privoxy.git
40 hours ago: Unblock adv-archiv.dfn-cert.de/ properly [master]
Fabian Keil [Thu, 2 Dec 2021 10:49:34 +0000 (11:49 +0100)]
Unblock adv-archiv.dfn-cert.de/ properly

... by relocating the pattern and test that were added
in e637f5ac37 further below.

Test failure pointed out by Roland.

43 hours ago: privoxy-log-parser: fix typo in milliseconds.
Roland Rosenfeld [Thu, 2 Dec 2021 08:13:37 +0000 (09:13 +0100)]
privoxy-log-parser: fix typo in milliseconds.

43 hours ago: Merge Debian 3.0.32-3 changes.
Roland Rosenfeld [Thu, 2 Dec 2021 08:05:51 +0000 (09:05 +0100)]
Merge Debian 3.0.32-3 changes.

2 days ago: Rebuild docs
Fabian Keil [Wed, 1 Dec 2021 16:05:32 +0000 (17:05 +0100)]
Rebuild docs

2 days ago: Bump SGML entities for 3.0.33 stable
Fabian Keil [Wed, 1 Dec 2021 10:08:50 +0000 (11:08 +0100)]
Bump SGML entities for 3.0.33 stable

2 days ago: Rebuild config file
Fabian Keil [Wed, 1 Dec 2021 10:06:47 +0000 (11:06 +0100)]
Rebuild config file

2 days ago: Rebuild AUTHORS
Fabian Keil [Sat, 6 Nov 2021 12:48:41 +0000 (13:48 +0100)]
Rebuild AUTHORS

2 days ago: Add Artem Ivanov as contributor
Fabian Keil [Tue, 2 Nov 2021 11:17:56 +0000 (12:17 +0100)]
Add Artem Ivanov as contributor

2 days ago: Regenerate config file
Fabian Keil [Sat, 6 Nov 2021 12:50:49 +0000 (13:50 +0100)]
Regenerate config file

2 days ago: config: Explicitly mention that the CGI pages disclosing the ca-password can be blocked
Fabian Keil [Sat, 6 Nov 2021 12:46:29 +0000 (13:46 +0100)]
config: Explicitly mention that the CGI pages disclosing the ca-password can be blocked

... and upgrade the disclosure paragraphs to a warning.

2 days ago: uagen: Bump copyright
Fabian Keil [Thu, 4 Nov 2021 20:35:45 +0000 (21:35 +0100)]
uagen: Bump copyright

2 days ago: privoxy-log-parser: Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no...
Fabian Keil [Wed, 31 Mar 2021 11:33:17 +0000 (13:33 +0200)]
privoxy-log-parser: Highlight 'Socket timeout 3 reached: 127.0.0.1:20000/no-filter/chunked-content/36'

2 days ago: privoxy-log-parser: Improve documentation for inactivity-detection mode
Fabian Keil [Thu, 25 Mar 2021 14:45:53 +0000 (15:45 +0100)]
privoxy-log-parser: Improve documentation for inactivity-detection mode

2 days ago: privoxy-log-parser: Detect date changes when looking for inactivity
Fabian Keil [Wed, 24 Mar 2021 06:55:54 +0000 (07:55 +0100)]
privoxy-log-parser: Detect date changes when looking for inactivity

7 days ago: uagen: Bump BROWSER_REVISION to match Firefox version to 91 (ESR)
Fabian Keil [Fri, 26 Nov 2021 12:18:23 +0000 (13:18 +0100)]
uagen: Bump BROWSER_REVISION to match Firefox version to 91 (ESR)

Regression introduced in 077333a08de.

9 days ago: put all the requested debug options in the config
Lee [Wed, 24 Nov 2021 21:18:32 +0000 (16:18 -0500)]
put all the requested debug options in the config

Section 11.1 of the Privoxy user manual lists all the debug options that
should be enabled when reporting problems or requesting support.
Make it easier for users to do the right thing by having all those
options present in the config.

2 weeks ago: Disable fast-redirects for .zeit.de/zustimmung
Fabian Keil [Fri, 12 Nov 2021 08:55:06 +0000 (09:55 +0100)]
Disable fast-redirects for .zeit.de/zustimmung

2 weeks ago: Update #184 to note that it will (hopefully) appear after the 3.0.34 release
Fabian Keil [Thu, 11 Nov 2021 09:59:35 +0000 (10:59 +0100)]
Update #184 to note that it will (hopefully) appear after the 3.0.34 release

2 weeks ago: Unblock adv-archiv.dfn-cert.de/
Fabian Keil [Mon, 8 Nov 2021 13:46:43 +0000 (14:46 +0100)]
Unblock adv-archiv.dfn-cert.de/

2 weeks ago: configure: Bump SOURCE_DATE_EPOCH
Fabian Keil [Sat, 6 Nov 2021 17:02:25 +0000 (18:02 +0100)]
configure: Bump SOURCE_DATE_EPOCH

2 weeks ago: Declare 3.0.33 stable
Fabian Keil [Sat, 6 Nov 2021 17:01:22 +0000 (18:01 +0100)]
Declare 3.0.33 stable

3 weeks ago: nit: put all the '--enable-xxx' options together
Lee [Thu, 11 Nov 2021 12:02:30 +0000 (07:02 -0500)]
nit: put all the '--enable-xxx' options together

3 weeks ago: update the build script to use mbed tls version 2.6.11
Lee [Thu, 11 Nov 2021 11:59:10 +0000 (06:59 -0500)]
update the build script to use mbed tls version 2.6.11

3 weeks ago: update build script to use the final 8.45 pcre library
Lee [Thu, 11 Nov 2021 11:54:23 +0000 (06:54 -0500)]
update build script to use the final 8.45 pcre library

https://www.pcre.org/
Version 8.45 is expected to be the final release of the older PCRE library, and new
projects should use PCRE2 instead.

3 weeks ago: regression-tests.action: Add fetch test for http://p.p/wpad.dat
Fabian Keil [Sat, 13 Mar 2021 10:17:38 +0000 (11:17 +0100)]
regression-tests.action: Add fetch test for p.p/wpad.dat

Bump for-privoxy-version to 3.0.33 which introduced the wpad.dat support.

3 weeks ago: Bump copyright
Fabian Keil [Fri, 5 Mar 2021 10:32:03 +0000 (11:32 +0100)]
Bump copyright

3 weeks ago: Add Richard Schneidt to the list of contributors
Fabian Keil [Fri, 5 Mar 2021 08:44:43 +0000 (09:44 +0100)]
Add Richard Schneidt to the list of contributors

3 weeks ago: Add a CGI handler for /wpad.dat
Fabian Keil [Mon, 1 Mar 2021 11:22:06 +0000 (12:22 +0100)]
Add a CGI handler for /wpad.dat

... that returns a Proxy Auto-Configuration (PAC) file.

Among other things, it can be used to instruct clients
through DHCP to use Privoxy as proxy.

For example with the dnsmasq option:
dhcp-option=252,http://config.privoxy.org/wpad.dat

Initial patch by Richard Schneidt.

3 weeks ago: listen_loop(): When shutting down gracefully, close listening ports
Fabian Keil [Sat, 13 Feb 2021 12:43:02 +0000 (13:43 +0100)]
listen_loop(): When shutting down gracefully, close listening ports

... before waiting for the threads to exit.

Allows starting a second Privoxy with the same config file
while the first Privoxy is still running.

3 weeks ago: GNUmakefile.in: Fix typo
Fabian Keil [Sun, 7 Feb 2021 15:44:52 +0000 (16:44 +0100)]
GNUmakefile.in: Fix typo

3 weeks ago: Add more tests for the '/send-banner' code
Fabian Keil [Sat, 6 Feb 2021 21:38:04 +0000 (22:38 +0100)]
Add more tests for the '/send-banner' code

3 weeks ago: Add test for OVE-20210203-0001
Fabian Keil [Sat, 6 Feb 2021 09:35:17 +0000 (10:35 +0100)]
Add test for OVE-20210203-0001

3 weeks ago: Add a test for CVE-2021-20217
Fabian Keil [Sat, 6 Feb 2021 09:16:17 +0000 (10:16 +0100)]
Add a test for CVE-2021-20217

3 weeks ago: Bump copyright
Fabian Keil [Thu, 21 Jan 2021 13:16:51 +0000 (14:16 +0100)]
Bump copyright

3 weeks ago: privoxy-log-parser: Add a --passed-request-statistics-threshold option
Fabian Keil [Mon, 11 Jan 2021 13:16:12 +0000 (14:16 +0100)]
privoxy-log-parser: Add a --passed-request-statistics-threshold option

That can be set to get statistics for requests that
were passed.

3 weeks ago: privoxy-log-parser: Add an "inactivity detection" mode
Fabian Keil [Sun, 21 Mar 2021 17:52:32 +0000 (18:52 +0100)]
privoxy-log-parser: Add an "inactivity detection" mode

Which can be useful for debugging purposes.
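The inactivity-detection mode added here, and the later fix "Detect date changes when looking for inactivity" listed further up on this page, both come down to one question: how large is the gap between two consecutive log lines when the lines may sit on different days. The following is an added example, not the privoxy-log-parser code. It assumes the timestamp layout visible in the log excerpts elsewhere on this page ("YYYY-MM-DD HH:MM:SS.mmm thread-id Type: message"); the sample log lines, the threshold and the function names are constructed for this example. The naive time-of-day comparison is kept alongside the correct one to show why the date has to be part of the comparison.

```python
"""
Inactivity detection over Privoxy-style log lines, including across midnight.

Added example, not the privoxy-log-parser code.  Assumes the log line layout
"YYYY-MM-DD HH:MM:SS.mmm <thread-id> <Type>: <message>"; the sample lines
below are constructed, not real Privoxy output.
"""
import re
from datetime import datetime

LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3}) "
    r"(?P<thread>[0-9a-f]+) (?P<type>[A-Za-z-]+): (?P<msg>.*)$"
)


def parse_timestamp(line: str):
    """Full datetime (date and time) of a log line, or None for lines that
    carry no timestamp (continuation lines, stray output)."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    # %f accepts the three-digit millisecond field and right-pads it.
    return datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")


def time_of_day_gap_seconds(prev, cur) -> float:
    """The naive gap: seconds between the two times of day, ignoring the date.
    Goes negative (about -86400) when a day boundary lies between the lines,
    so a checker built on it never reports the real inactivity across midnight."""
    def seconds_since_midnight(ts):
        return ts.hour * 3600 + ts.minute * 60 + ts.second + ts.microsecond / 1e6
    return seconds_since_midnight(cur) - seconds_since_midnight(prev)


def find_inactivity(lines, threshold_seconds: float):
    """Return [(previous_line, next_line, gap_seconds)] for each pair of
    consecutive timestamped lines at least threshold_seconds apart.

    Full date+time is subtracted, so a day change is measured correctly.
    A negative gap (log out of order, or the clock stepped backwards) is
    reported too, with gap_seconds < 0, instead of being silently dropped."""
    findings = []
    prev_ts = prev_line = None
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue  # no timestamp on this line, cannot measure from it
        if prev_ts is not None:
            gap = (ts - prev_ts).total_seconds()
            if gap < 0 or gap >= threshold_seconds:
                findings.append((prev_line, line, gap))
        prev_ts, prev_line = ts, line
    return findings


# Constructed sample spanning a day change (not real Privoxy output).
SAMPLE_LOG = """\
2021-03-20 23:59:58.100 619000011880 Request: example.org/
2021-03-20 23:59:58.250 619000011880 Connect: Connected to example.org:443 on socket 8.
2021-03-21 00:00:03.250 619000011880 Request: example.org/favicon.ico
2021-03-21 00:00:03.300 619000011880 Crunch: Blocked: example.org/favicon.ico
  this continuation line has no timestamp and is skipped
2021-03-21 00:02:13.300 619000011880 Request: example.org/other
""".splitlines()

if __name__ == "__main__":
    for before, after, gap in find_inactivity(SAMPLE_LOG, 5.0):
        print(f"{gap:8.3f}s between:\n  {before}\n  {after}")
```

Run as a script it reports the 5 s gap that straddles midnight and the 130 s gap after the blocked favicon request; the same two lines fed to `time_of_day_gap_seconds` give roughly -86395 s, which is the failure mode the date-change fix removes.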

3 weeks ago: privoxy-log-parser: Bump version to 0.9.4
Fabian Keil [Sun, 21 Mar 2021 17:58:03 +0000 (18:58 +0100)]
privoxy-log-parser: Bump version to 0.9.4

3 weeks ago: action_render_string_actions_template(): Reposition an asterisk
Fabian Keil [Tue, 23 Mar 2021 07:25:02 +0000 (08:25 +0100)]
action_render_string_actions_template(): Reposition an asterisk

3 weeks ago: cgi_edit_process_string_action(): Fix an error message
Fabian Keil [Tue, 23 Mar 2021 07:22:36 +0000 (08:22 +0100)]
cgi_edit_process_string_action(): Fix an error message

3 weeks ago: Allow editing the add-header action through the CGI editor
Maxim Antonov [Mon, 14 Dec 2020 09:48:32 +0000 (16:48 +0700)]
Allow editing the add-header action through the CGI editor

... by generalizing the code that got added with the
suppress-tag action.

Closes: SF patch request #146

3 weeks ago: Update max-client-connections's description
Fabian Keil [Thu, 25 Mar 2021 11:52:00 +0000 (12:52 +0100)]
Update max-client-connections's description

On modern systems other than Windows, Privoxy should
use poll(), in which case the FD_SETSIZE value isn't
relevant.

3 weeks ago: Add a warning that the socket-timeout does not apply to operations done by TLS libraries
Fabian Keil [Thu, 25 Mar 2021 11:58:00 +0000 (12:58 +0100)]
Add a warning that the socket-timeout does not apply to operations done by TLS libraries

3 weeks ago: privoxy-log-parser: Only run print_intro() and print_outro() when syntax highlighting
Fabian Keil [Thu, 25 Mar 2021 15:02:07 +0000 (16:02 +0100)]
privoxy-log-parser: Only run print_intro() and print_outro() when syntax highlighting

3 weeks ago: privoxy-log-parser: Rephrase a sentence in the documentation
Fabian Keil [Thu, 25 Mar 2021 15:03:45 +0000 (16:03 +0100)]
privoxy-log-parser: Rephrase a sentence in the documentation

3 weeks ago: process_encrypted_request(): Improve a log message
Fabian Keil [Fri, 26 Mar 2021 18:44:08 +0000 (19:44 +0100)]
process_encrypted_request(): Improve a log message

The function only processes request headers and there
may still be unread request body data left to process.

3 weeks ago: privoxy-log-parser: Highlight 'Client socket 7 is no longer usable. The server socket...
Fabian Keil [Fri, 26 Mar 2021 19:12:38 +0000 (20:12 +0100)]
privoxy-log-parser: Highlight 'Client socket 7 is no longer usable. The server socket has been closed.'

3 weeks ago: read_http_request_body(): Fix two error messages that used an incorrect variable
Fabian Keil [Sat, 27 Mar 2021 04:49:05 +0000 (05:49 +0100)]
read_http_request_body(): Fix two error messages that used an incorrect variable

3 weeks ago: chat(): Log the applied actions before deciding how to forward the request
Fabian Keil [Sat, 27 Mar 2021 06:46:00 +0000 (07:46 +0100)]
chat(): Log the applied actions before deciding how to forward the request

3 weeks ago: parse_time_header(): Silence a coverity complaint when building without assertions
Fabian Keil [Sat, 27 Mar 2021 10:07:12 +0000 (11:07 +0100)]
parse_time_header(): Silence a coverity complaint when building without assertions

3 weeks ago: Rename process_encrypted_request() to process_encrypted_request_headers()
Fabian Keil [Sat, 27 Mar 2021 14:45:48 +0000 (15:45 +0100)]
Rename process_encrypted_request() to process_encrypted_request_headers()

... and update the comment.

3 weeks ago: Rename receive_encrypted_request() to receive_encrypted_request_headers()
Fabian Keil [Sat, 27 Mar 2021 14:44:10 +0000 (15:44 +0100)]
Rename receive_encrypted_request() to receive_encrypted_request_headers()

... and update the comment description.

3 weeks ago: Block requests to eu-tlp01.kameleoon.eu/
Fabian Keil [Mon, 29 Mar 2021 10:31:00 +0000 (12:31 +0200)]
Block requests to eu-tlp01.kameleoon.eu/

3 weeks ago: Block requests to fpa-events.arstechnica.com/
Fabian Keil [Fri, 2 Apr 2021 08:48:47 +0000 (10:48 +0200)]
Block requests to fpa-events.arstechnica.com/

3 weeks ago: receive_encrypted_request_headers(): Improve a log message
Fabian Keil [Fri, 2 Apr 2021 15:15:32 +0000 (17:15 +0200)]
receive_encrypted_request_headers(): Improve a log message

3 weeks ago: uagen: Bump version to 1.2.3
Fabian Keil [Thu, 4 Nov 2021 20:24:44 +0000 (21:24 +0100)]
uagen: Bump version to 1.2.3

3 weeks ago: uagen: Bump generated Firefox version to 91 (ESR)
Fabian Keil [Thu, 4 Nov 2021 20:23:48 +0000 (21:23 +0100)]
uagen: Bump generated Firefox version to 91 (ESR)

4 months ago: nit: remove compiler warnings
Lee [Wed, 7 Jul 2021 03:15:34 +0000 (23:15 -0400)]
nit: remove compiler warnings

"log_error(LOG_LEVEL_FATAL, ..." doesn't return but apparently the compiler doesn't know that.
Get rid of several "this statement may fall through [-Wimplicit-fallthrough=]" warnings.

i686-w64-mingw32-gcc -c -Imbedtls/include -pipe -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -Wno-unused-but-set-variable -Wformat=2 -Wlogical-op -Wshadow -DNDEBUG -DWINVER=0x501  -I/source/pcre-8.44/ -I/source/mbedtls-2.16.10/include -I/source/brotli-1.0.9/c/include  -mwindows -Wall  jcc.c -o jcc.o
jcc.c: In function ‘bind_port_helper’:
jcc.c:5820:13: warning: this statement may fall through [-Wimplicit-fallthrough=]
 5820 |             log_error(LOG_LEVEL_FATAL,
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
 5821 |                "can't bind to %s:%d: There may be another Privoxy "
      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 5822 |                "or some other proxy running on port %d",
      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 5823 |                bind_address, hport, hport);
      |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~
jcc.c:5825:10: note: here
 5825 |          case -2:
      |          ^~~~

4 months ago: nit: note expected behavior
Lee [Wed, 7 Jul 2021 02:53:52 +0000 (22:53 -0400)]
nit: note expected behavior

If building for Windows with -Wimplicit-fallthrough you'll get a warning message about
"this statement may fall through."  Make it clear this is expected.

i686-w64-mingw32-gcc -c -Imbedtls/include -pipe -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -march=native -Wall -Wextra -Wno-missing-field-initializers -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -Wno-unused-but-set-variable -Wformat=2 -Wno-format-nonliteral -Wlogical-op -Wshadow -Wuninitialized -Winit-self -DNDEBUG -DWINVER=0x501  -I/source/pcre-8.44/ -I/source/mbedtls-2.16.10/include -I/source/brotli-1.0.9/c/include  -mwindows -Wall  w32log.c -o w32log.o
w32log.c: In function ‘LogWindowProc’:
w32log.c:1190:27: warning: this statement may fall through [-Wimplicit-fallthrough=]
 1190 |          g_bShowLogWindow = wParam;
      |          ~~~~~~~~~~~~~~~~~^~~~~~~~
w32log.c:1191:7: note: here
 1191 |       case WM_SIZE:  /* note: implicit-fallthrough */
      |       ^~~~

4 months ago: mbedTLS get_ciphersuites_from_string(): Use strlcpy() instead of strncpy()
Fabian Keil [Wed, 30 Jun 2021 12:58:12 +0000 (14:58 +0200)]
mbedTLS get_ciphersuites_from_string(): Use strlcpy() instead of strncpy()

Previously the terminating NUL wasn't copied which resulted
in a compiler warning. This didn't cause actual problems as
the target buffer was initialized by zalloc_or_die() so the
last byte of the target buffer was NUL already.

Actually copying the terminating NUL seems clearer, though.

Reported by: Lee

6 months ago: privoxy-log-parser: Clarify --statistics output
Fabian Keil [Wed, 24 Mar 2021 09:54:32 +0000 (10:54 +0100)]
privoxy-log-parser: Clarify --statistics output

... by explicitly mentioning that the status codes
sent by the server may differ from the ones in
"debug 512" messages.

6 months ago: privoxy-log-parser: Fix typo in the --statistics output
Fabian Keil [Tue, 23 Mar 2021 14:06:55 +0000 (15:06 +0100)]
privoxy-log-parser: Fix typo in the --statistics output

6 months ago: Mark #87 as work in progress
Fabian Keil [Tue, 23 Mar 2021 16:53:24 +0000 (17:53 +0100)]
Mark #87 as work in progress

6 months ago: load_config(): Fix indentation
Fabian Keil [Tue, 23 Mar 2021 04:58:47 +0000 (05:58 +0100)]
load_config(): Fix indentation

6 months ago: privoxy-log-parser: Remove an unused variable
Fabian Keil [Sun, 21 Mar 2021 17:05:53 +0000 (18:05 +0100)]
privoxy-log-parser: Remove an unused variable

6 months ago: Update #184 to note that it will probably appear after the 3.0.33 release
Fabian Keil [Sun, 14 Mar 2021 16:58:00 +0000 (17:58 +0100)]
Update #184 to note that it will probably appear after the 3.0.33 release

6 months ago: Rebuild docs
Fabian Keil [Thu, 20 May 2021 09:39:27 +0000 (11:39 +0200)]
Rebuild docs

6 months ago: Update the 'debug 1' description in two more places
Fabian Keil [Tue, 18 May 2021 09:25:12 +0000 (11:25 +0200)]
Update the 'debug 1' description in two more places

... which I overlooked in 30c327078f4486.

As of b94bbe62a9508 LOG_LEVEL_REQUEST logs all requests.

Pointed out by Lee.

7 months ago: Adapt Debian patches to GIT changes.
Roland Rosenfeld [Sun, 11 Apr 2021 11:08:39 +0000 (13:08 +0200)]
Adapt Debian patches to GIT changes.

7 months ago: Import Debian changes from 3.0.32-2 (apparmor fixup and documentation)
Roland Rosenfeld [Sun, 11 Apr 2021 11:06:38 +0000 (13:06 +0200)]
Import Debian changes from 3.0.32-2 (apparmor fixup and documentation)

7 months ago: rebuild docs
Lee [Sat, 10 Apr 2021 19:09:12 +0000 (15:09 -0400)]
rebuild docs

7 months ago: grammar nit
Lee [Sat, 10 Apr 2021 17:38:01 +0000 (13:38 -0400)]
grammar nit

7 months ago: grammar nit
Lee [Sat, 10 Apr 2021 17:35:45 +0000 (13:35 -0400)]
grammar nit

7 months ago: we don't need offensive documentation
Lee [Sat, 10 Apr 2021 17:33:39 +0000 (13:33 -0400)]
we don't need offensive documentation

7 months ago: add FIXME cvs is no more!!! notes
Lee [Sat, 10 Apr 2021 17:29:44 +0000 (13:29 -0400)]
add FIXME cvs is no more!!! notes

7 months ago: add another step in the windows release process
Lee [Sat, 10 Apr 2021 17:27:54 +0000 (13:27 -0400)]
add another step in the windows release process

- verify that you have current software for the libraries

7 months ago: add another step in the windows release process
Lee [Sat, 10 Apr 2021 17:25:54 +0000 (13:25 -0400)]
add another step in the windows release process

- verify that you have current software for the libraries

7 months ago: remove leading spaces from <screen> and <programlisting> blocks
Lee [Sat, 10 Apr 2021 17:18:15 +0000 (13:18 -0400)]
remove leading spaces from <screen> and <programlisting> blocks

we automatically add two leading spaces to every line in <screen>
and <programlisting> blocks now, so remove the explicit indentation
that was there.

7 months ago: have <screen> and <programlisting> blocks indented by two spaces
Lee [Sat, 10 Apr 2021 16:49:41 +0000 (12:49 -0400)]
have <screen> and <programlisting> blocks indented by two spaces

Define %indent-programlisting-lines% and %indent-screen-lines% to be
two spaces for both the print and html generated text styles
  <style-specification id="print|html"

after which I get a stack overflow when pulling in the GPL licence text,
so import into a <literallayout> section instead of a <screen>

7 months ago: update windows build instructions
Lee [Sat, 10 Apr 2021 16:36:14 +0000 (12:36 -0400)]
update windows build instructions

tell where to get and how to build the PCRE, MBED-TLS, brotli libraries.

7 months ago: Add missing <filename> ... </filename> markup for filenames.
Lee [Sat, 10 Apr 2021 15:33:25 +0000 (11:33 -0400)]
Add missing <filename> ... </filename> markup for filenames.

7 months ago: Update the max-client-connections documentation
Lee [Sat, 10 Apr 2021 15:16:42 +0000 (11:16 -0400)]
Update the max-client-connections documentation

The default value for max-client-connections is 128, so there is no
"Effect if unset:".  The value is 128 or whatever the user specified in
the config file.

7 months ago: "Maximum number of connections reached" msg log level changed to LOG_LEVEL_ERROR
Lee [Sat, 10 Apr 2021 15:05:28 +0000 (11:05 -0400)]
"Maximum number of connections reached" msg log level changed to LOG_LEVEL_ERROR

Since the max number of connections is a user-set value, make it easier to
notice that the limit is being hit.
It was logged at LOG_LEVEL_CONNECT, which is easy to miss.

8 months ago: Remove #142 as the obsolete pcre code has been removed
Fabian Keil [Sun, 14 Mar 2021 01:23:46 +0000 (02:23 +0100)]
Remove #142 as the obsolete pcre code has been removed

8 months ago: Remove obsolete pcre code
Fabian Keil [Fri, 26 Feb 2021 09:35:36 +0000 (10:35 +0100)]
Remove obsolete pcre code

It was already detached from the build since d7c2657e0b.

8 months ago: fix indentation
Lee [Sun, 21 Mar 2021 20:45:27 +0000 (16:45 -0400)]
fix indentation

8 months ago: add a note that DEP is also called NX or nxcompat
Lee [Sun, 21 Mar 2021 20:41:34 +0000 (16:41 -0400)]
add a note that DEP is also called NX or nxcompat

and show how to check for the flag being set

8 months ago: update the windows build to use the latest mbed tls v2.16.10
Lee [Sun, 21 Mar 2021 20:33:03 +0000 (16:33 -0400)]
update the windows build to use the latest mbed tls v2.16.10

release notes:
 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10

This release of Mbed TLS provides bug fixes and minor enhancements.
This release includes fixes for security issues.

Default behavior changes

    In mbedtls_rsa_context objects, the ver field was formerly documented
    as always 0. It is now reserved for internal purposes and may take
    different values.

Security

    Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
    |A| - |B| where |B| is larger than |A| and has more limbs (so the
    function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
    applications calling mbedtls_mpi_sub_abs() directly are affected:
    all calls inside the library were safe since this function is
    only called with |A| >= |B|. Reported by Guido Vranken in #4042.
    Fix an erroneous estimation for an internal buffer in
    mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
    value the function might fail to write a private RSA key of the largest
    supported size.
    Found by Daniel Otte, reported in #4093 and fixed in #4094,
    backported in #4100.
    Fix a stack buffer overflow with mbedtls_net_poll() and
    mbedtls_net_recv_timeout() when given a file descriptor that is
    beyond FD_SETSIZE. Reported by FigBug in #4169.
    Guard against strong local side channel attack against base64 tables by
    making access to them use constant flow code.

Bugfix

    Fix an incorrect error code if an RSA private operation glitched.
    Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
    is enabled, on platforms where initializing a mutex allocates resources.
    This was a regression introduced in the previous release. Reported in
    #4017, #4045 and #4071.
    Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
    twice is safe. This happens for RSA when some Mbed TLS library functions
    fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
    enabled on platforms where freeing a mutex twice is not safe.
    Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
    when MBEDTLS_THREADING_C is enabled on platforms where initializing
    a mutex allocates resources.
    This change makes 'mbedtls_x509write_crt_set_basic_constraints'
    consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
    include this extension in all CA certificates that contain public keys
    used to validate digital signatures on certificates and MUST mark the
    extension as critical in such certificates." Previous to this change,
    the extension was always marked as non-critical. This was fixed by
    #4044.

8 months ago: do not give warnings for a windows build using --disable-pthread
Lee [Sun, 21 Mar 2021 20:22:07 +0000 (16:22 -0400)]
do not give warnings for a windows build using --disable-pthread

Posix threads need to be disabled on windows - see w32svrapi.c
  ...

8 months ago: Merge branch 'master' of ssh://git.privoxy.org:23/git/privoxy
Lee [Sun, 21 Mar 2021 19:24:57 +0000 (15:24 -0400)]
Merge branch 'master' of ssh://git.privoxy.org:23/git/privoxy

8 months ago: If the response is chunk-encoded, ignore the Content-Length
Fabian Keil [Sat, 20 Mar 2021 13:05:44 +0000 (14:05 +0100)]
If the response is chunk-encoded, ignore the Content-Length

... header sent by the server.

Allows loading https://redmine.lighttpd.net/ with filtering enabled.

Previously requests would fail with complaints like:

   2021-03-20 14:02:08.924 619000011880 Connect: Done reading from server. Expected content length: 7235. Actual content length: 7243. Bytes most recently read: 8130.
   2021-03-20 14:02:08.924 619000011880 Re-Filter: Need to de-chunk first
   2021-03-20 14:02:08.924 619000011880 Error: Not enough room for trailing CRLF.
   2021-03-20 14:02:08.925 619000011880 Connect: Received 7243 bytes while expecting 7235.
   2021-03-20 14:02:08.925 619000011880 Connect: Marking the server socket 8 tainted.

Privoxy would then forward a partially de-chunked response with
trailing garbage without removing the Transfer-Encoding header.
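A response that carries both a Content-Length and Transfer-Encoding: chunked is exactly the ambiguity that HTTP request and response smuggling exploits, so a forwarding proxy must pick one framing and rewrite the headers to match. RFC 7230 section 3.3.3 settles it: Transfer-Encoding wins, and the Content-Length must be removed before the message is forwarded. The following is an added example, not Privoxy's code, that applies that rule: it de-chunks the body, drops both framing headers, and emits a Content-Length that matches the bytes actually sent. It also refuses a chunk without its trailing CRLF, which is the condition behind the "Not enough room for trailing CRLF" line quoted above. The sample response, its headers and the function names are constructed for this example.

```python
"""
Resolving a Content-Length / Transfer-Encoding conflict before forwarding.

Added example, not Privoxy code.  RFC 7230 section 3.3.3: if both headers are
present, Transfer-Encoding determines the message length and Content-Length
MUST be removed before forwarding.  SAMPLE_RESPONSE is constructed; its
Content-Length (5) deliberately disagrees with the de-chunked body (11 bytes).
"""


def split_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body


def is_chunked(headers) -> bool:
    """True only if the *final* transfer coding is 'chunked'; any other final
    coding leaves the length undefined and the response close-delimited."""
    for name, value in headers:
        if name.lower() == "transfer-encoding":
            codings = [c.strip().lower() for c in value.split(",") if c.strip()]
            if codings and codings[-1] == "chunked":
                return True
    return False


def dechunk(body: bytes) -> bytes:
    """Decode chunked framing.  Raises on a truncated chunk or a chunk that is
    not followed by CRLF instead of passing the garbage through."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        # Chunk extensions (";name=value") are ignored, as RFC 7230 permits.
        size = int(body[pos:nl].split(b";", 1)[0].strip(), 16)
        pos = nl + 2
        if size == 0:
            # Trailer section: zero or more header lines, then an empty line.
            end = body.find(b"\r\n", pos)
            while end != pos:
                if end < 0:
                    raise ValueError("truncated trailer section")
                pos = end + 2
                end = body.find(b"\r\n", pos)
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk or missing trailing CRLF")
        out += chunk
        pos += size + 2


def reframe_for_forwarding(raw: bytes) -> bytes:
    """Return the message with the body de-chunked, Transfer-Encoding dropped
    and Content-Length replaced by the real body length.  A message that is
    not chunked is returned unchanged."""
    start_line, headers, body = split_message(raw)
    if not is_chunked(headers):
        return raw
    payload = dechunk(body)
    # Drop both framing headers: the server's Content-Length is untrustworthy
    # and Transfer-Encoding no longer describes the body we are about to send.
    kept = [(n, v) for n, v in headers
            if n.lower() not in ("transfer-encoding", "content-length")]
    kept.append(("Content-Length", str(len(payload))))
    head = start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return head.encode("latin-1") + payload


# Constructed sample: Content-Length lies, but the chunked framing is valid.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"6\r\nhello \r\n"
    b"5\r\nworld\r\n"
    b"0\r\n\r\n"
)

# Constructed sample: the second chunk lacks its trailing CRLF.
TRUNCATED_RESPONSE = SAMPLE_RESPONSE.replace(b"5\r\nworld\r\n", b"5\r\nworld0\r\n")

if __name__ == "__main__":
    print(reframe_for_forwarding(SAMPLE_RESPONSE).decode("latin-1"))
```

Note that `is_chunked` looks at the last coding only: "gzip, chunked" is framed by chunks, while "chunked, gzip" is not and must be treated as close-delimited rather than de-chunked.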

8 months ago: Add Gwyn Ciesla to the list of contributors
Fabian Keil [Fri, 19 Mar 2021 09:03:38 +0000 (10:03 +0100)]
Add Gwyn Ciesla to the list of contributors

8 months ago: configure: Add another warning in case --disable-pthread is used
Fabian Keil [Thu, 18 Mar 2021 17:25:15 +0000 (18:25 +0100)]
configure: Add another warning in case --disable-pthread is used

... while POSIX threads are available.

Various features don't even compile when not using threads.

8 months ago: Add configure option to enable MemorySanitizer
Fabian Keil [Sat, 6 Feb 2021 19:19:10 +0000 (20:19 +0100)]
Add configure option to enable MemorySanitizer

8 months ago: Add configure option to enable UndefinedBehaviorSanitizer
Fabian Keil [Sat, 6 Feb 2021 10:24:52 +0000 (11:24 +0100)]
Add configure option to enable UndefinedBehaviorSanitizer

8 months ago: Add configure option to enable AddressSanitizer
Fabian Keil [Sat, 6 Feb 2021 10:23:50 +0000 (11:23 +0100)]
Add configure option to enable AddressSanitizer

8 months ago: Bump copyright
Fabian Keil [Wed, 17 Mar 2021 11:35:12 +0000 (12:35 +0100)]
Bump copyright

8 months ago: Add a configure option to disable pcre JIT compilation
Fabian Keil [Wed, 17 Mar 2021 11:12:42 +0000 (12:12 +0100)]
Add a configure option to disable pcre JIT compilation

While JIT compilation makes filtering faster, it can
cause false-positive valgrind complaints like:

    ==94928== Thread 2:
    ==94928== Conditional jump or move depends on uninitialised value(s)
    ==94928==    at 0x40A990B: ???
    ==94928==    by 0x955E761: ???
    ==94928==  Uninitialised value was created by a heap allocation
    ==94928==    at 0x4C26A44: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
    ==94928==    by 0x5114247: BUF_MEM_grow_clean (in /usr/local/lib/libcrypto.so.11)
    ==94928==    by 0x50F2FD2: ??? (in /usr/local/lib/libcrypto.so.11)
    ==94928==    by 0x50EDB7F: ??? (in /usr/local/lib/libcrypto.so.11)
    ==94928==    by 0x50ECD78: ??? (in /usr/local/lib/libcrypto.so.11)
    ==94928==    by 0x50ECC75: BIO_write (in /usr/local/lib/libcrypto.so.11)
    ==94928==    by 0x5C15B0F: ??? (in /usr/local/lib/libssl.so.11)
    ==94928==    by 0x5C422A9: ??? (in /usr/local/lib/libssl.so.11)
    ==94928==    by 0x5C39156: ??? (in /usr/local/lib/libssl.so.11)
    ==94928==    by 0x5C07F9A: ??? (in /usr/local/lib/libssl.so.11)
    ==94928==    by 0x50ED3AA: BIO_ctrl (in /usr/local/lib/libcrypto.so.11)
    ==94928==    by 0x460033: create_server_ssl_connection (openssl.c:1150)

As reported by Gwyn Ciesla in SF bug 924, it can also
cause problems when the SELinux policy does not grant
Privoxy "execmem" privileges.

8 months ago: configure: Remove obsolete RPM_BASE check
Fabian Keil [Wed, 17 Mar 2021 11:06:49 +0000 (12:06 +0100)]
configure: Remove obsolete RPM_BASE check

8 months ago: Bump copyright
Fabian Keil [Wed, 17 Mar 2021 10:58:38 +0000 (11:58 +0100)]
Bump copyright

8 months ago: Store the PEM certificate in a dynamically allocated buffer
Fabian Keil [Wed, 17 Mar 2021 08:13:53 +0000 (09:13 +0100)]
Store the PEM certificate in a dynamically allocated buffer

... when https-inspecting.

Should prevent errors like:
2021-03-16 22:36:19.148 7f47bbfff700 Error: X509 PEM cert len 16694 is larger than buffer len 16383

As a bonus it should slightly reduce the memory usage as most
certificates are smaller than the previously used fixed buffer.

Reported by: Wen Yue