Document the +fast-redirects{} HTTP response splitting fix

diff --git a/ChangeLog b/ChangeLog
index b0e69b3..4a8e6ef 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,10 @@ ChangeLog for Privoxy
 *** Version 3.0.18 Stable ***
 
 - Bug fixes:
 *** Version 3.0.18 Stable ***
 
 - Bug fixes:

+  - If the redirect URL contains characters RFC 3986 doesn't permit,
+    they are (re)encoded. Not doing this makes Privoxy versions from
+    3.0.5 to 3.0.17 susceptible to HTTP response splitting (CWE-113)
+    attacks if the +fast-redirects{check-decoded-url} action is used.

   - Fix a logic bug that could cause Privoxy to reuse a server
     socket after it got tainted by a server-header-tagger-induced
     block that was triggered before the whole server response had
   - Fix a logic bug that could cause Privoxy to reuse a server
     socket after it got tainted by a server-header-tagger-induced
     block that was triggered before the whole server response had

diff --git a/doc/source/user-manual.sgml b/doc/source/user-manual.sgml
index fa03f4d..585d402 100644 (file)
--- a/doc/source/user-manual.sgml
+++ b/doc/source/user-manual.sgml
@@ -34,7 +34,7 @@
                 This file belongs into
                 ijbswa.sourceforge.net:/home/groups/i/ij/ijbswa/htdocs/
 
                 This file belongs into
                 ijbswa.sourceforge.net:/home/groups/i/ij/ijbswa/htdocs/
 

- $Id: user-manual.sgml,v 2.139 2011/11/18 16:49:29 fabiankeil Exp $
+ $Id: user-manual.sgml,v 2.140 2011/11/19 15:18:02 fabiankeil Exp $

 
  Copyright (C) 2001-2011 Privoxy Developers http://www.privoxy.org/
  See LICENSE.
 
  Copyright (C) 2001-2011 Privoxy Developers http://www.privoxy.org/
  See LICENSE.


@@ -60,7 +60,7 @@
  </subscript>
 </pubdate>
 
  </subscript>
 </pubdate>
 

-<pubdate>$Id: user-manual.sgml,v 2.139 2011/11/18 16:49:29 fabiankeil Exp $</pubdate>
+<pubdate>$Id: user-manual.sgml,v 2.140 2011/11/19 15:18:02 fabiankeil Exp $</pubdate>

 
 <!--
 
 
 <!--
 


@@ -447,6 +447,14 @@ How to install the binary packages depends on your operating system:
    <para>
     Bug fixes:
     <itemizedlist>
    <para>
     Bug fixes:
     <itemizedlist>

+    <listitem>
+     <para>
+      If the redirect URL contains characters RFC 3986 doesn't permit,
+      they are (re)encoded. Not doing this makes Privoxy versions from
+      3.0.5 to 3.0.17 susceptible to HTTP response splitting (CWE-113)
+      attacks if the +fast-redirects{check-decoded-url} action is used.
+     </para>
+    </listitem>

     <listitem>
      <para>
       Fix a logic bug that could cause Privoxy to reuse a server
     <listitem>
      <para>
       Fix a logic bug that could cause Privoxy to reuse a server


@@ -9362,6 +9370,9 @@ In file: user.action <guibutton>[ View ]</guibutton> <guibutton>[ Edit ]</guibut
  USA
 
  $Log: user-manual.sgml,v $
  USA
 
  $Log: user-manual.sgml,v $

+ Revision 2.140  2011/11/19 15:18:02  fabiankeil
+ Update ChangeLog
+

  Revision 2.139  2011/11/18 16:49:29  fabiankeil
  Update ChangeLog
 
  Revision 2.139  2011/11/18 16:49:29  fabiankeil
  Update ChangeLog
 

diff --git a/doc/webserver/user-manual/whatsnew.html b/doc/webserver/user-manual/whatsnew.html
index 776982d..67a98ad 100644 (file)
--- a/doc/webserver/user-manual/whatsnew.html
+++ b/doc/webserver/user-manual/whatsnew.html
@@ -61,6 +61,14 @@ body {
         <p>Bug fixes:</p>
 
         <ul>
         <p>Bug fixes:</p>
 
         <ul>

+          <li>
+            <p>If the redirect URL contains characters RFC 3986 doesn't
+            permit, they are (re)encoded. Not doing this makes Privoxy
+            versions from 3.0.5 to 3.0.17 susceptible to HTTP response
+            splitting (CWE-113) attacks if the
+            +fast-redirects{check-decoded-url} action is used.</p>
+          </li>
+

           <li>
             <p>Fix a logic bug that could cause Privoxy to reuse a server
             socket after it got tainted by a server-header-tagger-induced
           <li>
             <p>Fix a logic bug that could cause Privoxy to reuse a server
             socket after it got tainted by a server-header-tagger-induced