From: Roland Rosenfeld
Date: Sun, 17 Jan 2021 12:31:42 +0000 (+0100)
Subject: Merge Debian version 3.0.29-2
X-Git-Tag: v_3_0_30~113
X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=3d8c0631436ee4a0536e013e5d57976db59c15c9
Merge Debian version 3.0.29-2
---
diff --git a/debian/apparmor/usr.sbin.privoxy b/debian/apparmor/usr.sbin.privoxy
new file mode 100644
index 00000000..2386db6d
--- /dev/null
+++ b/debian/apparmor/usr.sbin.privoxy
@@ -0,0 +1,18 @@
+#include
+
+/usr/sbin/privoxy {
+ #include
+ #include
+
+ capability setgid,
+ capability setuid,
+
+ /etc/privoxy/** r,
+ owner /etc/privoxy/match-all.action rw,
+ owner /etc/privoxy/user.action rw,
+ /run/privoxy.pid rw,
+ /usr/share/doc/privoxy/user-manual/** r,
+ /usr/share/doc/privoxy/p_doc.css r,
+ owner /var/lib/privoxy/** rw,
+ owner /var/log/privoxy/logfile rw,
+}
diff --git a/debian/changelog b/debian/changelog
index 07cf123a..b5a59f6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+privoxy (3.0.29-2) unstable; urgency=medium
+
+ * Use --enable-extended-statistics and --enable-pcre-host-patterns.
+ * 39_show-status: Add new features to show-status page.
+ * Remove 38_SOURCE_DATE_EPOCH, since upstream honors it when set.
+ * Upgrade to Standards-Version 4.5.1 (no changes).
+ * 40_redirect-ssl: Check the actual URL when https inspecting requests.
+ * Add apparmor profile usr.sbin.privoxy.
+
+ -- Roland Rosenfeld Sun, 17 Jan 2021 13:10:33 +0100
+
 privoxy (3.0.29-1) unstable; urgency=medium
 
 * New upstream release 3.0.29.
diff --git a/debian/control b/debian/control
index 7ce5356d..754124d5 100644
--- a/debian/control
+++ b/debian/control
@@ -4,6 +4,7 @@ Priority: optional
 Maintainer: Roland Rosenfeld
 Build-Depends: autoconf,
 debhelper-compat (= 13),
+ dh-apparmor,
 docbook,
 docbook-dsssl,
 docbook-utils,
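Review bot: The new profile in debian/apparmor/usr.sbin.privoxy has no execute rule, while debian/rules in this same commit still configures `--enable-external-filters`; under an enforcing profile any configured external filter program would presumably be denied at exec time. If that is intended, a comment in the profile such as `# external filters are not permitted by this profile; add exec rules in a local override if you use them` would save administrators a debugging session. The log and PID rules name single files (`/var/log/privoxy/logfile`, `/run/privoxy.pid`), so installations whose configuration points elsewhere will also be blocked, which is worth a line in the package documentation. The targets of the three `#include` lines are not visible on this page, so what they grant (network, name service) could not be checked here.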
@@ -17,7 +18,7 @@ Build-Depends: autoconf,
 sgmlspl,
 w3m,
 zlib1g-dev
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Homepage: https://www.privoxy.org/
 Vcs-Git: https://salsa.debian.org/debian/privoxy.git
 Vcs-Browser: https://salsa.debian.org/debian/privoxy
@@ -35,6 +36,7 @@ Depends: adduser,
 ${shlibs:Depends}
 Pre-Depends: ${misc:Pre-Depends}
 Recommends: doc-base
+Suggests: apparmor
 Description: Privacy enhancing HTTP Proxy
 Privoxy is a web proxy with advanced filtering capabilities for
 protecting privacy, filtering web page content, managing cookies,
diff --git a/debian/dirs b/debian/dirs
index 47d3b870..9e33ee0c 100644
--- a/debian/dirs
+++ b/debian/dirs
@@ -1,3 +1,4 @@
+etc/apparmor.d
 etc/privoxy
 etc/privoxy/CA
 usr/bin
diff --git a/debian/patches/38_SOURCE_DATE_EPOCH.patch b/debian/patches/38_SOURCE_DATE_EPOCH.patch
deleted file mode 100644
index 27b528e8..00000000
--- a/debian/patches/38_SOURCE_DATE_EPOCH.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-From: Roland Rosenfeld
-Date: Fri, 04 Sep 2020 16:30:48 +0200
-Subject: Remove hardcoded SOURCE_DATE_EPOCH from configure.in but use the date
- from debian/changelog.
-Forwarded: not-necessary
-
---- a/configure.in
-+++ b/configure.in
-@@ -81,7 +81,7 @@ CODE_STATUS="stable"
-
- dnl Timestamp (date +%s) used by the mtree-spec target.
- dnl Should be updated before releases but forgetting it isn't critical.
--SOURCE_DATE_EPOCH=1605695571
-+dnl SOURCE_DATE_EPOCH=1605695571
-
- dnl CODE_STATUS can be "alpha", "beta", "stable" or "UNRELEASED",
- dnl and will be used for CGI output. Increment version number and
diff --git a/debian/patches/39_show-status.patch b/debian/patches/39_show-status.patch
new file mode 100644
index 00000000..13c74e72
--- /dev/null
+++ b/debian/patches/39_show-status.patch
@@ -0,0 +1,82 @@
+From: Roland Rosenfeld
+Subject: Add new features to show-status page.
+Date: Sun, 06 Dec 2020 14:14:43 +0100
+Forwarded: https://www.privoxy.org/gitweb/?p=privoxy.git;a=patch;h=d83b7ce5
+
+--- a/templates/show-status
++++ b/templates/show-status
+@@ -299,6 +299,19 @@
+
+
+
++ FEATURE_DYNAMIC_PCRE
++ @if-FEATURE_DYNAMIC_PCRE-then@ Yes @else-not-FEATURE_DYNAMIC_PCRE@ No @endif-FEATURE_DYNAMIC_PCRE@
++ Dynamically link to the PCRE library. This is set automatically
++ by ./configure if you do not have libpcre installed.
++ Dynamically linking to an external libpcre is recommended as the one that is distributed
++ with Privoxy itself is outdated and lacks various features and bug-fixes you may be interested in.
++
++
++ FEATURE_EXTENDED_STATISTICS
++ @if-FEATURE_EXTENDED_STATISTICS-then@ Yes @else-not-FEATURE_EXTENDED_STATISTICS@ No @endif-FEATURE_EXTENDED_STATISTICS@
++ Gather statistics for block reasons and filter executions.
++
++
+ FEATURE_EXTERNAL_FILTERS
+ @if-FEATURE_EXTERNAL_FILTERS-then@ Yes @else-not-FEATURE_EXTERNAL_FILTERS@ No @endif-FEATURE_EXTERNAL_FILTERS@
+
+@@ -308,14 +321,6 @@
+
+
+
+- FEATURE_DYNAMIC_PCRE
+- @if-FEATURE_DYNAMIC_PCRE-then@ Yes @else-not-FEATURE_DYNAMIC_PCRE@ No @endif-FEATURE_DYNAMIC_PCRE@
+- Dynamically link to the PCRE library. This is set automatically
+- by ./configure if you do not have libpcre installed.
+- Dynamically linking to an external libpcre is recommended as the one that is distributed
+- with Privoxy itself is outdated and lacks various features and bug-fixes you may be interested in.
+-
+-
+ FEATURE_FAST_REDIRECTS
+ @if-FEATURE_FAST_REDIRECTS-then@ Yes @else-not-FEATURE_FAST_REDIRECTS@ No @endif-FEATURE_FAST_REDIRECTS@
+ Allows the +fast-redirects action, to bypass redirect and logging scripts.
+@@ -353,6 +358,14 @@
+
+
+
++ FEATURE_PCRE_HOST_PATTERNS
++ @if-FEATURE_PCRE_HOST_PATTERNS-then@ Yes @else-not-FEATURE_PCRE_HOST_PATTERNS@ No @endif-FEATURE_PCRE_HOST_PATTERNS@
++ Allow to use extended host patterns and vanilla host patterns
++ at the same time by prefixing extended host patterns with
++ "PCRE-HOST-PATTERN:".
++
++
++
+ FEATURE_NO_GIFS
+ @if-FEATURE_NO_GIFS-then@ Yes @else-not-FEATURE_NO_GIFS@ No @endif-FEATURE_NO_GIFS@
+ Use PNG instead of GIF for the built-in images.
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -2097,6 +2097,22 @@ static jb_err show_defines(struct map *e
+ #else
+ 0,
+ #endif
++ },
++ {
++ "FEATURE_EXTENDED_STATISTICS",
++#ifdef FEATURE_EXTENDED_STATISTICS
++ 1,
++#else
++ 0,
++#endif
++ },
++ {
++ "FEATURE_PCRE_HOST_PATTERNS",
++#ifdef FEATURE_PCRE_HOST_PATTERNS
++ 1,
++#else
++ 0,
++#endif
+ }
+ };
+
diff --git a/debian/patches/40_redirect-ssl.patch b/debian/patches/40_redirect-ssl.patch
new file mode 100644
index 00000000..1b1768b0
--- /dev/null
+++ b/debian/patches/40_redirect-ssl.patch
@@ -0,0 +1,66 @@
+Origin: https://www.privoxy.org/gitweb/?p=privoxy.git;h=89da1910
+Author: Fabian Keil
+Date: Tue Dec 15 19:00:00 2020 +0100
+Bug: https://sourceforge.net/p/ijbswa/support-requests/1736/
+Forwarded: not needed, comes from upstream
+Subject: Check the actual URL when https inspecting requests
+ redirect_url(): Check the actual URL when https inspecting requests
+
+ Previously we would only check the path which resulted
+ in rewrite results being rejected as invalid URLs.
+
+ Before:
+ 19:37:29.494 014 Error: pcrs command "s@/test@/@" changed "/test" to "/" (1 hit), but the result doesn't look like a valid URL and will be ignored.
+
+ After:
+ 19:40:57.857 002 Redirect: pcrs command s@/test@/@ changed https://www.electrobsd.org/test to https://www.electrobsd.org/ (1 hit).
+
+ Reported by withoutname in #1736.
+
+--- a/filters.c
++++ b/filters.c
+@@ -66,6 +66,9 @@
+ #ifdef FEATURE_CLIENT_TAGS
+ #include "client-tags.h"
+ #endif
++#ifdef FEATURE_HTTPS_INSPECTION
++#include "ssl.h"
++#endif
+
+ #ifdef _WIN32
+ #include "win32.h"
+@@ -1220,8 +1223,33 @@ struct http_response *redirect_url(struc
+
+ if (*redirection_string == 's')
+ {
+- old_url = csp->http->url;
++#ifdef FEATURE_HTTPS_INSPECTION
++ if (client_use_ssl(csp))
++ {
++ jb_err err;
++
++ old_url = strdup_or_die("https://");
++ err = string_append(&old_url, csp->http->hostport);
++ if (!err) err = string_append(&old_url, csp->http->path);
++ if (err)
++ {
++ log_error(LOG_LEVEL_FATAL,
++ "Failed to rebuild URL 'https://%s%s'",
++ csp->http->hostport, csp->http->path);
++ }
++ }
++ else
++#endif
++ {
++ old_url = csp->http->url;
++ }
+ new_url = rewrite_url(old_url, redirection_string);
++#ifdef FEATURE_HTTPS_INSPECTION
++ if (client_use_ssl(csp))
++ {
++ freez(old_url);
++ }
++#endif
+ }
+ else
+ {
diff --git a/debian/patches/series b/debian/patches/series
index 7bcaa7d2..cc721f9c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
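Review bot: In the filters.c hunk of 40_redirect-ssl.patch, ownership of `old_url` is decided by calling `client_use_ssl(csp)` twice, once to build the heap copy and once to `freez()` it, so the two `#ifdef FEATURE_HTTPS_INSPECTION` blocks must always agree or the code either leaks the copy or frees `csp->http->url`. A comment above the free, e.g. `/* old_url is a heap copy only when client_use_ssl(csp) was true above */`, or a local flag set where the copy is built, would make that coupling explicit. The allocation-failure path logs with `LOG_LEVEL_FATAL` and then falls through to `rewrite_url(old_url, ...)`, which is only safe if a fatal log never returns; a short comment saying so would help the next reader. redirect_url() starts and ends outside the hunk, so any later comparison of `new_url` against `csp->http->url` for inspected requests could not be checked here.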
@@ -7,4 +7,5 @@
 33_manpage_hyphen.patch
 34_system-docbook2man.patch
 35_man-spelling.patch
-38_SOURCE_DATE_EPOCH.patch
+39_show-status.patch
+40_redirect-ssl.patch
diff --git a/debian/rules b/debian/rules
index aac8cdfd..e7745b0c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 #
-# (c) 2002-2020 Roland Rosenfeld
+# (c) 2002-2021 Roland Rosenfeld
 #
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
@@ -23,6 +23,8 @@ override_dh_auto_configure:
 --enable-zlib \
 --enable-no-gifs \
 --enable-external-filters \
+ --enable-extended-statistics \
+ --enable-pcre-host-patterns \
 --with-mbedtls \
 --with-brotli \
 --with-docbook=/usr/share/sgml/docbook/stylesheet/dsssl/modular
@@ -86,6 +88,12 @@ override_dh_auto_install:
 mv -f $$f.new $$f; \
 done
 
+override_dh_install:
+ dh_install
+ install -m0644 debian/apparmor/usr.sbin.privoxy \
+ $(DEBDIR)/etc/apparmor.d/
+ dh_apparmor --profile-name=usr.sbin.privoxy
+
 override_dh_installdocs:
 dh_installdocs
 (cd $(DEBDIR)/usr/share/doc/privoxy/; \