From: Fabian Keil Date: Sat, 4 Aug 2007 09:56:23 +0000 (+0000) Subject: - Log rejected CONNECT requests with LOG_LEVEL_INFO X-Git-Tag: v_3_0_7~188 X-Git-Url: http://www.privoxy.org/gitweb/@default-cgi@/faq/%22https:/@default-cgi@show-url-info?a=commitdiff_plain;h=c99004f42d542f48f114285cd862f519280824a4;p=privoxy.git - Log rejected CONNECT requests with LOG_LEVEL_INFO and explain why they were rejected in the first place. - Fix the LOG_LEVEL_CLF message for crunches of unallowed CONNECT requests. The request line was missing. - Add two more XXX reminders as we don't have enough already. --- diff --git a/ChangeLog b/ChangeLog index 32985277..2e1176ea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -115,6 +115,8 @@ ChangeLog for Privoxy specify a Content-Type. Bug reported by Amuro Namie. - Allow to rewrite the request destination behind the client's back. - Fix socks requests on big-endian platforms. Patch provided by Song Weijia. +- Rejected CONNECT requests are logged with log level info + (enabled by default) and the reason for the block. - Minor code clean-ups, filter and action file updates. (Some of them reported by Davide Alberani, Markus Elfring and Adam Piggott) diff --git a/jcc.c b/jcc.c index 408612bb..e82e95c1 100644 --- a/jcc.c +++ b/jcc.c @@ -1,4 +1,4 @@ -const char jcc_rcs[] = "$Id: jcc.c,v 1.139 2007/07/14 07:46:41 fabiankeil Exp $"; +const char jcc_rcs[] = "$Id: jcc.c,v 1.140 2007/07/21 11:51:36 fabiankeil Exp $"; /********************************************************************* * * File : $Source: /cvsroot/ijbswa/current/jcc.c,v $ 
@@ -33,6 +33,12 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.139 2007/07/14 07:46:41 fabiankeil Exp $" * * Revisions : * $Log: jcc.c,v $ + * Revision 1.140 2007/07/21 11:51:36 fabiankeil + * As Hal noticed, checking dispatch_cgi() as the last cruncher + * looks like a bug if CGI requests are blocked unintentionally, + * so don't do it unless the user enabled the new config option + * "allow-cgi-request-crunching". + * * Revision 1.139 2007/07/14 07:46:41 fabiankeil * - Allow to rewrite the request destination behind the client's back. * - Turn the weird-looking unconditional for loop that @@ -2161,20 +2167,31 @@ static void chat(struct client_state *csp) /* * The response may confuse some clients, * but makes unblocking easier. + * + * XXX: It seems to work with all major browsers, + * so we should consider returning a body by default someday ... */ - log_error(LOG_LEVEL_ERROR, "Marking suspicious CONNECT request from %s for blocking.", - csp->ip_addr_str); + log_error(LOG_LEVEL_INFO, "Request from %s marked for blocking. " + "limit-connect{%s} doesn't allow CONNECT requests to port %d.", + csp->ip_addr_str, csp->action->string[ACTION_STRING_LIMIT_CONNECT], + csp->http->port); csp->action->flags |= ACTION_BLOCK; http->ssl = 0; } else { write_socket(csp->cfd, CFORBIDDEN, strlen(CFORBIDDEN)); - log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str); - log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str); + log_error(LOG_LEVEL_INFO, "Request from %s denied. " + "limit-connect{%s} doesn't allow CONNECT requests to port %d.", + csp->ip_addr_str, csp->action->string[ACTION_STRING_LIMIT_CONNECT], + csp->http->port); + assert(NULL != csp->http->ocmd); + log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 403 0", csp->ip_addr_str, csp->http->ocmd); list_remove_all(csp->headers); - + /* + * XXX: For consistency we might want to log a crunch message here. + */ return; } }
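Review bot: In the deny branch, `assert(NULL != csp->http->ocmd);` is the only guard before the request line reaches the `%s` of the LOG_LEVEL_CLF message, and an assert either disappears under NDEBUG or aborts the whole proxy on a path that a remote client's request reaches. A runtime fallback keeps the 403 path non-fatal, for example `const char *req = (csp->http->ocmd != NULL) ? csp->http->ocmd : "-";` followed by logging `req`. The same concern applies to `csp->action->string[ACTION_STRING_LIMIT_CONNECT]`, which both new LOG_LEVEL_INFO calls pass to `%s` unchecked; the condition guarding this block lies outside the hunk, so whether it can be entered with no limit-connect string set cannot be confirmed from here. Because `ocmd` is client-supplied and now lands inside the quoted CLF field, it is also worth confirming that log_error() escapes quotes and control characters, so that a request line cannot forge or split log entries.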