From: Fabian Keil Date: Sat, 17 Mar 2007 15:20:05 +0000 (+0000) Subject: New config option: enforce-blocks. X-Git-Tag: v_3_0_7~308 X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=66d5f733f047a1a177bfd1867ad53a933dd3ee7f New config option: enforce-blocks. --- diff --git a/filters.c b/filters.c index 1c9b2544..06e69129 100644 --- a/filters.c +++ b/filters.c @@ -1,4 +1,4 @@ -const char filters_rcs[] = "$Id: filters.c,v 1.81 2007/03/05 14:40:53 fabiankeil Exp $"; +const char filters_rcs[] = "$Id: filters.c,v 1.82 2007/03/13 11:28:43 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/filters.c,v $ @@ -40,6 +40,11 @@ const char filters_rcs[] = "$Id: filters.c,v 1.81 2007/03/05 14:40:53 fabiankeil * * Revisions : * $Log: filters.c,v $ + * Revision 1.82 2007/03/13 11:28:43 fabiankeil + * - Fix port handling in acl_addr() and use a temporary acl spec + * copy so error messages don't contain a truncated version. + * - Log size of iob before and after decompression. + * * Revision 1.81 2007/03/05 14:40:53 fabiankeil * - Cosmetical changes for LOG_LEVEL_RE_FILTER messages. * - Hide the "Go there anyway" link for blocked CONNECT @@ -1030,7 +1035,15 @@ struct http_response *block_url(struct client_state *csp) #ifdef FEATURE_FORCE_LOAD err = map(exports, "force-prefix", 1, FORCE_PREFIX, 1); - if (csp->http->ssl != 0 || 0 == strcmpic(csp->http->gpc, "connect")) + /* + * Export the force conditional block killer if + * + * - Privoxy was compiled without FEATURE_FORCE_LOAD, or + * - Privoxy is configured to enforce blocks, or + * - it's a CONNECT request and enforcing wouldn't work anyway. + */ + if ((csp->config->feature_flags & RUNTIME_FEATURE_ENFORCE_BLOCKS) + || (0 == strcmpic(csp->http->gpc, "connect"))) #endif /* ndef FEATURE_FORCE_LOAD */ { err = map_block_killer(exports, "force-support"); 
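Review bot: The rewritten condition in block_url() drops the `csp->http->ssl != 0` test that the removed line had, and neither the new comment nor the commit message says why. If `ssl` can be non-zero for a request whose `gpc` is not "connect" (not visible in this hunk), the block page would again offer a force link where it cannot work. Either keep the test as `|| (csp->http->ssl != 0)`, or add a comment line such as `* (http->ssl is only set for CONNECT requests, so the gpc test covers it)`. Note also that `force-prefix` is still mapped unconditionally on the line above, so hiding the link appears to be presentation only; the actual refusal rests on the check in chat() in jcc.c. The braced block continues past the end of the hunk.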
@@ -1179,12 +1192,17 @@ struct http_response *trust_url(struct client_state *csp) } /* - * Export the force prefix or the force conditional block killer + * Export the force conditional block killer if + * + * - Privoxy was compiled without FEATURE_FORCE_LOAD, or + * - Privoxy is configured to enforce blocks, or + * - it's a CONNECT request and enforcing wouldn't work anyway. */ #ifdef FEATURE_FORCE_LOAD - if (0 == strcmpic(csp->http->gpc, "connect")) + if ((csp->config->feature_flags & RUNTIME_FEATURE_ENFORCE_BLOCKS) + || (0 == strcmpic(csp->http->gpc, "connect"))) { - err = map_block_killer(exports, "force-support"); + err = map_block_killer(exports, "force-support"); } else { diff --git a/jcc.c b/jcc.c index a4f9c32a..b375b49e 100644 --- a/jcc.c +++ b/jcc.c @@ -1,4 +1,4 @@ -const char jcc_rcs[] = "$Id: jcc.c,v 1.124 2007/02/23 14:59:54 fabiankeil Exp $"; +const char jcc_rcs[] = "$Id: jcc.c,v 1.125 2007/03/09 14:12:00 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/jcc.c,v $ @@ -33,6 +33,11 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.124 2007/02/23 14:59:54 fabiankeil Exp $" * * Revisions : * $Log: jcc.c,v $ + * Revision 1.125 2007/03/09 14:12:00 fabiankeil + * - Move null byte check into separate function. + * - Don't confuse the client with error pages + * if a CONNECT request was already confirmed. + * * Revision 1.124 2007/02/23 14:59:54 fabiankeil * Speed up NULL byte escaping and only log the complete * NULL byte requests with header debugging enabled. 
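Review bot: The flag-or-CONNECT test and its three-bullet comment in trust_url() duplicate the ones added to block_url() earlier in filters.c, so any later change to when the force link is hidden must be made in two places. A small static helper (the name is a suggestion), `static int force_link_disabled(const struct client_state *csp)`, could return the combined result and carry the comment once. The last bullet would be clearer as `* - it's a CONNECT request and forcing wouldn't work anyway.`, because "enforcing" now also names the opposite behaviour (enforce-blocks). The re-indented `map_block_killer` line is a whitespace-only change that could be left out of this commit. The if/else continues past the end of the hunk.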
@@ -1592,15 +1597,23 @@ static void chat(struct client_state *csp) } #ifdef FEATURE_FORCE_LOAD - /* If this request contains the FORCE_PREFIX, - * better get rid of it now and set the force flag --oes + /* + * If this request contains the FORCE_PREFIX and blocks + * aren't enforced, get rid of it and set the force flag. */ - if (strstr(req, FORCE_PREFIX)) { - strclean(req, FORCE_PREFIX); - log_error(LOG_LEVEL_FORCE, "Enforcing request \"%s\".\n", req); - csp->flags |= CSP_FLAG_FORCED; + if (csp->config->feature_flags & RUNTIME_FEATURE_ENFORCE_BLOCKS) + { + log_error(LOG_LEVEL_FORCE, + "Ignored force prefix in request: \"%s\".", req); + } + else + { + strclean(req, FORCE_PREFIX); + log_error(LOG_LEVEL_FORCE, "Enforcing request: \"%s\".", req); + csp->flags |= CSP_FLAG_FORCED; + } } #endif /* def FEATURE_FORCE_LOAD */ diff --git a/loadcfg.c b/loadcfg.c index 8722b7cc..7593f0fe 100644 --- a/loadcfg.c +++ b/loadcfg.c @@ -1,4 +1,4 @@ -const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.60 2007/01/27 13:09:16 fabiankeil Exp $"; +const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.61 2007/03/16 16:47:35 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/loadcfg.c,v $ @@ -35,6 +35,10 @@ const char loadcfg_rcs[] = "$Id: loadcfg.c,v 1.60 2007/01/27 13:09:16 fabiankeil * * Revisions : * $Log: loadcfg.c,v $ + * Revision 1.61 2007/03/16 16:47:35 fabiankeil + * - Mention other reasons why acl directive loading might have failed. + * - Don't log the acl source if the acl destination is to blame. + * * Revision 1.60 2007/01/27 13:09:16 fabiankeil * Add new config option "templdir" to * change the templates directory. 
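Review bot: In the enforce-blocks branch of chat() the force prefix is only logged and stays inside `req`, so the request parsing and action matching that follow (outside this hunk) presumably work on the prefixed URL rather than the URL the block rules were written for. If that is intended, say so in the comment. Otherwise call `strclean(req, FORCE_PREFIX);` before testing the flag and set `CSP_FLAG_FORCED` only in the else branch, so an enforced block is evaluated against the clean URL. The surviving message `"Enforcing request: ..."` is also confusing next to an option named enforce-blocks, since it is logged exactly when blocks are not enforced; wording such as `"Forcing request: \"%s\"."` would avoid that.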
@@ -486,6 +490,7 @@ static struct file_list *current_configfile = NULL; #define hash_enable_edit_actions 2517097536ul /* "enable-edit-actions" */ #define hash_enable_remote_toggle 2979744683ul /* "enable-remote-toggle" */ #define hash_enable_remote_http_toggle 110543988ul /* "enable-remote-http-toggle" */ +#define hash_enforce_blocks 1862427469ul /* "enforce-blocks" */ #define hash_filterfile 250887266ul /* "filterfile" */ #define hash_forward 2029845ul /* "forward" */ #define hash_forward_socks4 3963965521ul /* "forward-socks4" */ @@ -958,6 +963,22 @@ struct configuration_spec * load_config(void) } continue; +/* ************************************************************************* + * hash_enforce_blocks 0|1 + * *************************************************************************/ +#ifdef FEATURE_FORCE_LOAD + case hash_enforce_blocks: + if ((*arg != '\0') && (0 != atoi(arg))) + { + config->feature_flags |= RUNTIME_FEATURE_ENFORCE_BLOCKS; + } + else + { + config->feature_flags &= ~RUNTIME_FEATURE_ENFORCE_BLOCKS; + } + continue; +#endif /* def FEATURE_FORCE_LOAD */ + /* ************************************************************************* * filterfile file-name * In confdir by default. diff --git a/project.h b/project.h index 8c637dd3..5469ebe9 100644 --- a/project.h +++ b/project.h @@ -1,7 +1,7 @@ #ifndef PROJECT_H_INCLUDED #define PROJECT_H_INCLUDED /** Version string. */ -#define PROJECT_H_VERSION "$Id: project.h,v 1.90 2007/02/07 10:36:16 fabiankeil Exp $" +#define PROJECT_H_VERSION "$Id: project.h,v 1.91 2007/03/05 13:28:03 fabiankeil Exp $" /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/project.h,v $ 
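Review bot: The new `case hash_enforce_blocks:` in load_config() parses its argument with `atoi()`, so a value such as `yes` or `on` yields 0 and silently clears RUNTIME_FEATURE_ENFORCE_BLOCKS. For an option whose purpose is to stop users from bypassing blocks, a typo in the config should be reported rather than quietly disabling it. The sketch below parses with `strtol()`, accepts only 0 or 1 and logs anything else; it also reports an empty argument, which the commit treats as 0. Because the case sits inside `#ifdef FEATURE_FORCE_LOAD`, a build without that feature presumably treats the directive as unrecognized (not visible here), which deserves a line in the option's documentation. load_config() starts and ends outside the hunk.

```c
      case hash_enforce_blocks:
      {
         char *end = NULL;
         long value = strtol(arg, &end, 10);

         if ((end == arg) || (*end != '\0') || ((value != 0) && (value != 1)))
         {
            log_error(LOG_LEVEL_ERROR,
               "Invalid enforce-blocks value \"%s\": expected 0 or 1.", arg);
            continue;
         }
         if (value != 0)
         /* … unchanged: set or clear RUNTIME_FEATURE_ENFORCE_BLOCKS, then continue … */
      }
```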
@@ -37,6 +37,9 @@ * * Revisions : * $Log: project.h,v $ + * Revision 1.91 2007/03/05 13:28:03 fabiankeil + * Add some CSP_FLAGs for the header parsers. + * * Revision 1.90 2007/02/07 10:36:16 fabiankeil * Add new http_response member to save * the reason why the response was generated. @@ -1509,6 +1512,9 @@ struct access_control_list /** configuration_spec::feature_flags: Check the host header for requests with host-less request lines. */ #define RUNTIME_FEATURE_ACCEPT_INTERCEPTED_REQUESTS 16 +/** configuration_spec::feature_flags: Don't allow to circumvent blocks with the force prefix. */ +#define RUNTIME_FEATURE_ENFORCE_BLOCKS 32 + /** * Data loaded from the configuration file.