From 0d04dd411e43b85c164e15e504db49607be72b3b Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Tue, 7 Dec 2021 15:25:32 +0100 Subject: [PATCH] Minor ChangeLog improvements --- ChangeLog | 147 +++++++++++++++++++++++++++--------------------------- 1 file changed, 74 insertions(+), 73 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f0fff98..6a00f3f5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -35,79 +35,81 @@ ChangeLog for Privoxy when unloading an action file with a TAG pattern while Privoxy has been compiled without FEATURE_PCRE_HOST_PATTERNS. Closes: SF patch request #147. Patch by Maxim Antonov. - - Establish the TLS connection with the client earlier and decide - how to route the request afterwards. This allows to change the - forwarding settings based on information from the https-inspected - request, for example the path. - Adjust build_request_line() to create a CONNECT request line when https-inspecting and forwarding to a HTTP proxy. Fixes SF bug #925 reported by Wen Yue. - load_config(): Add a space that was missing in a log message. + - read_http_request_body(): Fix two error messages that used an + incorrect variable. + - If the the response is chunk-encoded, ignore the Content-Length + header sent by the server. + Allows to load https://redmine.lighttpd.net/ with filtering enabled. - General improvements: + - Allow to edit the add-header action through the CGI editor by + generalizing the code that got added with the suppress-tag action. + Closes SF patch request #146. Patch by Maxim Antonov. + - Add a CGI handler for /wpad.dat that returns a + Proxy Auto-Configuration (PAC) file. + Among other things, it can be used to instruct clients + through DHCP to use Privoxy as proxy. + For example with the dnsmasq option: + dhcp-option=252,http://config.privoxy.org/wpad.dat + Initial patch by Richard Schneidt. + - Don't log the applied actions in process_encrypted_request() + Log them in continue_https_chat() instead to mirror chat(). + Prevents the applied actions from getting logged twice + for the first request on an https-inspected connection. + - OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name + Org and Org Unit if the real host name is too long to get accepted by OpenSSL. + Clients should only care about the Subject Alternative Name + anyway and we can continue to use the real host name for it. 
+ Reported by Miles Wen on privoxy-users@. + - Establish the TLS connection with the client earlier and decide + how to route the request afterwards. This allows to change the + forwarding settings based on information from the https-inspected + request, for example the path. + - listen_loop(): When shutting down gracefully, close listening ports + before waiting for the threads to exit. Allows to start a second + Privoxy with the same config file while the first Privoxy is still + running. - serve(): Close the client socket as well if the server socket for an inspected connection has been closed. Privoxy currently can't establish a new server connection when the client socket is reused and would drop the connection in continue_https_chat() anyway. - - Don't disable redirect checkers in redirect_url() + - Don't disable redirect checkers in redirect_url(). Disable them in handle_established_connection() instead. Doing it in redirect_url() prevented the +redirect{} and +fast-redirects{} actions from being logged with LOG_LEVEL_ACTIONS. - - handle_established_connection(): Slightly improve a comment - - handle_established_connection(): Fix a comment + - handle_established_connection(): Slightly improve a comment. + - handle_established_connection(): Fix a comment. - socks5_connect(): Fix indentation. - - handle_established_connection(): Improve an error message - - create_pattern_spec(): Fix ifdef indentation - - Fix comment typos - - Add a CGI handler for /wpad.dat that returns a - Proxy Auto-Configuration (PAC) file. - Among other things, it can be used to instruct clients - through DHCP to use Privoxy as proxy. - For example with the dnsmasq option: - dhcp-option=252,http://config.privoxy.org/wpad.dat - Initial patch by Richard Schneidt. - - listen_loop(): When shutting down gracefully, close listening ports - before waiting for the threads to exit. - Allows to start a second Privoxy with the same config file - while the first Privoxy is still running. 
- - Allow to edit the add-header action through the CGI editor by - generalizing the code that got added with the suppress-tag action. - Closes SF patch request #146. Patch by Maxim Antonov. - - process_encrypted_request(): Improve a log message + - handle_established_connection(): Improve an error message. + - create_pattern_spec(): Fix ifdef indentation. + - Fix comment typos. + - process_encrypted_request(): Improve a log message. The function only processes request headers and there may still be unread request body data left to process. - - read_http_request_body(): Fix two error messages that used an incorrect variable. - chat(): Log the applied actions before deciding how to forward the request. - parse_time_header(): Silence a coverity complaint when building without assertions. - - receive_encrypted_request_headers(): Improve a log message + - receive_encrypted_request_headers(): Improve a log message. - mbedTLS get_ciphersuites_from_string(): Use strlcpy() instead of strncpy(). Previously the terminating NUL wasn't copied which resulted in a compiler warning. This didn't cause actual problems as the target buffer was initialized by zalloc_or_die() so the last byte of the target buffer was NUL already. Actually copying the terminating NUL seems clearer, though. - - Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..." doesn't return - but apparently the compiler doesn't know that. - Get rid of several "this statement may fall through [-Wimplicit-fallthrough=]" warnings. - - If the the response is chunk-encoded, ignore the Content-Length - header sent by the server. - Allows to load https://redmine.lighttpd.net/ with filtering enabled. + - Remove compiler warnings. "log_error(LOG_LEVEL_FATAL, ..." + doesn't return but apparently the compiler doesn't know that. + Get rid of several "this statement may fall through + [-Wimplicit-fallthrough=]" warnings. - Store the PEM certificate in a dynamically allocated buffer when https-inspecting. 
Should prevent errors like: 2021-03-16 22:36:19.148 7f47bbfff700 Error: X509 PEM cert len 16694 is larger than buffer len 16383 As a bonus it should slightly reduce the memory usage as most certificates are smaller than the previously used fixed buffer. Reported by: Wen Yue - - Don't log the applied actions in process_encrypted_request() - Log them in continue_https_chat() instead to mirror chat(). - Prevents the applied actions from getting logged twice - for the first request on an https-inspected connection. - - OpenSSL generate_host_certificate(): Use config.privoxy.org as Common Name - Org and Org Unit if the real host name is too long to get accepted by OpenSSL. - Clients should only care about the Subject Alternative Name - anyway and we can continue to use the real host name for it. - Reported by Miles Wen on privoxy-users@. - OpenSSL generate_host_certificate(): Fix two error messsages. - Improve description of handle_established_connection() - OpenSSL ssl_store_cert(): Translate EVP_PKEY_EC to a string. 
@@ -117,33 +119,32 @@ ChangeLog for Privoxy - Action file improvements: - Disable fast-redirects for .microsoftonline.com/. - Disable fast-redirects for idp.springer.com/. - - Disable fast-redirects for .zeit.de/zustimmung - - Unblock adv-archiv.dfn-cert.de/ - - Block requests to eu-tlp01.kameleoon.eu/ - - Block requests to fpa-events.arstechnica.com/ + - Disable fast-redirects for .zeit.de/zustimmung. + - Unblock adv-archiv.dfn-cert.de/. + - Block requests to eu-tlp01.kameleoon.eu/. + - Block requests to fpa-events.arstechnica.com/. - Unblock nlnet.nl/. - Unblock adguard.com/. - Privoxy-Log-Parser: - - Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36' - - Improve documentation for inactivity-detection mode - - Detect date changes when looking for inactivity + - Highlight 'Socket timeout 3 reached: http://127.0.0.1:20000/no-filter/chunked-content/36'. + - Improve documentation for inactivity-detection mode. + - Detect date changes when looking for inactivity. - Add a --passed-request-statistics-threshold option - That can be set to get statistics for requests that + that can be set to get statistics for requests that were passed. - - Add a "inactivity detection" mode - Which can be useful for debugging purposes. - - Bump version to 0.9.4 - - Only run print_intro() and print_outro() when syntax highlighting - - Rephrase a sentence in the documentation - - Highlight 'Client socket 7 is no longer usable. The server socket has been closed.' - - Clarify --statistics output - by explicitly mentioning that the status codes - sent by the server may differ from the ones in - "debug 512" messages. - - Fix typo in the --statistics output - - Remove an unused variable - - Highlight 'The peer notified us that the connection on socket 11 is going to be closed' + - Add a "inactivity detection" mode which can be useful + for debugging purposes. + - Bump version to 0.9.4. + - Only run print_intro() and print_outro() when syntax highlighting. 
+ - Rephrase a sentence in the documentation. + - Highlight 'Client socket 7 is no longer usable. The server socket has been closed.'. + - Clarify --statistics output by explicitly mentioning that + the status codes sent by the server may differ from the ones + in "debug 512" messages. + - Fix typo in the --statistics output. + - Remove an unused variable. + - Highlight 'The peer notified us that the connection on socket 11 is going to be closed'. - Privoxy-Regression-Test: - Remove duplicated word in a comment. @@ -156,27 +157,27 @@ ChangeLog for Privoxy - Add a test for CVE-2021-20217. - uagen: - - Bump generated Firefox version to 91 (ESR) - - Bump version to 1.2.3 - - Bump copyright + - Bump generated Firefox version to 91 (ESR). + - Bump version to 1.2.3. + - Bump copyright. - Build system: - configure: Bump SOURCE_DATE_EPOCH. - GNUmakefile.in: Fix typo. - - configure: Add another warning in case --disable-pthread is used - while POSIX threads are available. + - configure: Add another warning in case --disable-pthread + is used while POSIX threads are available. Various features don't even compile when not using threads. - Add configure option to enable MemorySanitizer. - Add configure option to enable UndefinedBehaviorSanitizer. - Add configure option to enable AddressSanitizer. - - Bump copyright + - Bump copyright. - Add a configure option to disable pcre JIT compilation. While JIT compilation makes filtering faster it can cause false-positive valgrind complaints. As reported by Gwyn Ciesla in SF bug 924 it also can cause problems when the SELinux policy does not grant Privoxy "execmem" privileges. - - configure: Remove obsolete RPM_BASE check + - configure: Remove obsolete RPM_BASE check. - Windows build system: - Update the build script to use mbed tls version 2.6.11. 
@@ -185,7 +186,7 @@ ChangeLog for Privoxy - macOS build system: - The OSXPackageBuilder repository has been updated and - can be used to create macOS packages. + can be used to create macOS packages again. - Documentation: - contacting: Remove obsolete reference to announce.sgml. @@ -206,13 +207,13 @@ ChangeLog for Privoxy Make it easier for users to do the right thing by having all those options present in the config. - Update TODO list item #184 to note that WolfSSL support will - (hopefully) appear after the 3.0.34 release + (hopefully) appear after the 3.0.34 release. - Update max-client-connections's description. On modern systems other than Windows Privoxy should use poll() in which case the FD_SETSIZE value isn't releveant. - Add a warning that the socket-timeout does not apply - to operations done by TLS libraries + to operations done by TLS libraries. - Make documentation slightly less "offensive" for some people by avoiding the word "hell". -- 2.39.2
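Review bot: In the hunk at @@ -35,79 +35,81 @@, the re-added entry `If the the response is chunk-encoded, ignore the Content-Length` keeps the duplicated "the the" from the line it replaces; since the entry is being moved anyway, drop the extra word. The moved entry `Don't log the applied actions in process_encrypted_request()` still lacks the full stop that this patch adds to `Don't disable redirect checkers in redirect_url().`, and the unchanged lines `Fix two error messsages.` and `Improve description of handle_established_connection()` at the end of the hunk carry a misspelling and a missing full stop respectively.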
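Review bot: In the Privoxy-Log-Parser part of the hunk at @@ -117,33 +119,32 @@, the rewrapped line `Add a "inactivity detection" mode which can be useful` should read `Add an "inactivity detection" mode`. Appending a full stop after the quoted log messages also produces `The server socket has been closed.'.`, where the quoted message already ends in a full stop; consider leaving that one entry without the trailing full stop, or moving the quoted message onto its own line.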
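Review bot: In the build system part of the hunk at @@ -156,27 +157,27 @@, the unchanged line `As reported by Gwyn Ciesla in SF bug 924 it also can` references the tracker as `SF bug 924`, while the first hunk writes `SF bug #925` and `SF patch request #147`. Since this patch is about consistency, add the `#` here as well.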
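Review bot: In the hunk at @@ -206,13 +207,13 @@, the context line `in which case the FD_SETSIZE value isn't releveant.` sits between two lines this patch edits and still has "releveant" misspelled; correct it to "relevant" in the same change.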