Clifford Caoile
Edward Carrel
Celejar
+ Chakib Benziane
Pak Chan
Wan-Teh Chang
Sam Chen
When building from a source tarball, first unpack the source:
- tar xzvf privoxy-3.0.34-beta-src.tar.gz
- cd privoxy-3.0.34-beta
+ tar xzvf privoxy-3.0.34-stable-src.tar.gz
+ cd privoxy-3.0.34-stable
To build the development version, you can get the source code by doing:
*
*********************************************************************/
-This README is included with the development version of Privoxy 3.0.34. See
-https://www.privoxy.org/ for more information. The current code maturity level
-is "UNRELEASED", but seems stable to us :).
+This README is included with Privoxy 3.0.34. See https://www.privoxy.org/ for
+more information. The current code maturity level is "stable".
-------------------------------------------------------------------------------
The actions list can be configured via the web interface accessed via http://
p.p/, as well other options.
-All configuration files are subject to unannounced changes during the
-development process.
-
-------------------------------------------------------------------------------
5. DOCUMENTATION
-There should be documentation in the 'doc' subdirectory, but it may not be
-completed at this point. In particular, see the User Manual there, the FAQ, and
-those interested in Privoxy development, should look at developer-manual.
+There should be documentation in the 'doc' subdirectory. In particular, see the
+User Manual there, the FAQ, and those interested in Privoxy development, should
+look at developer-manual.
-The most up to date source of information on the current development version,
-may still be either comments in the source code, or the included configuration
-files. The source and configuration files are all well commented. The main
-configuration files are: 'config', 'default.action', and 'default.filter' in
-the top-level source directory.
+The source and configuration files are all well commented. The main
+configuration files are: 'config', 'default.action', and 'default.filter'.
Included documentation may vary according to platform and packager. All
documentation is posted on https://www.privoxy.org, in case you don't have it,
into an empty directory</i></span>. (See "Building and releasing packages" above).</p>
<p>Check that you have the current versions of the <a href=
"https://sourceforge.net/projects/nsis/files/NSIS%203/" target="_top">NSIS installer</a>, <a href=
- "https://ftp.pcre.org/pub/pcre/" target="_top">PCRE library</a>, <a href="https://tls.mbed.org/download"
- target="_top">MBED TLS library</a>, <a href="https://github.com/google/brotli/releases" target="_top">Brotli
- library</a>, and that the <span class="emphasis"><i class="EMPHASIS">MAKENSIS</i></span> evar in <tt class=
- "FILENAME">windows/GNUMakefile</tt> points to the NSIS installer program. (See the <a href=
- "../user-manual/installation.html#WINBUILD-CYGWIN" target="_top"><span class="emphasis"><i class=
- "EMPHASIS">Building from Source / Windows</i></span></a> section of the User Manual for details.)</p>
+ "https://sourceforge.net/projects/pcre/files/pcre/" target="_top">PCRE library</a>, <a href=
+ "https://github.com/Mbed-TLS/mbedtls/tags" target="_top">MBED TLS library</a>, <a href=
+ "https://github.com/google/brotli/releases" target="_top">Brotli library</a>, and that the <span class=
+ "emphasis"><i class="EMPHASIS">MAKENSIS</i></span> evar in <tt class="FILENAME">windows/GNUMakefile</tt> points
+ to the NSIS installer program. (See the <a href="../user-manual/installation.html#WINBUILD-CYGWIN" target=
+ "_top"><span class="emphasis"><i class="EMPHASIS">Building from Source / Windows</i></span></a> section of the
+ User Manual for details.)</p>
<p>Then you can build the package. This is fully automated, and is controlled by <tt class=
"FILENAME">windows/GNUmakefile</tt>. All you need to do is:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
under the terms of the <i class="CITETITLE">GNU General Public License</i> as published by the Free Software
Foundation, either version 2 of the license, or (at your option) any later version.</p>
<p>The same is true for <span class="APPLICATION">Privoxy</span> binaries unless they are linked with a <a href=
- "https://tls.mbed.org/" target="_top">mbed TLS</a> or <a href="https://www.openssl.org/" target=
- "_top">OpenSSL</a> version that is licensed under the Apache 2.0 license in which case you can redistribute
- and/or modify the <span class="APPLICATION">Privoxy</span> binaries under the terms of the <i class=
- "CITETITLE">GNU General Public License</i> as published by the Free Software Foundation, either version 3 of the
- license, or (at your option) any later version.</p>
+ "https://www.trustedfirmware.org/projects/mbed-tls/" target="_top">mbed TLS</a> or <a href=
+ "https://www.openssl.org/" target="_top">OpenSSL</a> version that is licensed under the Apache 2.0 license in
+ which case you can redistribute and/or modify the <span class="APPLICATION">Privoxy</span> binaries under the
+ terms of the <i class="CITETITLE">GNU General Public License</i> as published by the Free Software Foundation,
+ either version 3 of the license, or (at your option) any later version.</p>
<p><span class="APPLICATION">Privoxy</span> is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
<a href="https://www.privoxy.org/user-manual/copyright.html#LICENSE" target="_top"><i class=
<div class="ARTICLE">
<div class="TITLEPAGE">
<h1 class="TITLE"><a name="AEN2" id="AEN2">Privoxy Frequently Asked Questions</a></h1>
- <p class="PUBDATE"><sub><a href="copyright.html">Copyright</a> © 2001-202
1 by <a href=
+ <p class="PUBDATE"><sub><a href="copyright.html">Copyright</a> © 2001-202
3 by <a href=
"https://www.privoxy.org/" target="_top">Privoxy Developers</a></sub><br></p>
<div>
<div class="ABSTRACT">
<p><a href="https://www.privoxy.org/donate" target="_top">https://www.privoxy.org/donate</a></p>
</li>
</ul>
- <p>The most recent release is <a href="announce.txt" target="_top">3.0.34 (UNRELEASED)</a>.</p>
+ <p>The most recent release is <a href="announce.txt" target="_top">3.0.34 (stable)</a>.</p>
</div>
</div>
<hr>
<p style="text-align: center"><sub>The Privoxy website is also available as <a href=
"http://l3tczdiiwoo63iwxty4lhs6p7eaxop5micbn7vbliydgv63x5zrrrfyd.onion/" target="_top">Tor onion
service</a>.</sub></p>
- <p style="text-align: center"><sub>Copyright © 2001-2021 by Privoxy Developers</sub></p>
+ <p style="text-align: center"><sub>Copyright © 2001-2023 by Privoxy Developers</sub></p>
<p style="text-align: center"><sub>Hosting and development is funded in part by:</sub></p>
<p style="text-align: center"><sub><a href="https://www.lalal.ai/"><img src="images/sponsors/lalal.ai_logo.png"
align="middle" alt="Vocal Remover by Lalal.ai"></a></sub></p>
<div class="SECT1">
<hr>
<h2 class="SECT1"><a name="AEN62" id="AEN62"></a></h2>
- <p><sub>Copyright © 2001-2021 by Privoxy Developers</sub></p>
+ <p><sub>Copyright © 2001-2023 by Privoxy Developers</sub></p>
</div>
</div>
</body>
</div>
<div class="SECT3">
<h3 class="SECT3"><a name="CLIENT-TAG-PATTERN" id="CLIENT-TAG-PATTERN">8.4.5. The Client Tag Pattern</a></h3>
- <div class="WARNING">
- <table class="WARNING" border="1" width="100%">
- <tr>
- <td align="center"><b>Warning</b></td>
- </tr>
- <tr>
- <td align="left">
- <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
- </td>
- </tr>
- </table>
- </div>
<p>Client tag patterns are not set based on HTTP headers but based on the client's IP address. Users can enable
them themselves, but the Privoxy admin controls which tags are available and what their effect is.</p>
<p>After a client-specific tag has been defined with the <a href=
<p>Note that the action has to be enabled based on the CONNECT request which doesn't contain a path.
Enabling it based on a pattern with path doesn't work as the path is only seen by <span class=
"APPLICATION">Privoxy</span> if the action is already enabled.</p>
- <p>This is an experimental feature.</p>
</dd>
<dt>Example usage (section):</dt>
<dd>
these. If not, you will get a friendly error message. Internet access is not necessary either.</p>
<ul>
<li>
- <p>Privoxy main page:</p><a name="AEN6516" id="AEN6516"></a>
+ <p>Privoxy main page:</p><a name="AEN6423" id="AEN6423"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/" target="_top">http://config.privoxy.org/</a></p>
</blockquote>
"APPLICATION">Privoxy</span>)</p>
</li>
<li>
- <p>View and toggle client tags:</p><a name="AEN6524" id="AEN6524"></a>
+ <p>View and toggle client tags:</p><a name="AEN6431" id="AEN6431"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/client-tags" target=
"_top">http://config.privoxy.org/client-tags</a></p>
</li>
<li>
<p>Show information about the current configuration, including viewing and editing of actions
- files:</p><a name="AEN6529" id="AEN6529"></a>
+ files:</p><a name="AEN6436" id="AEN6436"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/show-status" target=
"_top">http://config.privoxy.org/show-status</a></p>
</blockquote>
</li>
<li>
- <p>Show the browser's request headers:</p><a name="AEN6534" id="AEN6534"></a>
+ <p>Show the browser's request headers:</p><a name="AEN6441" id="AEN6441"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/show-request" target=
"_top">http://config.privoxy.org/show-request</a></p>
</blockquote>
</li>
<li>
- <p>Show which actions apply to a URL and why:</p><a name="AEN6539" id="AEN6539"></a>
+ <p>Show which actions apply to a URL and why:</p><a name="AEN6446" id="AEN6446"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/show-url-info" target=
"_top">http://config.privoxy.org/show-url-info</a></p>
<li>
<p>Toggle Privoxy on or off. This feature can be turned off/on in the main <tt class="FILENAME">config</tt>
file. When toggled <span class="QUOTE">"off"</span>, <span class="QUOTE">"Privoxy"</span> continues to run,
- but only as a pass-through proxy, with no actions taking place:</p><a name="AEN6547" id="AEN6547"></a>
+ but only as a pass-through proxy, with no actions taking place:</p><a name="AEN6454" id="AEN6454"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/toggle" target="_top">http://config.privoxy.org/toggle</a></p>
</blockquote>
- <p>Short cuts. Turn off, then on:</p><a name="AEN6551" id="AEN6551"></a>
+ <p>Short cuts. Turn off, then on:</p><a name="AEN6458" id="AEN6458"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/toggle?set=disable" target=
"_top">http://config.privoxy.org/toggle?set=disable</a></p>
- </blockquote><a name="AEN6554" id="AEN6554"></a>
+ </blockquote><a name="AEN6461" id="AEN6461"></a>
<blockquote class="BLOCKQUOTE">
<p><a href="http://config.privoxy.org/toggle?set=enable" target=
"_top">http://config.privoxy.org/toggle?set=enable</a></p>
</dd>
<dt>Notes:</dt>
<dd>
- <p>The value of this option only matters if the experimental trust mechanism has been activated. (See
- <a href="config.html#TRUSTFILE"><span class="emphasis"><i class="EMPHASIS">trustfile</i></span></a>
- below.)</p>
+ <p>The value of this option only matters if the trust mechanism has been activated. (See <a href=
+ "config.html#TRUSTFILE"><span class="emphasis"><i class="EMPHASIS">trustfile</i></span></a> below.)</p>
<p>If you use the trust mechanism, it is a good idea to write up some on-line documentation about your
trust policy and to specify the URL(s) here. Use multiple times for multiple URLs.</p>
<p>The URL(s) should be added to the trustfile as well, so users don't end up locked out from the
</div>
</div>
<div class="SECT2">
- <h2 class="SECT2"><a name="HTTPS-INSPECTION-DIRECTIVES" id="HTTPS-INSPECTION-DIRECTIVES">7.7. HTTPS Inspection
- (Experimental)</a></h2>
+ <h2 class="SECT2"><a name="HTTPS-INSPECTION-DIRECTIVES" id="HTTPS-INSPECTION-DIRECTIVES">7.7. HTTPS
+ Inspection</a></h2>
<p>HTTPS inspection allows to filter encrypted requests and responses. This is only supported when <span class=
"APPLICATION">Privoxy</span> has been built with FEATURE_HTTPS_INSPECTION. If you aren't sure if your version
supports it, have a look at <a href="http://config.privoxy.org/show-status" target=
<tr>
<td>
<pre class="SCREEN"> </pre>
- <h2 class="BRIDGEHEAD"><a name="AEN952"></a> Privoxy Menu</h2>
+ <h2 class="BRIDGEHEAD"><a name="AEN864"></a> Privoxy Menu</h2>
<pre><br></pre>
<table border="0">
<tbody>
<h2 class="SECT2"><a name="CONFOVERVIEW">6.2. Configuration Files Overview</a></h2>
<p>For Unix, *BSD and GNU/Linux, all configuration files are located in <tt class="FILENAME">/etc/privoxy/</tt>
by default. For MS Windows these are all in the same directory as the <span class="APPLICATION">Privoxy</span>
- executable. The name and number of configuration files has changed from previous versions, and is subject to
- change as development progresses.</p>
+ executable.</p>
<p>The installed defaults provide a reasonable starting point, though some settings may be aggressive by some
standards. For the time being, the principle configuration files are:</p>
<ul>
listening address of <span class="APPLICATION">Privoxy</span>, these <span class="QUOTE">"wake up"</span>
requests must obviously be sent to the <span class="emphasis"><i class="EMPHASIS">old</i></span> listening
address.</p>
- <p>While under development, the configuration content is subject to change. The below documentation may not be
- accurate by the time you read this. Also, what constitutes a <span class="QUOTE">"default"</span> setting, may
- change, so please check all your configuration files on important issues.</p>
</div>
</div>
<div class="NAVFOOTER">
under the terms of the <i class="CITETITLE">GNU General Public License</i> as published by the Free Software
Foundation, either version 2 of the license, or (at your option) any later version.</p>
<p>The same is true for <span class="APPLICATION">Privoxy</span> binaries unless they are linked with a <a href=
- "https://tls.mbed.org/" target="_top">mbed TLS</a> version that is licensed under the Apache 2.0 license in which
- case you can redistribute and/or modify the <span class="APPLICATION">Privoxy</span> binaries under the terms of
- the <i class="CITETITLE">GNU General Public License</i> as published by the Free Software Foundation, either
- version 3 of the license, or (at your option) any later version.</p>
+ "https://www.trustedfirmware.org/projects/mbed-tls/" target="_top">mbed TLS</a> version that is licensed under the
+ Apache 2.0 license in which case you can redistribute and/or modify the <span class="APPLICATION">Privoxy</span>
+ binaries under the terms of the <i class="CITETITLE">GNU General Public License</i> as published by the Free
+ Software Foundation, either version 3 of the license, or (at your option) any later version.</p>
<p>Both licenses are included in the next section.</p>
<div class="SECT2">
<h2 class="SECT2"><a name="LICENSE">12.1. License</a></h2>
<p>When compiled with FEATURE_BROTLI (optional), Privoxy depends on <a href="https://www.brotli.org/" target=
"_top">brotli</a>.</p>
<p>When compiled with FEATURE_HTTPS_INSPECTION (optional), Privoxy depends on a TLS library. The supported
- libraries are <a href="https://www.openssl.org/" target="_top">LibreSSL</a>, <a href="https://tls.mbed.org/"
- target="_top">mbed TLS</a> and <a href="https://www.openssl.org/" target="_top">OpenSSL</a>.</p>
+ libraries are <a href="https://www.openssl.org/" target="_top">LibreSSL</a>, <a href=
+ "https://github.com/Mbed-TLS/mbedtls/tags" target="_top">mbed TLS 2.28.x</a> and <a href=
+ "https://www.openssl.org/" target="_top">OpenSSL</a>.</p>
<p>When compiled with FEATURE_ZLIB (optional), Privoxy depends on <a href="https://zlib.net/" target=
"_top">zlib</a>.</p>
</div>
Clifford Caoile<br>
Edward Carrel<br>
Celejar<br>
+ Chakib Benziane<br>
Pak Chan<br>
Wan-Teh Chang<br>
Sam Chen<br>
</dd>
<dt><span class="emphasis"><i class="EMPHASIS">banners-by-link</i></span></dt>
<dd>
- <p>This is an experimental filter that attempts to kill any banners if their URLs seem to point to known or
- suspected click trackers. It is currently not of much value and is not recommended for use by default.</p>
+ <p>This filter attempts to kill any banners if their URLs seem to point to known or suspected click
+ trackers. It is currently not of much value and is not recommended for use by default.</p>
</dd>
<dt><span class="emphasis"><i class="EMPHASIS">webbugs</i></span></dt>
<dd>
<dt>7.6.19. <a href="config.html#RECEIVE-BUFFER-SIZE">receive-buffer-size</a></dt>
</dl>
</dd>
- <dt>7.7. <a href="config.html#HTTPS-INSPECTION-DIRECTIVES">HTTPS Inspection (Experimental)</a></dt>
+ <dt>7.7. <a href="config.html#HTTPS-INSPECTION-DIRECTIVES">HTTPS Inspection</a></dt>
<dd>
<dl>
<dt>7.7.1. <a href="config.html#CA-DIRECTORY">ca-directory</a></dt>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
- <pre class="SCREEN"> tar xzvf privoxy-3.0.34-beta-src.tar.gz
- cd privoxy-3.0.34-beta</pre>
+ <pre class="SCREEN"> tar xzvf privoxy-3.0.34-stable-src.tar.gz
+ cd privoxy-3.0.34-stable</pre>
</td>
</tr>
</table>
</td>
</tr>
</table>
- <p>Get the latest 8.x PCRE code from <a href="https://ftp.pcre.org/pub/pcre/" target="_top">PCRE
- https://ftp.pcre.org/pub/pcre/</a> and build the static PCRE libraries with</p>
+ <p>Get the latest 8.x PCRE code from <a href="https://sourceforge.net/projects/pcre/files/pcre/" target=
+ "_top">PCRE https://sourceforge.net/projects/pcre/files/pcre/</a> and build the static PCRE libraries
+ with</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
</td>
</tr>
</table>
- <p>If you want to be able to have Privoxy do TLS Inspection, get the latest 2.16.x MBED-TLS library source
- code from <a href="https://github.com/ARMmbed/mbedtls/tags" target=
- "_top">https://github.com/ARMmbed/mbedtls/tags</a>, extract the tar file into <tt class=
+ <p>If you want to be able to have Privoxy do TLS Inspection, get the latest 2.28.x MBED-TLS library source
+ code from <a href="https://github.com/Mbed-TLS/mbedtls/tags" target=
+ "_top">https://github.com/Mbed-TLS/mbedtls/tags</a>, extract the tar file into <tt class=
"LITERAL"><root-dir></tt> and build the static libraries with</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
</div>
<div class="SECT1">
<h1 class="SECT1"><a name="INTRODUCTION" id="INTRODUCTION">1. Introduction</a></h1>
- <p>This documentation is included with the current UNRELEASED version of <span class="APPLICATION">Privoxy</span>,
- 3.0.34, and is mostly complete at this point. The most up to date reference for the time being is still the
- comments in the source files and in the individual configuration files. Development of a new version is currently
- nearing completion, and includes significant changes and enhancements over earlier versions.</p>
- <p>Since this is a UNRELEASED version, not all new features are well tested. This documentation may be slightly out
- of sync as a result (especially with <a href="https://www.privoxy.org/gitweb/?p=privoxy.git;a=summary" target=
- "_top">git sources</a>). And there <span class="emphasis"><i class="EMPHASIS">may be</i></span> bugs, though
- hopefully not many!</p>
+ <p>This documentation is included with the current stable version of <span class="APPLICATION">Privoxy</span>,
+ 3.0.34.</p>
<div class="SECT2">
<h2 class="SECT2"><a name="FEATURES" id="FEATURES">1.1. Features</a></h2>
<p>In addition to the core features of ad blocking and <a href="https://en.wikipedia.org/wiki/Browser_cookie"
target="_top">cookie</a> management, <span class="APPLICATION">Privoxy</span> provides many supplemental
- features, some of them currently under development, that give the end-user more control, more privacy and more
- freedom:</p>
+ features, that give the end-user more control, more privacy and more freedom:</p>
<ul>
<li>
<p>Supports "Connection: keep-alive". Outgoing connections can be kept alive independently from the
<p>Find <tt class="FILENAME">user.action</tt> in the top section, and click on <span class=
"QUOTE">"<span class="GUIBUTTON">Edit</span>"</span>:</p>
<div class="FIGURE">
- <a name="AEN719" id="AEN719"></a>
+ <a name="AEN631" id="AEN631"></a>
<p><b>Figure 1. Actions Files in Use</b></p>
<div class="MEDIAOBJECT">
<p><img src="files-in-use.jpg"></p>
<p>Please note that <span class="APPLICATION">Privoxy</span> can only proxy HTTP and HTTPS traffic. It will not
work with FTP or other protocols.</p>
<div class="FIGURE">
- <a name="AEN773" id="AEN773"></a>
+ <a name="AEN685" id="AEN685"></a>
<p><b>Figure 2. Proxy Configuration Showing Mozilla Firefox HTTP and HTTPS (SSL) Settings</b></p>
<div class="MEDIAOBJECT">
<p><img src="proxy_setup.jpg"></p>
protocols"</span> is <span class="emphasis"><i class="EMPHASIS">UNCHECKED</i></span>. You want only HTTP and HTTPS
(SSL)!</p>
<div class="FIGURE">
- <a name="AEN815" id="AEN815"></a>
+ <a name="AEN727" id="AEN727"></a>
<p><b>Figure 3. Proxy Configuration Showing Internet Explorer HTTP and HTTPS (Secure) Settings</b></p>
<div class="MEDIAOBJECT">
<p><img src="proxy2.jpg"></p>
</div>
<div class="SECT1">
<h1 class="SECT1"><a name="WHATSNEW" id="WHATSNEW">3. What's New in this Release</a></h1>
- <p><span class="APPLICATION">Privoxy 3.0.33</span> fixes an XSS issue and multiple DoS issues and a couple of other
- bugs. The issues also affect earlier Privoxy releases. <span class="APPLICATION">Privoxy 3.0.33</span> also comes
- with a couple of general improvements and new features.</p>
- <p>Changes in <span class="APPLICATION">Privoxy 3.0.33</span> stable:</p>
+ <p><span class="APPLICATION">Privoxy 3.0.34</span> fixes a few minor bugs and comes with a couple of general
+ improvements and new features.</p>
+ <p>Changes in <span class="APPLICATION">Privoxy 3.0.34</span> stable:</p>
<ul>
<li>
- <p>Security/Reliability:</p>
+ <p>Bug fixes:</p>
<ul>
<li>
- <p>cgi_error_no_template(): Encode the template name to prevent XSS (cross-site scripting) when Privoxy is
- configured to servce the user-manual itself. Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
- Reported by: Artem Ivanov</p>
+ <p>Improve the handling of chunk-encoded responses by buffering the data even if filters are disabled and
+ properly keeping track of where the various chunks are supposed to start and end. Previously Privoxy would
+ merely check the last bytes received to see if they looked like the last-chunk. This failed to work if the
+ last-chunk wasn't received in one read and could also result in actual data being misdetected as
+ last-chunk. Should fix: SF support request #1739 Reported by: withoutname</p>
</li>
<li>
- <p>get_url_spec_param(): Free memory of compiled pattern spec before bailing. Reported by Joshua Rogers
- (Opera) who also provided the fix. Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.</p>
+ <p>remove_chunked_transfer_coding(): Refuse to de-chunk invalid data Previously the data could get
+ corrupted even further. Now we simply pass the unmodified data to the client.</p>
</li>
<li>
- <p>process_encrypted_request_headers(): Free header memory when failing to get the request destination.
- Reported by Joshua Rogers (Opera) who also provided the fix. Commit 0509c58045. OVE-20211201-0002.
- CVE-2021-44541.</p>
+ <p>gif_deanimate(): Tolerate multiple image extensions in a row. This allows to deanimate all the gifs on:
+ https://commons.wikimedia.org/wiki/Category:Animated_smilies Fixes SF bug #795 reported by Celejar.</p>
</li>
<li>
- <p>send_http_request(): Prevent memory leaks when handling errors Reported by Joshua Rogers (Opera) who
- also provided the fix. Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.</p>
+ <p>OpenSSL generate_host_certificate(): Use X509_get_subject_name() instead of X509_get_issuer_name() to
+ get the issuer for generated website certificates so there are no warnings in the browser when using an
+ intermediate CA certificate instead of a self-signed root certificate. Problem reported and patch submitted
+ by Chakib Benziane.</p>
</li>
- </ul>
- </li>
- <li>
- <p>Bug fixes:</p>
- <ul>
<li>
- <p>handle_established_connection(): Skip the poll()/select() calls if TLS data is pending on the server
- socket. The TLS library may have already consumed all the data from the server response in which case
- poll() and select() will not detect that data is available to be read. Fixes SF bug #926 reported by Wen
- Yue.</p>
+ <p>can_filter_request_body(): Fix a log message that contained a spurious u.</p>
</li>
<li>
- <p>continue_https_chat(): Update csp->server_connection.request_sent after sending the request to make
- sure the latency is calculated correctly. Previously https connections were not reused after timeout
- seconds after the first request made on the connection.</p>
+ <p>handle_established_connection(): Check for pending TLS data from the client before checking if data is
+ available on the connection. The TLS library may have already consumed all the data from the client
+ response in which case poll() and select() will not detect that data is available to be read. Sponsored by:
+ Robert Klemme</p>
</li>
<li>
- <p>free_pattern_spec(): Don't try to free an invalid pointer when unloading an action file with a TAG
- pattern while Privoxy has been compiled without FEATURE_PCRE_HOST_PATTERNS. Closes: SF patch request #147.
- Patch by Maxim Antonov.</p>
+ <p>ssl_send_certificate_error(): Don't crash if there's no certificate information available. This is only
+ relevant when Privoxy is built with wolfSSL 5.0.0 or later (code not yet published). Earlier wolfSSL
+ versions or the other TLS backends don't seem to trigger the crash.</p>
</li>
<li>
- <p>Adjust build_request_line() to create a CONNECT request line when https-inspecting and forwarding to a
- HTTP proxy. Fixes SF bug #925 reported by Wen Yue.</p>
- </li>
- <li>
- <p>load_config(): Add a space that was missing in a log message.</p>
- </li>
- <li>
- <p>read_http_request_body(): Fix two error messages that used an incorrect variable.</p>
- </li>
- <li>
- <p>If the the response is chunk-encoded, ignore the Content-Length header sent by the server. Allows to
- load https://redmine.lighttpd.net/ with filtering enabled.</p>
+ <p>socks5_connect(): Add support for target hosts specified as IPv4 address Previously the IP address was
+ sent as domain.</p>
</li>
</ul>
</li>
<p>General improvements:</p>
<ul>
<li>
- <p>Allow to edit the add-header action through the CGI editor by generalizing the code that got added with
- the suppress-tag action. Closes SF patch request #146. Patch by Maxim Antonov.</p>
+ <p>Add a client-body-tagger action which creates tags based on the content of the request body. Sponsored
+ by: Robert Klemme</p>
</li>
<li>
- <p>Add a CGI handler for /wpad.dat that returns a Proxy Auto-Configuration (PAC) file. Among other things,
- it can be used to instruct clients through DHCP to use Privoxy as proxy. For example with the dnsmasq
- option: dhcp-option=252,http://config.privoxy.org/wpad.dat Initial patch by Richard Schneidt.</p>
+ <p>When client-body filters are enabled, buffer the whole request before opening a connection to the
+ server. Makes it less likely that the server connection times out and we don't open a connection if the
+ buffering fails anyway. Sponsored by: Robert Klemme</p>
</li>
<li>
- <p>Don't log the applied actions in process_encrypted_request() Log them in continue_https_chat() instead
- to mirror chat(). Prevents the applied actions from getting logged twice for the first request on an
- https-inspected connection.</p>
+ <p>Add periods to a couple of log messages.</p>
</li>
<li>
- <p>OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name Org and Org Unit if the real
- host name is too long to get accepted by OpenSSL. Clients should only care about the Subject Alternative
- Name anyway and we can continue to use the real host name for it. Reported by Miles Wen on
- privoxy-users@.</p>
+ <p>accept_connection(): Add missing space to a log message.</p>
</li>
<li>
- <p>Establish the TLS connection with the client earlier and decide how to route the request afterwards.
- This allows to change the forwarding settings based on information from the https-inspected request, for
- example the path.</p>
+ <p>Initialize ca-related defaults with strdup_or_die() so errors aren't silently ignored.</p>
</li>
<li>
- <p>listen_loop(): When shutting down gracefully, close listening ports before waiting for the threads to
- exit. Allows to start a second Privoxy with the same config file while the first Privoxy is still
- running.</p>
+ <p>make_path: Use malloc_or_die() in cases where allocation errors were already fatal anyway.</p>
</li>
<li>
- <p>serve(): Close the client socket as well if the server socket for an inspected connection has been
- closed. Privoxy currently can't establish a new server connection when the client socket is reused and
- would drop the connection in continue_https_chat() anyway.</p>
+ <p>handle_established_connection(): Improve an error message slightly.</p>
</li>
<li>
- <p>Don't disable redirect checkers in redirect_url(). Disable them in handle_established_connection()
- instead. Doing it in redirect_url() prevented the +redirect{} and +fast-redirects{} actions from being
- logged with LOG_LEVEL_ACTIONS.</p>
+ <p>receive_client_request(): Reject https URLs without CONNECT request.</p>
</li>
<li>
- <p>handle_established_connection(): Slightly improve a comment.</p>
+ <p>Include all requests in the statistics if mutexes are available. Previously in case of reused
+ connections only the last request got counted. The statistics still aren't perfect but it's an
+ improvement.</p>
</li>
<li>
- <p>handle_established_connection(): Fix a comment.</p>
+ <p>Add read_socks_reply() and start using it in socks5_connect() to apply the socket timeout more
+ consistently.</p>
</li>
<li>
- <p>socks5_connect(): Fix indentation.</p>
+ <p>socks5_connect(): Deal with domain names in the socks reply</p>
</li>
<li>
- <p>handle_established_connection(): Improve an error message.</p>
- </li>
- <li>
- <p>create_pattern_spec(): Fix ifdef indentation.</p>
- </li>
- <li>
- <p>Fix comment typos.</p>
- </li>
- <li>
- <p>process_encrypted_request(): Improve a log message. The function only processes request headers and
- there may still be unread request body data left to process.</p>
- </li>
- <li>
- <p>chat(): Log the applied actions before deciding how to forward the request.</p>
- </li>
- <li>
- <p>parse_time_header(): Silence a coverity complaint when building without assertions.</p>
- </li>
- <li>
- <p>receive_encrypted_request_headers(): Improve a log message.</p>
- </li>
- <li>
- <p>mbedTLS get_ciphersuites_from_string(): Use strlcpy() instead of strncpy(). Previously the terminating
- NUL wasn't copied which resulted in a compiler warning. This didn't cause actual problems as the target
- buffer was initialized by zalloc_or_die() so the last byte of the target buffer was NUL already. Actually
- copying the terminating NUL seems clearer, though.</p>
- </li>
- <li>
- <p>Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..." doesn't return but apparently the compiler
- doesn't know that. Get rid of several "this statement may fall through [-Wimplicit-fallthrough=]"
- warnings.</p>
- </li>
- <li>
- <p>Store the PEM certificate in a dynamically allocated buffer when https-inspecting. Should prevent errors
- like: 2021-03-16 22:36:19.148 7f47bbfff700 Error: X509 PEM cert len 16694 is larger than buffer len 16383
- As a bonus it should slightly reduce the memory usage as most certificates are smaller than the previously
- used fixed buffer. Reported by: Wen Yue</p>
- </li>
- <li>
- <p>OpenSSL generate_host_certificate(): Fix two error messsages.</p>
- </li>
- <li>
- <p>Improve description of handle_established_connection()</p>
- </li>
- <li>
- <p>OpenSSL ssl_store_cert(): Translate EVP_PKEY_EC to a string.</p>
- </li>
- <li>
- <p>OpenSSL ssl_store_cert(): Remove pointless variable initialization.</p>
- </li>
- <li>
- <p>OpenSSL ssl_store_cert(): Initialize pointer with NULL instead of 0.</p>
+ <p>Add a filter for bundeswehr.de</p>
</li>
</ul>
</li>
<p>Action file improvements:</p>
<ul>
<li>
- <p>Disable fast-redirects for .microsoftonline.com/.</p>
- </li>
- <li>
- <p>Disable fast-redirects for idp.springer.com/.</p>
- </li>
- <li>
- <p>Disable fast-redirects for .zeit.de/zustimmung.</p>
+ <p>Disable filter{banners-by-size} for .freiheitsfoo.de/</p>
</li>
<li>
- <p>Unblock adv-archiv.dfn-cert.de/.</p>
+ <p>Disable filter{banners-by-size} for freebsdfoundation.org/</p>
</li>
<li>
- <p>Block requests to eu-tlp01.kameleoon.eu/.</p>
+ <p>Disable fast-redirects for consent.youtube.com/</p>
</li>
<li>
- <p>Block requests to fpa-events.arstechnica.com/.</p>
+ <p>Block requests to ups.xplosion.de/</p>
</li>
<li>
- <p>Unblock nlnet.nl/.</p>
+ <p>Block requests for elsa.memoinsights.com/t</p>
</li>
<li>
- <p>Unblock adguard.com/.</p>
+ <p>Fix a typo in a test.</p>
</li>
- </ul>
- </li>
- <li>
- <p>Privoxy-Log-Parser:</p>
- <ul>
<li>
- <p>Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36'.</p>
+ <p>Disable fast-redirects for launchpad.net/</p>
</li>
<li>
- <p>Improve documentation for inactivity-detection mode.</p>
+ <p>Unblock .eff.org/</p>
</li>
<li>
- <p>Detect date changes when looking for inactivity.</p>
+ <p>Stop unblocking .org/.*(image|banner) which appears to be too generous.</p>
</li>
<li>
- <p>Add a --passed-request-statistics-threshold option that can be set to get statistics for requests that
- were passed.</p>
+ <p>Unblock adfd.org/</p>
</li>
<li>
- <p>Add a "inactivity detection" mode which can be useful for debugging purposes.</p>
+ <p>Disable filter{banners-by-link} for .eff.org/</p>
</li>
<li>
- <p>Bump version to 0.9.4.</p>
+ <p>Block requests to odb.outbrain.com/</p>
</li>
<li>
- <p>Only run print_intro() and print_outro() when syntax highlighting.</p>
+ <p>Disable fast-redirects for .gandi.net/</p>
</li>
<li>
- <p>Rephrase a sentence in the documentation.</p>
+ <p>Disable fast-redirects{} for .onion/.*/status/</p>
</li>
<li>
- <p>Highlight 'Client socket 7 is no longer usable. The server socket has been closed.'.</p>
+ <p>Disable fast-redirects{} for twitter.com/.*/status/</p>
</li>
<li>
- <p>Clarify --statistics output by explicitly mentioning that the status codes sent by the server may differ
- from the ones in "debug 512" messages.</p>
+ <p>Unblock pinkstinks.de/</p>
</li>
<li>
- <p>Fix typo in the --statistics output.</p>
- </li>
- <li>
- <p>Remove an unused variable.</p>
- </li>
- <li>
- <p>Highlight 'The peer notified us that the connection on socket 11 is going to be closed'.</p>
- </li>
- </ul>
- </li>
- <li>
- <p>Privoxy-Regression-Test:</p>
- <ul>
- <li>
- <p>Remove duplicated word in a comment.</p>
+ <p>Disable fast-redirects for .hagalil.com/</p>
</li>
</ul>
</li>
<li>
- <p>regression-tests.action:</p>
+ <p>Privoxy-Log-Parser:</p>
<ul>
<li>
- <p>Add fetch test for http://p.p/wpad.dat.</p>
- </li>
- <li>
- <p>Bump for-privoxy-version to 3.0.33 which introduced the wpad.dat support.</p>
- </li>
- <li>
- <p>Add more tests for the '/send-banner' code.</p>
+ <p>Bump version to 0.9.5.</p>
</li>
<li>
- <p>Add test for OVE-20210203-0001.</p>
+ <p>Highlight more log messages.</p>
</li>
<li>
- <p>Add a test for CVE-2021-20217.</p>
+ <p>Highlight the Crunch reason only once. Previously the "crunch reason" could also be highlighted when the
+ URL contained a matching string. The real crunch reason only occurs once per line, so there's no need to
+ continue looking for it after it has been found once. While at it, add a comment with an example log
+ line.</p>
</li>
</ul>
</li>
<p>uagen:</p>
<ul>
<li>
- <p>Bump generated Firefox version to 91 (ESR).</p>
- </li>
- <li>
- <p>Bump version to 1.2.3.</p>
- </li>
- <li>
- <p>Bump copyright.</p>
- </li>
- </ul>
- </li>
- <li>
- <p>Build system:</p>
- <ul>
- <li>
- <p>configure: Bump SOURCE_DATE_EPOCH.</p>
+ <p>Update BROWSER_VERSION and BROWSER_REVISION to 102.0 to match the User-Agent of the current Firefox
+ ESR.</p>
</li>
<li>
- <p>GNUmakefile.in: Fix typo.</p>
+ <p>Explicitly document that changing the 'Gecko token' is suspicious.</p>
</li>
<li>
- <p>configure: Add another warning in case --disable-pthread is used while POSIX threads are available.
- Various features don't even compile when not using threads.</p>
+ <p>Consistently use a lower-case 'c' as copyright symbol.</p>
</li>
<li>
- <p>Add configure option to enable MemorySanitizer.</p>
- </li>
- <li>
- <p>Add configure option to enable UndefinedBehaviorSanitizer.</p>
+ <p>Bump copyright.</p>
</li>
<li>
- <p>Add configure option to enable AddressSanitizer.</p>
+ <p>Add 'aarch64' as Linux architecture.</p>
</li>
<li>
- <p>Bump copyright.</p>
+ <p>Add OpenBSD architecture 'arm64'.</p>
</li>
<li>
- <p>Add a configure option to disable pcre JIT compilation. While JIT compilation makes filtering faster it
- can cause false-positive valgrind complaints. As reported by Gwyn Ciesla in SF bug 924 it also can cause
- problems when the SELinux policy does not grant Privoxy "execmem" privileges.</p>
+ <p>Stop using sparc64 as FreeBSD architecture. It hasn't been supported for a while now.</p>
</li>
<li>
- <p>configure: Remove obsolete RPM_BASE check.</p>
+ <p>Bump version.</p>
</li>
</ul>
</li>
<li>
- <p>Windows build system:</p>
+ <p>Build system:</p>
<ul>
<li>
- <p>Update the build script to use mbed tls version 2.6.11.</p>
- </li>
- <li>
- <p>Update build script to use the final 8.45 pcre library.</p>
+ <p>Makefile: Add a 'dok' target that depends on the 'error' target to show the "You are not using GNU make
+ or did nor run configure" message.</p>
</li>
<li>
- <p>Put all the '--enable-xxx' options in the configure call together.</p>
+ <p>configure: Fix --with-msan option. Also (probably) reported by Andrew Savchenko.</p>
</li>
</ul>
</li>
<p>macOS build system:</p>
<ul>
<li>
- <p>The OSXPackageBuilder repository has been updated and can be used to create macOS packages again.</p>
+ <p>HTTPS inspection is enabled when building the macOS binary using OpenSSL as TLS library.</p>
</li>
</ul>
</li>
<p>Documentation:</p>
<ul>
<li>
- <p>contacting: Remove obsolete reference to announce.sgml.</p>
- </li>
- <li>
- <p>contacting: Request that the browser cache is cleared before producing a log file for submission.</p>
- </li>
- <li>
- <p>Sponsor FAQ: Note that Privoxy users may follow sponsor links without Referer header set.</p>
- </li>
- <li>
- <p>newfeatures: Clarify that https inspection also allows to filter https responses.</p>
- </li>
- <li>
- <p>developer-manual: Mention that announce.txt should be updated when doing a release.</p>
- </li>
- <li>
- <p>config: Explicitly mention that the CGI pages disclosing the ca-password can be blocked and upgrade the
- disclosure paragraphs to a warning.</p>
- </li>
- <li>
- <p>Put all the requested debug options in the config file. Section 11.1 of the Privoxy user manual lists
- all the debug options that should be enabled when reporting problems or requesting support. Make it easier
- for users to do the right thing by having all those options present in the config.</p>
- </li>
- <li>
- <p>Update TODO list item #184 to note that WolfSSL support will (hopefully) appear after the 3.0.34
- release.</p>
+ <p>Add OpenSSL to the list of libraries that may be licensed under the Apache 2.0 license in which case the
+ linked Privoxy binary has to be distributed under the GPLv3 or later.</p>
</li>
<li>
- <p>Update max-client-connections's description. On modern systems other than Windows Privoxy should use
- poll() in which case the FD_SETSIZE value isn't releveant.</p>
+ <p>config: Fix the documented ca-directory default value Reported by avoidr.</p>
</li>
<li>
- <p>Add a warning that the socket-timeout does not apply to operations done by TLS libraries.</p>
+ <p>Rebuild developer-manual and tidy with 'HTML Tidy for FreeBSD version 5.8.0'</p>
</li>
<li>
- <p>Make documentation slightly less "offensive" for some people by avoiding the word "hell".</p>
+ <p>Update developer manual with new macOS packaging instructions.</p>
</li>
</ul>
</li>
projects / privoxy.git / commitdiff