From 5ee3e711d51e9fc40564f25fed2dccde2c76656c Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Tue, 4 Mar 2008 18:30:44 +0000 Subject: [PATCH] Remove the treat-forbidden-connects-like-blocks action. We now use the "blocked" page for forbidden CONNECT requests by default. --- ChangeLog | 3 ++ actionlist.h | 6 ++- actions.c | 28 ++++++++++- default.action.master | 13 +---- doc/source/user-manual.sgml | 91 +++------------------------------- jcc.c | 59 ++++++---------------- project.h | 10 ++-- standard.action | 3 +- templates/edit-actions-for-url | 21 ++------ 9 files changed, 67 insertions(+), 167 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10275f88..da624222 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ ChangeLog for Privoxy the show-status page hides the edit buttons and explains why. Previously the user would get the "this feature has been disabled" message after using the edit button. +- Forbidden CONNECT requests are treated like blocks by default. + The now-pointless treat-forbidden-connects-like-blocks action + has been removed. - Fixed false-positives with the link-by-url filter and URLs that contain the pattern "/jump/". - The less-download-windows filter no longer messes diff --git a/actionlist.h b/actionlist.h index 929b73d0..2bb89172 100644 --- a/actionlist.h +++ b/actionlist.h @@ -39,6 +39,10 @@ * * Revisions : * $Log: actionlist.h,v $ + * Revision 1.29 2008/03/01 14:00:43 fabiankeil + * Let the block action take the reason for the block + * as argument and show it on the "blocked" page. + * * Revision 1.28 2007/12/11 21:08:29 fabiankeil * Let the CGI editor suggest a forward-override * parameter whose syntax is actually valid. 
@@ -237,8 +241,6 @@ DEFINE_ACTION_STRING ("set-image-blocker", ACTION_IMAGE_BLOCKER, DEFINE_CGI_PARAM_RADIO ("set-image-blocker", ACTION_IMAGE_BLOCKER, ACTION_STRING_IMAGE_BLOCKER, "pattern", 1) DEFINE_CGI_PARAM_RADIO ("set-image-blocker", ACTION_IMAGE_BLOCKER, ACTION_STRING_IMAGE_BLOCKER, "blank", 0) DEFINE_CGI_PARAM_CUSTOM ("set-image-blocker", ACTION_IMAGE_BLOCKER, ACTION_STRING_IMAGE_BLOCKER, CGI_PREFIX "send-banner?type=pattern") -DEFINE_ACTION_BOOL ("treat-forbidden-connects-like-blocks", ACTION_TREAT_FORBIDDEN_CONNECTS_LIKE_BLOCKS) - #if DEFINE_ACTION_ALIAS diff --git a/actions.c b/actions.c index d5c02c48..2fb546f4 100644 --- a/actions.c +++ b/actions.c @@ -1,4 +1,4 @@ -const char actions_rcs[] = "$Id: actions.c,v 1.42 2008/02/09 15:15:38 fabiankeil Exp $"; +const char actions_rcs[] = "$Id: actions.c,v 1.43 2008/03/01 14:00:43 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/actions.c,v $ @@ -33,6 +33,10 @@ const char actions_rcs[] = "$Id: actions.c,v 1.42 2008/02/09 15:15:38 fabiankeil * * Revisions : * $Log: actions.c,v $ + * Revision 1.43 2008/03/01 14:00:43 fabiankeil + * Let the block action take the reason for the block + * as argument and show it on the "blocked" page. + * * Revision 1.42 2008/02/09 15:15:38 fabiankeil * List active and inactive actions in the show-url-info's * "Final results" section separately. Patch submitted by Lee 
@@ -602,6 +606,23 @@ jb_err get_action_token(char **line, char **name, char **value) return JB_ERR_OK; } +/********************************************************************* + * + * Function : action_used_to_valid_ + * + * Description : Checks if unrecognized actions were valid in earlier + * releases. + * + * Parameters : + * 1 : action = The string containing the action to check. + * + * Returns : True if yes, otherwise false. + * + *********************************************************************/ +static int action_used_to_be_valid(const char *action) +{ + return (0 == strcmpic(action, "treat-forbidden-connects-like-blocks")); +} /********************************************************************* * @@ -781,6 +802,11 @@ jb_err get_actions(char *line, /* Found it */ merge_actions(cur_action, alias->action); } + else if ((2 < strlen(option)) && action_used_to_be_valid(option+1)) + { + log_error(LOG_LEVEL_ERROR, "Action '%s' is no longer valid " + "in this Privoxy release. Ignored.", option+1); + } else { /* Bad action name */ diff --git a/default.action.master b/default.action.master index 23433ebd..eeadb155 100644 --- a/default.action.master +++ b/default.action.master @@ -9,7 +9,7 @@ # # File : $Source: /cvsroot/ijbswa/current/default.action.master,v $ # -# $Id: default.action.master,v 1.113 2008/03/01 14:00:44 fabiankeil Exp $ +# $Id: default.action.master,v 1.114 2008/03/01 15:25:34 fabiankeil Exp $ # # Requires : This version requires Privoxy v3.0.9 or later due to # syntax changes. 
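Review bot: The header comment of the new helper names the function `action_used_to_valid_`, while the definition below it is `action_used_to_be_valid`; the `Function :` line should read `action_used_to_be_valid` so that a search on the name finds its documentation. The `Returns` entry could state the actual contract, for example `Returns : Non-zero if the action was valid in an earlier release, zero otherwise.` The helper compares the bare action name, so the `Parameters` entry should say that callers must strip the `+`/`-` prefix before passing the string in.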
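Review bot: In the new `else if` of get_actions, `option+1` drops the first character without checking that it is `+` or `-`, so any one-character prefix followed by the old name is reported as an obsolete action instead of reaching the bad-action-name path. Whether the prefix is validated earlier cannot be seen here, because the function starts and ends outside the hunk. A guard such as `(('+' == *option) || ('-' == *option))` ahead of the call would make the match exact. The log text also says only "Ignored.", although a rule that used the `-` form to switch the action off now gets the opposite behaviour, given the ChangeLog statement that forbidden CONNECT requests are treated like blocks by default. Naming that new default in the message would let an administrator notice the change when reading the log.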
@@ -491,17 +491,6 @@ # This allows you to add an arbitrary cookie. Specify it multiple # times in order to add several cookies. # -# +treat-forbidden-connects-like-blocks -# If this action is enabled, Privoxy no longer makes a difference between -# forbidden connects and ordinary blocks. -# -# By default Privoxy answers forbidden "Connect" requests with a short -# error message inside the headers. If the browser doesn't display headers -# (most don't), you just see an empty page. With this action enabled, -# Privoxy displays the message that is used for ordinary blocks instead. If -# you decide to make an exception for the page in question, you can do so -# by following the "See why" link. -# ############################################################################# ############################################################################# diff --git a/doc/source/user-manual.sgml b/doc/source/user-manual.sgml index 6a07d878..bc82970c 100644 --- a/doc/source/user-manual.sgml +++ b/doc/source/user-manual.sgml @@ -33,7 +33,7 @@ This file belongs into ijbswa.sourceforge.net:/home/groups/i/ij/ijbswa/htdocs/ - $Id: user-manual.sgml,v 2.63 2008/02/22 05:50:37 markm68k Exp $ + $Id: user-manual.sgml,v 2.64 2008/03/01 14:10:28 fabiankeil Exp $ Copyright (C) 2001-2008 Privoxy Developers http://www.privoxy.org/ See LICENSE. 
@@ -59,7 +59,7 @@ -$Id: user-manual.sgml,v 2.63 2008/02/22 05:50:37 markm68k Exp $ +$Id: user-manual.sgml,v 2.64 2008/03/01 14:10:28 fabiankeil Exp $ - -treat-forbidden-connects-like-blocks - - - - Typical use: - - Block forbidden connects with an easy to find error message. - - - - - Effect: - - - If this action is enabled, Privoxy no longer - makes a difference between forbidden connects and ordinary blocks. - - - - - - Type: - - - Boolean - - - - - Parameter: - - N/A - - - - - Notes: - - - By default Privoxy answers - forbidden Connect requests - with a short error message inside the headers. If the browser doesn't display - headers (most don't), you just see an empty page. - - - With this action enabled, Privoxy displays - the message that is used for ordinary blocks instead. If you decide - to make an exception for the page in question, you can do so by - following the See why link. - - - For Connect requests the clients tell - Privoxy which host they are interested - in, but not which document they plan to get later. As a result, the - Go there anyway wouldn't work and is therefore suppressed. - - - - - - Example usage: - - - +treat-forbidden-connects-like-blocks - - - - - - - Summary @@ -8662,8 +8584,7 @@ In file: user.action [ View ] [ Edit ] + +set-image-blocker {pattern} 
@@ -8785,8 +8706,7 @@ In file: user.action [ View ] [ Edit ][ View ] [ Edit ]ssl) + if (http->ssl && connect_port_is_forbidden(csp)) { - if (connect_port_is_forbidden(csp)) - { - const char *acceptable_connect_ports = - csp->action->string[ACTION_STRING_LIMIT_CONNECT] ? - csp->action->string[ACTION_STRING_LIMIT_CONNECT] : - "443 (implied default)"; - if (csp->action->flags & ACTION_TREAT_FORBIDDEN_CONNECTS_LIKE_BLOCKS) - { - /* - * The response may confuse some clients, - * but makes unblocking easier. - * - * XXX: It seems to work with all major browsers, - * so we should consider returning a body by default someday ... - */ - log_error(LOG_LEVEL_INFO, "Request from %s marked for blocking. " - "limit-connect{%s} doesn't allow CONNECT requests to port %d.", - csp->ip_addr_str, acceptable_connect_ports, csp->http->port); - csp->action->flags |= ACTION_BLOCK; - http->ssl = 0; - } - else - { - write_socket(csp->cfd, CFORBIDDEN, strlen(CFORBIDDEN)); - log_error(LOG_LEVEL_INFO, "Request from %s denied. " - "limit-connect{%s} doesn't allow CONNECT requests to port %d.", - csp->ip_addr_str, acceptable_connect_ports, csp->http->port); - assert(NULL != csp->http->ocmd); - log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 403 0", csp->ip_addr_str, csp->http->ocmd); - - list_remove_all(csp->headers); - /* - * XXX: For consistency we might want to log a crunch message here. - */ - return; - } - } + const char *acceptable_connect_ports = + csp->action->string[ACTION_STRING_LIMIT_CONNECT] ? + csp->action->string[ACTION_STRING_LIMIT_CONNECT] : + "443 (implied default)"; + log_error(LOG_LEVEL_INFO, "Request from %s marked for blocking. " + "limit-connect{%s} doesn't allow CONNECT requests to port %d.", + csp->ip_addr_str, acceptable_connect_ports, csp->http->port); + csp->action->flags |= ACTION_BLOCK; + http->ssl = 0; } if (http->ssl == 0) diff --git a/project.h b/project.h index a01b5bfa..678f401d 100644 --- a/project.h +++ b/project.h 
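Review bot: The added branch in jcc.c sets `csp->action->flags |= ACTION_BLOCK` without recording why, so the "blocked" page may give no reason when a CONNECT port is refused by limit-connect. The revision notes elsewhere in this patch say the block action now takes a reason that is shown on that page, which suggests a reason string is expected whenever ACTION_BLOCK is set; confirm how the page handles a missing one and consider setting a limit-connect reason here. The removed code carried a comment explaining the trade-off and wrote a 403 entry at LOG_LEVEL_CLF; a one-line comment such as `/* Clear ssl so the request is answered with the regular "blocked" page. */` above `http->ssl = 0;` would keep the intent visible, and it is worth checking that the block path still produces an access-log entry for these requests. The opening lines of this hunk are not readable on this page, and the enclosing function continues outside it.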
@@ -1,7 +1,7 @@ #ifndef PROJECT_H_INCLUDED #define PROJECT_H_INCLUDED /** Version string. */ -#define PROJECT_H_VERSION "$Id: project.h,v 1.102 2008/02/03 13:46:14 fabiankeil Exp $" +#define PROJECT_H_VERSION "$Id: project.h,v 1.103 2008/03/01 14:00:45 fabiankeil Exp $" /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/project.h,v $ @@ -37,6 +37,10 @@ * * Revisions : * $Log: project.h,v $ + * Revision 1.103 2008/03/01 14:00:45 fabiankeil + * Let the block action take the reason for the block + * as argument and show it on the "blocked" page. + * * Revision 1.102 2008/02/03 13:46:14 fabiankeil * Add SOCKS5 support. Patch #1862863 by Eric M. Hopper with minor changes. * @@ -1055,10 +1059,8 @@ struct iob #define ACTION_HANDLE_AS_EMPTY_DOCUMENT 0x08000000UL /** Action bitmap: Redirect request. */ #define ACTION_REDIRECT 0x10000000UL -/** Action bitmap: Answer blocked Connects verbosely */ -#define ACTION_TREAT_FORBIDDEN_CONNECTS_LIKE_BLOCKS 0x20000000UL /** Action bitmap: Override the forward settings in the config file */ -#define ACTION_FORWARD_OVERRIDE 0x40000000UL +#define ACTION_FORWARD_OVERRIDE 0x20000000UL /** Action string index: How to deanimate GIFs */ diff --git a/standard.action b/standard.action index a02ff24c..8a45e827 100644 --- a/standard.action +++ b/standard.action @@ -2,7 +2,7 @@ # # File : $Source: /cvsroot/ijbswa/current/standard.action,v $ # -# $Id: standard.action,v 1.21 2007/09/01 11:06:04 fabiankeil Exp $ +# $Id: standard.action,v 1.22 2007/11/07 18:01:10 fabiankeil Exp $ # # Purpose : Provide prefedined sets of actions, see # http://www.privoxy.org/user-manual/actions-file.html @@ -90,6 +90,5 @@ standard.Medium +limit-connect{,} \ +overwrite-last-modified{randomize} \ +set-image-blocker{pattern} \ -+treat-forbidden-connects-like-blocks \ } standard.Advanced diff --git a/templates/edit-actions-for-url b/templates/edit-actions-for-url index 145ad50c..6a255d8e 100644 
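Review bot: Moving `ACTION_FORWARD_OVERRIDE` from `0x40000000UL` to `0x20000000UL` in project.h reuses the bit that `ACTION_TREAT_FORBIDDEN_CONNECTS_LIKE_BLOCKS` held until this commit, so a stale object file or out-of-tree code built against the old header would test the forward-override bit with the wrong meaning. Keeping `#define ACTION_FORWARD_OVERRIDE 0x40000000UL` and adding a comment such as `/* 0x20000000UL is unused (formerly treat-forbidden-connects-like-blocks). */` avoids the renumbering at no cost. If compacting the bitmap is intentional, a short note that action bit values are not stable across releases would help.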
--- a/templates/edit-actions-for-url +++ b/templates/edit-actions-for-url @@ -32,6 +32,10 @@ # # Revisions : # $Log: edit-actions-for-url,v $ +# Revision 1.49 2008/03/01 14:00:47 fabiankeil +# Let the block action take the reason for the block +# as argument and show it on the "blocked" page. +# # Revision 1.48 2007/12/11 21:18:55 fabiankeil # Make forward-override accessible through the CGI editor. # @@ -1321,23 +1325,6 @@ function show_send_wafer_opts(tf) - - - - - treat-forbidden-connects-like-blocks - - Answer forbidden Connect requests with the usual block message. - Makes unblocking easier, but the go there anyway link will not work - as expected. - - -- 2.39.2