Merge Debian version 3.0.29-2
authorRoland Rosenfeld <roland@debian.org>
Sun, 17 Jan 2021 12:31:42 +0000 (13:31 +0100)
committerRoland Rosenfeld <roland@debian.org>
Sun, 17 Jan 2021 12:31:42 +0000 (13:31 +0100)
debian/apparmor/usr.sbin.privoxy [new file with mode: 0644]
debian/changelog
debian/control
debian/dirs
debian/patches/38_SOURCE_DATE_EPOCH.patch [deleted file]
debian/patches/39_show-status.patch [new file with mode: 0644]
debian/patches/40_redirect-ssl.patch [new file with mode: 0644]
debian/patches/series
debian/rules

diff --git a/debian/apparmor/usr.sbin.privoxy b/debian/apparmor/usr.sbin.privoxy
new file mode 100644 (file)
index 0000000..2386db6
--- /dev/null
@@ -0,0 +1,18 @@
+#include <tunables/global>
+
+/usr/sbin/privoxy {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability setgid,
+  capability setuid,
+
+  /etc/privoxy/** r,
+  owner /etc/privoxy/match-all.action rw,
+  owner /etc/privoxy/user.action rw,
+  /run/privoxy.pid rw,
+  /usr/share/doc/privoxy/user-manual/** r,
+  /usr/share/doc/privoxy/p_doc.css r,
+  owner /var/lib/privoxy/** rw,
+  owner /var/log/privoxy/logfile rw,
+}
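Review bot: The profile has no `#include <local/usr.sbin.privoxy>` line before its closing brace, although debian/rules in this same commit runs `dh_apparmor --profile-name=usr.sbin.privoxy`, which sets up that local override file at install time. Without the include, a site cannot extend the confinement except by editing the shipped conffile. This matters here because the build also passes `--enable-external-filters` and the profile contains no exec rules, so any configured external filter program would presumably be denied once the profile is enforced. I would add `  #include <local/usr.sbin.privoxy>` as the last line inside the block, plus a comment saying that external filters need a narrowly scoped, site-specific exec rule there.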
index 07cf123..b5a59f6 100644 (file)
@@ -1,3 +1,14 @@
+privoxy (3.0.29-2) unstable; urgency=medium
+
+  * Use --enable-extended-statistics and --enable-pcre-host-patterns.
+  * 39_show-status: Add new features to show-status page.
+  * Remove 38_SOURCE_DATE_EPOCH, since upstream honors it when set.
+  * Upgrade to Standards-Version 4.5.1 (no changes).
+  * 40_redirect-ssl: Check the actual URL when https inspecting requests.
+  * Add apparmor profile usr.sbin.privoxy.
+
+ -- Roland Rosenfeld <roland@debian.org>  Sun, 17 Jan 2021 13:10:33 +0100
+
 privoxy (3.0.29-1) unstable; urgency=medium
 
   * New upstream release 3.0.29.
index 7ce5356..754124d 100644 (file)
@@ -4,6 +4,7 @@ Priority: optional
 Maintainer: Roland Rosenfeld <roland@debian.org>
 Build-Depends: autoconf,
                debhelper-compat (= 13),
+               dh-apparmor,
                docbook,
                docbook-dsssl,
                docbook-utils,
@@ -17,7 +18,7 @@ Build-Depends: autoconf,
                sgmlspl,
                w3m,
                zlib1g-dev
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
 Homepage: https://www.privoxy.org/
 Vcs-Git: https://salsa.debian.org/debian/privoxy.git
 Vcs-Browser: https://salsa.debian.org/debian/privoxy
@@ -35,6 +36,7 @@ Depends: adduser,
          ${shlibs:Depends}
 Pre-Depends: ${misc:Pre-Depends}
 Recommends: doc-base
+Suggests: apparmor
 Description: Privacy enhancing HTTP Proxy
  Privoxy is a web proxy with advanced filtering capabilities for
  protecting privacy, filtering web page content, managing cookies,
index 47d3b87..9e33ee0 100644 (file)
@@ -1,3 +1,4 @@
+etc/apparmor.d
 etc/privoxy
 etc/privoxy/CA
 usr/bin
diff --git a/debian/patches/38_SOURCE_DATE_EPOCH.patch b/debian/patches/38_SOURCE_DATE_EPOCH.patch
deleted file mode 100644 (file)
index 27b528e..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-From: Roland Rosenfeld <roland@debian.org>
-Date: Fri, 04 Sep 2020 16:30:48 +0200
-Subject: Remove hardcoded SOURCE_DATE_EPOCH from configure.in but use the date
- from debian/changelog.
-Forwarded: not-necessary
-
---- a/configure.in
-+++ b/configure.in
-@@ -81,7 +81,7 @@ CODE_STATUS="stable"
- dnl Timestamp (date +%s) used by the mtree-spec target.
- dnl Should be updated before releases but forgetting it isn't critical.
--SOURCE_DATE_EPOCH=1605695571
-+dnl SOURCE_DATE_EPOCH=1605695571
- dnl CODE_STATUS can be "alpha", "beta", "stable" or "UNRELEASED",
- dnl and will be used for CGI output. Increment version number and
diff --git a/debian/patches/39_show-status.patch b/debian/patches/39_show-status.patch
new file mode 100644 (file)
index 0000000..13c74e7
--- /dev/null
@@ -0,0 +1,82 @@
+From: Roland Rosenfeld <roland@debian.org>
+Subject: Add new features to show-status page.
+Date: Sun, 06 Dec 2020 14:14:43 +0100
+Forwarded: https://www.privoxy.org/gitweb/?p=privoxy.git;a=patch;h=d83b7ce5
+
+--- a/templates/show-status
++++ b/templates/show-status
+@@ -299,6 +299,19 @@
+               </td>
+             </tr>
+             <tr>
++              <td><code>FEATURE_DYNAMIC_PCRE</code></td>
++              <td>@if-FEATURE_DYNAMIC_PCRE-then@ Yes @else-not-FEATURE_DYNAMIC_PCRE@ No @endif-FEATURE_DYNAMIC_PCRE@</td>
++              <td>Dynamically link to the PCRE library. This is set automatically
++               by <code>./configure</code> if you do not have libpcre installed.
++               Dynamically linking to an external libpcre is recommended as the one that is distributed
++               with Privoxy itself is outdated and lacks various features and bug-fixes you may be interested in.</td>
++            </tr>
++            <tr>
++              <td><code>FEATURE_EXTENDED_STATISTICS</code></td>
++              <td>@if-FEATURE_EXTENDED_STATISTICS-then@ Yes @else-not-FEATURE_EXTENDED_STATISTICS@ No @endif-FEATURE_EXTENDED_STATISTICS@</td>
++              <td>Gather statistics for block reasons and filter executions.</td>
++            </tr>
++            <tr>
+               <td><code>FEATURE_EXTERNAL_FILTERS</code></td>
+               <td>@if-FEATURE_EXTERNAL_FILTERS-then@ Yes @else-not-FEATURE_EXTERNAL_FILTERS@ No @endif-FEATURE_EXTERNAL_FILTERS@</td>
+               <td>
+@@ -308,14 +321,6 @@
+               </td>
+             </tr>
+             <tr>
+-              <td><code>FEATURE_DYNAMIC_PCRE</code></td>
+-              <td>@if-FEATURE_DYNAMIC_PCRE-then@ Yes @else-not-FEATURE_DYNAMIC_PCRE@ No @endif-FEATURE_DYNAMIC_PCRE@</td>
+-              <td>Dynamically link to the PCRE library. This is set automatically
+-               by <code>./configure</code> if you do not have libpcre installed.
+-               Dynamically linking to an external libpcre is recommended as the one that is distributed
+-               with Privoxy itself is outdated and lacks various features and bug-fixes you may be interested in.</td>
+-            </tr>
+-            <tr>
+               <td><code>FEATURE_FAST_REDIRECTS</code></td>
+               <td>@if-FEATURE_FAST_REDIRECTS-then@ Yes @else-not-FEATURE_FAST_REDIRECTS@ No @endif-FEATURE_FAST_REDIRECTS@</td>
+               <td>Allows the +fast-redirects action, to bypass redirect and logging scripts.</td>
+@@ -353,6 +358,14 @@
+               </td>
+             </tr>
+             <tr>
++              <td><code>FEATURE_PCRE_HOST_PATTERNS</code></td>
++              <td>@if-FEATURE_PCRE_HOST_PATTERNS-then@ Yes @else-not-FEATURE_PCRE_HOST_PATTERNS@ No @endif-FEATURE_PCRE_HOST_PATTERNS@</td>
++              <td>Allow to use extended host patterns and vanilla host patterns
++               at the same time by prefixing extended host patterns with
++               "PCRE-HOST-PATTERN:".
++              </td>
++            </tr>
++            <tr>
+               <td><code>FEATURE_NO_GIFS</code></td>
+               <td>@if-FEATURE_NO_GIFS-then@ Yes @else-not-FEATURE_NO_GIFS@ No @endif-FEATURE_NO_GIFS@</td>
+               <td>Use PNG instead of GIF for the built-in images.</td>
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -2097,6 +2097,22 @@ static jb_err show_defines(struct map *e
+ #else
+          0,
+ #endif
++      },
++      {
++         "FEATURE_EXTENDED_STATISTICS",
++#ifdef FEATURE_EXTENDED_STATISTICS
++         1,
++#else
++         0,
++#endif
++      },
++      {
++         "FEATURE_PCRE_HOST_PATTERNS",
++#ifdef FEATURE_PCRE_HOST_PATTERNS
++         1,
++#else
++         0,
++#endif
+       }
+    };
diff --git a/debian/patches/40_redirect-ssl.patch b/debian/patches/40_redirect-ssl.patch
new file mode 100644 (file)
index 0000000..1b1768b
--- /dev/null
@@ -0,0 +1,66 @@
+Origin: https://www.privoxy.org/gitweb/?p=privoxy.git;h=89da1910
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Tue Dec 15 19:00:00 2020 +0100
+Bug: https://sourceforge.net/p/ijbswa/support-requests/1736/
+Forwarded: not needed, comes from upstream
+Subject: Check the actual URL when https inspecting requests
+    redirect_url(): Check the actual URL when https inspecting requests
+    
+    Previously we would only check the path which resulted
+    in rewrite results being rejected as invalid URLs.
+    
+    Before:
+    19:37:29.494 014 Error: pcrs command "s@/test@/@" changed "/test" to "/" (1 hit), but the result doesn't look like a valid URL and will be ignored.
+    
+    After:
+    19:40:57.857 002 Redirect: pcrs command s@/test@/@ changed https://www.electrobsd.org/test to https://www.electrobsd.org/ (1 hit).
+    
+    Reported by withoutname in #1736.
+
+--- a/filters.c
++++ b/filters.c
+@@ -66,6 +66,9 @@
+ #ifdef FEATURE_CLIENT_TAGS
+ #include "client-tags.h"
+ #endif
++#ifdef FEATURE_HTTPS_INSPECTION
++#include "ssl.h"
++#endif
+ #ifdef _WIN32
+ #include "win32.h"
+@@ -1220,8 +1223,33 @@ struct http_response *redirect_url(struc
+       if (*redirection_string == 's')
+       {
+-         old_url = csp->http->url;
++#ifdef FEATURE_HTTPS_INSPECTION
++         if (client_use_ssl(csp))
++         {
++            jb_err err;
++
++            old_url = strdup_or_die("https://");
++            err = string_append(&old_url, csp->http->hostport);
++            if (!err) err = string_append(&old_url, csp->http->path);
++            if (err)
++            {
++               log_error(LOG_LEVEL_FATAL,
++                  "Failed to rebuild URL 'https://%s%s'",
++                  csp->http->hostport, csp->http->path);
++            }
++         }
++         else
++#endif
++         {
++            old_url = csp->http->url;
++         }
+          new_url = rewrite_url(old_url, redirection_string);
++#ifdef FEATURE_HTTPS_INSPECTION
++         if (client_use_ssl(csp))
++         {
++            freez(old_url);
++         }
++#endif
+       }
+       else
+       {
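Review bot: Ownership of `old_url` is decided by calling `client_use_ssl(csp)` a second time after `rewrite_url()`, so `freez(old_url)` is only correct while both calls agree. If they ever disagreed, the code would either leak the rebuilt string or free `csp->http->url`, which the connection still owns. A local flag set in the https branch, e.g. `int old_url_is_dynamic = 0;` with `if (old_url_is_dynamic) freez(old_url);` after the rewrite, ties the free to the allocation and removes the second `#ifdef` condition. The rest of redirect_url() lies outside the hunk; if it later compares `new_url` with `csp->http->url` (for instance to reject a redirect to the same URL), that comparison probably needs the rebuilt https URL for inspected requests as well, which is worth confirming.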
index 7bcaa7d..cc721f9 100644 (file)
@@ -7,4 +7,5 @@
 33_manpage_hyphen.patch
 34_system-docbook2man.patch
 35_man-spelling.patch
-38_SOURCE_DATE_EPOCH.patch
+39_show-status.patch
+40_redirect-ssl.patch
index aac8cdf..e7745b0 100755 (executable)
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 #
-# (c) 2002-2020 Roland Rosenfeld <roland@debian.org>
+# (c) 2002-2021 Roland Rosenfeld <roland@debian.org>
 #
 # Uncomment this to turn on verbose mode.
 #export DH_VERBOSE=1
@@ -23,6 +23,8 @@ override_dh_auto_configure:
                --enable-zlib \
                --enable-no-gifs \
                --enable-external-filters \
+               --enable-extended-statistics \
+               --enable-pcre-host-patterns \
                --with-mbedtls \
                --with-brotli \
                --with-docbook=/usr/share/sgml/docbook/stylesheet/dsssl/modular
@@ -86,6 +88,12 @@ override_dh_auto_install:
            mv -f $$f.new $$f; \
        done
 
+override_dh_install:
+       dh_install
+       install -m0644 debian/apparmor/usr.sbin.privoxy \
+               $(DEBDIR)/etc/apparmor.d/
+       dh_apparmor --profile-name=usr.sbin.privoxy
+
 override_dh_installdocs:
        dh_installdocs
        (cd $(DEBDIR)/usr/share/doc/privoxy/; \