter/. Reported by David Bo in #3614238. + Block requests to analytics.slashdotmedia.com/. - Unblock .bundestag.de/. + Block requests to ml314.com/. - Unblock .rote-hilfe.de/. + Block requests to .adroll.com/. - Disable fast-redirects for .facebook.com/plugins/like.php. + Block requests to fastlane.rubiconproject.com/. - Unblock Stackexchange popup URLs that aren't used to serve ads. - Reported by David Wagner in #3615179. + Block requests to api.theadex.com/. - Disable fast-redirects for creativecommons.org/. + Block requests to ih.adscale.de/. - Unblock .stopwatchingus.info/. + Block requests to .s400.meetrics.net/. - Block requests for .adcash.com/script/. - Reported by Tyrexionibus in #3615289. + Block requests for pp.lp4.io/. - Disable HTML filters if the response was tagged as JavaScript. - Filtering JavaScript code with filters intended to deal with HTML - is usually a waste of time and, more importantly, may break stuff. + Block requests for trc-events.taboola.com/. + + + + + + + + Filter file improvements: + + + + A allow-autocompletion filter has been added which changes + autocomplete="off" to "on" on input fields to allow autocompletion. + Requested by Jamie Zawinski in #370. + Filter based on a submission by Aaron Linville. 
- Use a custom redirect{} for .washingtonpost.com/wp-apps/imrs\.php\?src= - Previously enabling the 'Advanced' settings (or manually enabling - +fast-redirects{}) prevented some images from being loaded properly. + Added an imdb filter. - Unblock "adina*." Fixes #919 reported by Morton A. Goldberg. + Added a sourceforge filter that reduces the amount of ads + for proprietary software. - Block '/.*DigiAd'. + Added a github filter that removes the annoying "Sign-Up" + banner and the Cookie disclaimer. - Unblock 'adele*.'. Reported by Adele Lime in #1663. + Removed a duplicated pcrs command from the js-annoyances filter. - Disable banners-by-size for kggp.de/. + The crude-parental filter now provides a short reason when blocking, + inserts a link to Privoxy's webinterface and adds a new line at + the end of the generated page. 
@@ -296,28 +396,377 @@ - Filter file improvements & bug fixes: + Privoxy-Log-Parser: - Decrease the chances that js-annoyances creates invalid JavaScript. - Submitted by John McGowan on ijbswa-users@. + Highlight a few more messages. + + + + + Add a handler for tagging messages. + + + + + Properly deal with 'Certificate error' crunches + Previously the error description was highlighted as 'host'. + + + + + Log truncated LOG_LEVEL_CLF messages more gracefully + and note that the statistics will be imprecise. + + + + + Fixed perldoc typo. + + + + + Bump version to 0.9.2. + + + + + + + + Privoxy-Regression-Test: + + + + Use http://127.0.0.1:8118/ as default Privoxy address + unless http_proxy is set through the environment. + + + + + Add a --privoxy-cgi-prefix option that specifies the prefix + to use when building URLs that are supposed to reach Privoxy's + CGI interface. If it's not set, http://p.p/ is used, which is + supposed to work with the default Privoxy configuration. + If Privoxy has been built with FEATURE_HTTPS_INSPECTION enabled, + and if https inspection is activated with the +https-inspection + action, this option can be used with "https://p.p/" provided the + system running Privoxy-Regression-Test has been configured to + trust the certificate used by Privoxy. + Note that there are currently two tests in the official + regression-tests.action file that are expected to fail + when using "https://p.p/" as privoxy-cgi-prefix. + + + + + Skip the connection-established response in get_status_code() + when looking for the status code with a CGI prefix + that starts with https://. We care about the status code + sent by the impersonated web server. + + + + + Use --proxy-header when using a CGI prefix with https:// + and a "Host:" header. + + + + + Allow '|' in tokens and values to allow tag patterns like + "TAG:^(application|text)/(x-)?javascript$". + + + + + When get_cgi_page_or_else() fails, include the URL of the + requested page in the log message. 
+ + + + + Added a --check-bad-ssl option that can be used to verify that + Privoxy detects certificate problems when accessing the test + sites from badssl.com. + + + + + Bumped version to 0.7.2 + + + + + + + + uagen: + + + + Update example output. + + + + + Recommend the use of the https-inspection action in the documentation. + + + + + Upgrade a couple of URLs to https://. + + + + + Add ElectroBSD to the list of operating systems. + + + + + Bumped generated Firefox version to 78 (ESR). + + + + + Bumped version to 1.2.2. + + + + + + + + User documentation: + + + + Remove reference to 'How to Report Bugs Effectively'. + It was only rendered as text without URL in the README anyway + and there's no indication that users read it ... + + + + + Let the dok-readme target fix the location embedded into the + README file. This used to be done by CVS but since the git migration + it has to be done through other means. + + + + + Remove 'experimental' warning for client-specific-tag-related directives. + They seem to work reliably and there is no obvious reason + why we would change the syntax in the near future. + + + + + Describe how to check if Privoxy has been built with + FEATURE_HTTPS_INSPECTION. + + + + + Add a link to the trusted-cas-file documentation + that explains how the user can create the file herself. + + + + + Don't explicitly mention the license for the code coming from + 'Anonymous Coders' and Junkbusters. It's obviously licensed under + the GNU GPL like the rest of Privoxy or we wouldn't be allowed to + distribute it. + + + + + Update the +hide-user-agent example with uagen output. + + + + + Slightly improve the wording of the ca-key-file documentation. + + + + + Explicitly mention Windows 10 as supported so search engines and + users looking for it can find it. + + + + + Import a bunch of contributors from the ChangeLog. + + + + + Remove obsolete doc/gpl.html. + + + + + Upgrade a couple of links to https://. 
+ + + + + Don't prefer the SourceForge patch tracker over the + privoxy-devel mailing list. While at it, link to the + SourceForge patch tracker. + + + + + Mention http-inspection in the 'my browser warns me about + unauthenticated content' FAQ entry. + + + + + Simplify the 'Is there is a license or fee?' FAQ entry. + + + + + Add another +redirect{} example. + + + + + Explicitly mention that interested sponsors should include + the link target in their first mail. + + + + + Clarify that only Privoxy team members can object to new sponsors + and link to the list of current team members. - Let the msn filter hide 'related' ads again. + Note that sponsor URLs may not contain keyword spam. - Remove a stray '1' in the 'html-annoyances' filter. + Garbage collect doc/webserver/images which isn't referenced anymore. - Prevent img-reorder from messing up img tags with empty src - attributes. Fixes #880 reported by Duncan. + Update the method to reach the proxy settings in Firefox. + + + + + Update proxy_setup.jpg description to refer to Firefox. + + + + + Regenerate proxy_setup.jpg with a more recent Firefox (78.0). + + + + + Regenerate files-in-use.jpg without obsolete standard.action + with modern colors and a slightly better quality. + + + + + Update URL to the actionsfile tracker. + + + + + Update a support request URL. + + + + + Rephrase the 'Can Privoxy run as service' FAQ entry and + remove an obsolete paragraph. + + + + + Let the 'Where can I get updated Actions Files?' entry link to + the gitweb version of default.action.master. + + + + + Update a link to the default.action file. + + + + + Update URLs for trackers and mailing lists. + + + + + Replace CVS reference with git. + + + + + Mention regression-tests.action in the config file. + + + + + Explicitly mention in the config file that access to the + CA key should be limited to Privoxy. + + + + + List more client-specific-tag examples for inspiration. 
+ + + + + Add additional headers to the client-header-order example. + + + + + Note that actions aren't updated after rewrites. + + + + + Explicitly mention that upgrading from http to https with + a client-header filter is not supported + + + + + Note that protocol and host have to be added when rewriting + the destination host for https-inspected requests. + + + + + Explicitly mention that the CA key is used to sign certificates. + + + + + Put openssl command in 'command' tags. + + + + + The man page has been moved from section 1 to man section 8. 
@@ -325,110 +774,199 @@ - Documentation improvements: + Developer manual: - Updated the 'Would you like to donate?' section. + Flesh out the build instructions for Debian. + + + + + Remove the packaging instructions for RPM-based systems. + They don't work and we don't release RPM packages anymore anyway. + + + + + Remove the packaging instructions for Solaris. + They don't work and we don't release Solaris packages anymore anyway. + + + + + Update the suggested subject for the announce mails. - Note that invalid forward-override{} parameter syntax isn't - detected until the parameter is used. + Update upload instructions. + ftp://upload.sourceforge.net is no longer functional. - Add another +redirect{} example: a shortcut for illumos bugs. + Remove a couple of package-dependent upload instructions + that don't actually work. - Make it more obvious that many operating systems support log - rotation out of the box. + Remove 'cd current' that no longer works. - Fixed dead links. Reported by Mark Nelson in #3614557. + Add regression-tests.action to the list of files that should be installed. - Rephrased the 'Why is the configuration so complicated?' answer - to be slightly less condescending. Anonymously suggested in #3615122. + Stop claiming that there are text versions of the manuals. + We stopped building them in 2008 (9ed36a3c5e6f12). - Be more explicit about accept-intercepted-requests's lack of MITM support. + Note that the 'webserver' target creates the link needed for the user-manual. - Make 'demoronizer' FAQ entries more generic. + Suggest to use the master branch as reference when creating + the ChangeLog so the steps work when the current branch differs + from master which is likely as the developer manual + suggests to use a local branch for development. - Add an example hostname to the --pre-chroot-nslookup description. + Add the -s flag to the suggested 'git tag' command. We prefer signed tags. 
- Add an example for a host pattern that matches an IP address. + Mention that merges into 'master' should be avoided. - Rename the 'domain pattern' to 'host pattern' as it may - contain IP addresses as well. + Add git commands that should result in a merge-free history. - Recommend forward-socks5t when using Tor. It seems to work fine and - modifying the Tor configuration to profit from it hasn't been necessary - for a while now. + Mention Privoxy-Regression-Test. + + + + + Add a section id to reduce link churn. + + + + + Recommend the dok-tidy target when building docs for the webserver. + + + + + Add another plug for the privoxy-devel mailing list. + + + + + Let the intro link the copyright section in the user manual instead + of giving an incomplete summary of the license status. + + + + + Clarify that the webserver target uploads to the SourceForge webserver. + + + + + Mark the documentation for the Mac OS X installers as out of date and + change the SCM name back to CVS. + + + + + Fix the location of the installer modules for Mac OS X. + They are not actually available through git (yet). + + + + + Don't speak of Privoxy version 3 in the past tense. + + + + + Update the list of programs required for the release process. + + + + + Update description of the webserver target which uses ssh, not scp. + + + + + Remove obsolete reference to config.new. + + + + + + + + Tests: + + + + Add another hide-referrer{conditional-block} test. - Add another redirect{} example to stress that redirect loops can - and should be avoided. + Add another hide-referrer{conditional-forge} test. - The usual spelling and grammar fixes. Parts of them were - reported by Reuben Thomas in #3615276. + Fix a hide-referrer{conditional-forge} test + that expected an acceptable header to be forged. - Mention the PCRS option letters T and D in the filter section. + Fix a hide-referrer{conditional-block} test + that expected an acceptable Referer to be removed. 
- Clarify that handle-as-empty-doc-returns-ok is still useful - and will not be removed without replacement. + Explain why the "Set Header = Host: whatever.example.org" test is + expected to fail when using a CGI prefix that starts with "https://". - Note that security issues shouldn't be reported using the bug tracker. + Explain why a connection-sharing test is known to fail + when using "https://p.p/" as CGI prefix. - Clarify what Privoxy does if both +block{} and +redirect{} apply. + Add a link to Privoxy-Regression-Test to regression-tests.action + in case it isn't packaged. - Removed the obsolete bookmarklets section. + Add regression tests for pcre host patterns. @@ -436,37 +974,36 @@ - Build system improvements: + Privoxy infrastructure: - Let --with-group properly deal with secondary groups. - Patch submitted by Anatoly Arzhnikov in #3615187. + Import a Privoxy logo for the website. - Fix web-actions target. + Update Tor onion service to HiddenServiceVersion 3. - Add a web-faq target that only updates the FAQ on the webserver. + Display the "model" photos in a single row and remove placeholder images. - Remove already-commented-out non-portable DOSFILTER alternatives. + Regenerate homepage with updated sponsor list. - Remove the obsolete targets dok-put and dok-get. + Use the '/sponsor' redirect for the link to the sponsor page. - Add a sf-shell target. + Git commit messages are sent to the Privoxy-commits mailing list.
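Review bot: In the @@ -38,51 +38,53 @@ hunk, the entry "Support using https-inspection and client-header-order at the same time. Previously Privoxy would crash." does not say what triggered the crash or whether an ordinary client request was enough to cause it. The intro removed in the first hunk called out security entries explicitly, so either state the trigger condition here or say that the crash is not considered security-relevant. In the same hunk, "free'd" should read "freed", and "Reported by: Kai Raven" should follow the "Reported by withoutname in #1736." form (no colon, trailing period).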
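Review bot: In the @@ -94,86 +96,173 @@ hunk, three added entries have wording defects that will end up in the rendered ChangeLog: "Don't treat this a fatal error" is missing "as", "GNUMAkefile" has stray capitalisation, and "resort list" in the show-status entry reads as the noun "resort" and should be "re-sort the list". The first entry of the hunk cites "SF bug #923" while the previous hunk cites a bare "#1736" for the same reporter; pick one form so readers can tell which tracker a number belongs to.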
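Review bot: In the @@ -185,110 +274,121 @@ hunk, "Disable fast-redirects for .gravater.com/." looks like a misspelling of gravatar.com; please check the pattern against what was actually committed to default.action and correct whichever side is wrong, since a mistyped host pattern would silently never match. Smaller points in the same hunk: "A allow-autocompletion filter" should be "An allow-autocompletion filter", and the block entries switch between "Block requests to" and "Block requests for" (pp.lp4.io/, trc-events.taboola.com/); use one form.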
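Review bot: In the @@ -296,28 +396,377 @@ hunk, "Mention http-inspection in the 'my browser warns me about unauthenticated content' FAQ entry." names an action that appears nowhere else in this ChangeLog; every other entry calls it https-inspection, so this is presumably a typo and should be corrected to avoid sending readers looking for a non-existent action. Also in this hunk, "Properly deal with 'Certificate error' crunches" and "Explicitly mention that upgrading from http to https with a client-header filter is not supported" lack their closing periods, and the version entries mix "Bump version to 0.9.2." with "Bumped version to 0.7.2" (no period) and "Bumped version to 1.2.2."; settle on one tense and punctuation.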