-
-
Fixed a DoS issue in case of client requests with incorrect
- chunk-encoded body. When compiled with assertions enabled (the
- default) they could previously cause Privoxy to abort(). Reported
- by Matthew Daley. CVE-2015-1380.
+ When using socks5t, send the request body optimistically as
+ well. Previously the request body wasn't guaranteed to be sent at
+ all and the error message incorrectly blamed the server. Fixes
+ #1686 reported by Peter Müller and G4JC.
+
+
+ -
+
Fixed buffer scaling in execute_external_filter() that could
+ lead to crashes. Submitted by Yang Xia in #892.
+
+
+ -
+
Fixed crashes when executing external filters on platforms
+ like Mac OS X. Reported by Jonathan McKenzie on ijbswa-users@
+
+
+ -
+
Properly parse ACL directives with ports when compiled with
+ HAVE_RFC2553. Previously the port wasn't removed from the host
+ and in case of 'permit-access 127.0.0.1 example.org:80' Privoxy
+ would try (and fail) to resolve "example.org:80" instead of
+ example.org. Reported by Pak Chan on ijbswa-users@.
+
+
+ -
+
Check requests more carefully before serving them forcefully
+ when blocks aren't enforced. Privoxy always adds the force token
+ at the beginning of the path, but would previously accept it
+ anywhere in the request line. This could result in requests being
+ served that should be blocked. For example in case of pages that
+ were loaded with force and contained JavaScript to create
+ additionally requests that embed the origin URL (thus inheriting
+ the force prefix). The bug is not considered a security issue and
+ the fix does not make it harder for remote sites to intentionally
+ circumvent blocks if Privoxy isn't configured to enforce them.
+ Fixes #1695 reported by Korda.
+
+
+ -
+
Normalize the request line in intercepted requests to make
+ rewriting the destination more convenient. Previously rewrites
+ for intercepted requests were expected to fail unless $hostport
+ was being used, but they failed "the wrong way" and would result
+ in an out-of-memory message (vanilla host patterns) or a crash
+ (extended host patterns). Reported by "Guybrush Threepwood" in
+ #1694.
-
-
Fixed multiple segmentation faults and memory leaks in the
- pcrs code. This fix also increases the chances that an invalid
- pcrs command is rejected as such. Previously some invalid
- commands would be loaded without error. Note that Privoxy's pcrs
- sources (action and filter files) are considered trustworthy
- input and should not be writable by untrusted third-parties.
- CVE-2015-1381.
+ Enable socket lingering for the correct socket. Previously it
+ was repeatedly enabled for the listen socket instead of for the
+ accepted socket. The bug was found by code inspection and did not
+ cause any (reported) issues.
-
-
Fixed an 'invalid read' bug which could at least theoretically
- cause Privoxy to crash. So far, no crashes have been observed.
- CVE-2015-1382.
+ Detect and reject parameters for parameter-less actions.
+ Previously they were silently ignored.
-
-
Compiles with --disable-force again. Reported by Kai
- Raven.
+ Fixed invalid reads in internal and outdated pcre code. Found
+ with afl-fuzz and AddressSanitizer.
-
-
Client requests with body that can't be delivered no longer
- cause pipelined requests behind them to be rejected as invalid.
- Reported by Basil Hussain.
+ Prevent invalid read when loading invalid action files. Found
+ with afl-fuzz and AddressSanitizer.
+
+
+ -
+
Windows build: Use the correct function to close the event
+ handle. It's unclear if this bug had a negative impact on
+ Privoxy's behaviour. Reported by Jarry Xu in #891.
+
+
+ -
+
In case of invalid forward-socks5(t) directives, use the
+ correct directive name in the error messages. Previously they
+ referred to forward-socks4t failures. Reported by Joel Verhagen
+ in #889.