--- /dev/null
+#include <tunables/global>
+
+/usr/sbin/privoxy {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+
+ capability setgid,
+ capability setuid,
+
+ /etc/privoxy/** r,
+ owner /etc/privoxy/match-all.action rw,
+ owner /etc/privoxy/user.action rw,
+ /run/privoxy.pid rw,
+ /usr/share/doc/privoxy/user-manual/** r,
+ /usr/share/doc/privoxy/p_doc.css r,
+ owner /var/lib/privoxy/** rw,
+ owner /var/log/privoxy/logfile rw,
+}
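Review bot: The two `owner ... rw` rules for `/etc/privoxy/match-all.action` and `/etc/privoxy/user.action` let the confined daemon rewrite its own filtering rules, so a compromised proxy process could persist its changes in configuration, and the profile does not say why write access is needed. If it exists for the web-based action editor, a comment above the rules such as `# rw is only needed by the CGI action editor (enable-edit-actions); r is enough when the editor is off` would tell administrators when they can tighten it. The profile also has no execute rules, while debian/rules in this upload builds with `--enable-external-filters`, so external filter commands would presumably be denied under enforcement. Adding `#include <local/usr.sbin.privoxy>` before the closing brace would let administrators grant such site-specific access without editing the shipped profile.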
+privoxy (3.0.29-2) unstable; urgency=medium
+
+ * Use --enable-extended-statistics and --enable-pcre-host-patterns.
+ * 39_show-status: Add new features to show-status page.
+ * Remove 38_SOURCE_DATE_EPOCH, since upstream honors it when set.
+ * Upgrade to Standards-Version 4.5.1 (no changes).
+ * 40_redirect-ssl: Check the actual URL when https inspecting requests.
+ * Add apparmor profile usr.sbin.privoxy.
+
+ -- Roland Rosenfeld <roland@debian.org> Sun, 17 Jan 2021 13:10:33 +0100
+
privoxy (3.0.29-1) unstable; urgency=medium
* New upstream release 3.0.29.
Maintainer: Roland Rosenfeld <roland@debian.org>
Build-Depends: autoconf,
debhelper-compat (= 13),
+ dh-apparmor,
docbook,
docbook-dsssl,
docbook-utils,
sgmlspl,
w3m,
zlib1g-dev
-Standards-Version: 4.5.0
+Standards-Version: 4.5.1
Homepage: https://www.privoxy.org/
Vcs-Git: https://salsa.debian.org/debian/privoxy.git
Vcs-Browser: https://salsa.debian.org/debian/privoxy
${shlibs:Depends}
Pre-Depends: ${misc:Pre-Depends}
Recommends: doc-base
+Suggests: apparmor
Description: Privacy enhancing HTTP Proxy
Privoxy is a web proxy with advanced filtering capabilities for
protecting privacy, filtering web page content, managing cookies,
+etc/apparmor.d
etc/privoxy
etc/privoxy/CA
usr/bin
+++ /dev/null
-From: Roland Rosenfeld <roland@debian.org>
-Date: Fri, 04 Sep 2020 16:30:48 +0200
-Subject: Remove hardcoded SOURCE_DATE_EPOCH from configure.in but use the date
- from debian/changelog.
-Forwarded: not-necessary
-
---- a/configure.in
-+++ b/configure.in
-@@ -81,7 +81,7 @@ CODE_STATUS="stable"
-
- dnl Timestamp (date +%s) used by the mtree-spec target.
- dnl Should be updated before releases but forgetting it isn't critical.
--SOURCE_DATE_EPOCH=1605695571
-+dnl SOURCE_DATE_EPOCH=1605695571
-
- dnl CODE_STATUS can be "alpha", "beta", "stable" or "UNRELEASED",
- dnl and will be used for CGI output. Increment version number and
--- /dev/null
+From: Roland Rosenfeld <roland@debian.org>
+Subject: Add new features to show-status page.
+Date: Sun, 06 Dec 2020 14:14:43 +0100
+Forwarded: https://www.privoxy.org/gitweb/?p=privoxy.git;a=patch;h=d83b7ce5
+
+--- a/templates/show-status
++++ b/templates/show-status
+@@ -299,6 +299,19 @@
+ </td>
+ </tr>
+ <tr>
++ <td><code>FEATURE_DYNAMIC_PCRE</code></td>
++ <td>@if-FEATURE_DYNAMIC_PCRE-then@ Yes @else-not-FEATURE_DYNAMIC_PCRE@ No @endif-FEATURE_DYNAMIC_PCRE@</td>
++ <td>Dynamically link to the PCRE library. This is set automatically
++ by <code>./configure</code> if you do not have libpcre installed.
++ Dynamically linking to an external libpcre is recommended as the one that is distributed
++ with Privoxy itself is outdated and lacks various features and bug-fixes you may be interested in.</td>
++ </tr>
++ <tr>
++ <td><code>FEATURE_EXTENDED_STATISTICS</code></td>
++ <td>@if-FEATURE_EXTENDED_STATISTICS-then@ Yes @else-not-FEATURE_EXTENDED_STATISTICS@ No @endif-FEATURE_EXTENDED_STATISTICS@</td>
++ <td>Gather statistics for block reasons and filter executions.</td>
++ </tr>
++ <tr>
+ <td><code>FEATURE_EXTERNAL_FILTERS</code></td>
+ <td>@if-FEATURE_EXTERNAL_FILTERS-then@ Yes @else-not-FEATURE_EXTERNAL_FILTERS@ No @endif-FEATURE_EXTERNAL_FILTERS@</td>
+ <td>
+@@ -308,14 +321,6 @@
+ </td>
+ </tr>
+ <tr>
+- <td><code>FEATURE_DYNAMIC_PCRE</code></td>
+- <td>@if-FEATURE_DYNAMIC_PCRE-then@ Yes @else-not-FEATURE_DYNAMIC_PCRE@ No @endif-FEATURE_DYNAMIC_PCRE@</td>
+- <td>Dynamically link to the PCRE library. This is set automatically
+- by <code>./configure</code> if you do not have libpcre installed.
+- Dynamically linking to an external libpcre is recommended as the one that is distributed
+- with Privoxy itself is outdated and lacks various features and bug-fixes you may be interested in.</td>
+- </tr>
+- <tr>
+ <td><code>FEATURE_FAST_REDIRECTS</code></td>
+ <td>@if-FEATURE_FAST_REDIRECTS-then@ Yes @else-not-FEATURE_FAST_REDIRECTS@ No @endif-FEATURE_FAST_REDIRECTS@</td>
+ <td>Allows the +fast-redirects action, to bypass redirect and logging scripts.</td>
+@@ -353,6 +358,14 @@
+ </td>
+ </tr>
+ <tr>
++ <td><code>FEATURE_PCRE_HOST_PATTERNS</code></td>
++ <td>@if-FEATURE_PCRE_HOST_PATTERNS-then@ Yes @else-not-FEATURE_PCRE_HOST_PATTERNS@ No @endif-FEATURE_PCRE_HOST_PATTERNS@</td>
++ <td>Allow to use extended host patterns and vanilla host patterns
++ at the same time by prefixing extended host patterns with
++ "PCRE-HOST-PATTERN:".
++ </td>
++ </tr>
++ <tr>
+ <td><code>FEATURE_NO_GIFS</code></td>
+ <td>@if-FEATURE_NO_GIFS-then@ Yes @else-not-FEATURE_NO_GIFS@ No @endif-FEATURE_NO_GIFS@</td>
+ <td>Use PNG instead of GIF for the built-in images.</td>
+--- a/cgisimple.c
++++ b/cgisimple.c
+@@ -2097,6 +2097,22 @@ static jb_err show_defines(struct map *e
+ #else
+ 0,
+ #endif
++ },
++ {
++ "FEATURE_EXTENDED_STATISTICS",
++#ifdef FEATURE_EXTENDED_STATISTICS
++ 1,
++#else
++ 0,
++#endif
++ },
++ {
++ "FEATURE_PCRE_HOST_PATTERNS",
++#ifdef FEATURE_PCRE_HOST_PATTERNS
++ 1,
++#else
++ 0,
++#endif
+ }
+ };
+
--- /dev/null
+Origin: https://www.privoxy.org/gitweb/?p=privoxy.git;h=89da1910
+Author: Fabian Keil <fk@fabiankeil.de>
+Date: Tue Dec 15 19:00:00 2020 +0100
+Bug: https://sourceforge.net/p/ijbswa/support-requests/1736/
+Forwarded: not needed, comes from upstream
+Subject: Check the actual URL when https inspecting requests
+ redirect_url(): Check the actual URL when https inspecting requests
+
+ Previously we would only check the path which resulted
+ in rewrite results being rejected as invalid URLs.
+
+ Before:
+ 19:37:29.494 014 Error: pcrs command "s@/test@/@" changed "/test" to "/" (1 hit), but the result doesn't look like a valid URL and will be ignored.
+
+ After:
+ 19:40:57.857 002 Redirect: pcrs command s@/test@/@ changed https://www.electrobsd.org/test to https://www.electrobsd.org/ (1 hit).
+
+ Reported by withoutname in #1736.
+
+--- a/filters.c
++++ b/filters.c
+@@ -66,6 +66,9 @@
+ #ifdef FEATURE_CLIENT_TAGS
+ #include "client-tags.h"
+ #endif
++#ifdef FEATURE_HTTPS_INSPECTION
++#include "ssl.h"
++#endif
+
+ #ifdef _WIN32
+ #include "win32.h"
+@@ -1220,8 +1223,33 @@ struct http_response *redirect_url(struc
+
+ if (*redirection_string == 's')
+ {
+- old_url = csp->http->url;
++#ifdef FEATURE_HTTPS_INSPECTION
++ if (client_use_ssl(csp))
++ {
++ jb_err err;
++
++ old_url = strdup_or_die("https://");
++ err = string_append(&old_url, csp->http->hostport);
++ if (!err) err = string_append(&old_url, csp->http->path);
++ if (err)
++ {
++ log_error(LOG_LEVEL_FATAL,
++ "Failed to rebuild URL 'https://%s%s'",
++ csp->http->hostport, csp->http->path);
++ }
++ }
++ else
++#endif
++ {
++ old_url = csp->http->url;
++ }
+ new_url = rewrite_url(old_url, redirection_string);
++#ifdef FEATURE_HTTPS_INSPECTION
++ if (client_use_ssl(csp))
++ {
++ freez(old_url);
++ }
++#endif
+ }
+ else
+ {
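Review bot: Ownership of `old_url` in the `'s'` branch is decided by calling `client_use_ssl(csp)` a second time after `rewrite_url()`, so the `freez(old_url)` is only correct while both calls return the same value. If they ever differed, the code would either leak the rebuilt string or free the borrowed `csp->http->url`. Recording ownership where the string is allocated is more robust: declare `int old_url_allocated = 0;`, set it to 1 next to `strdup_or_die("https://")`, and release with `if (old_url_allocated) freez(old_url);`. The error path also appears to rely on `log_error(LOG_LEVEL_FATAL, ...)` not returning, since a failed `string_append()` would presumably leave `old_url` unusable for `rewrite_url()`; a short comment after the call, e.g. `/* Not reached: LOG_LEVEL_FATAL terminates */`, would make that explicit. `redirect_url()` starts before this hunk and continues after it.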
33_manpage_hyphen.patch
34_system-docbook2man.patch
35_man-spelling.patch
-38_SOURCE_DATE_EPOCH.patch
+39_show-status.patch
+40_redirect-ssl.patch
#!/usr/bin/make -f
#
-# (c) 2002-2020 Roland Rosenfeld <roland@debian.org>
+# (c) 2002-2021 Roland Rosenfeld <roland@debian.org>
#
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
--enable-zlib \
--enable-no-gifs \
--enable-external-filters \
+ --enable-extended-statistics \
+ --enable-pcre-host-patterns \
--with-mbedtls \
--with-brotli \
--with-docbook=/usr/share/sgml/docbook/stylesheet/dsssl/modular
mv -f $$f.new $$f; \
done
+override_dh_install:
+ dh_install
+ install -m0644 debian/apparmor/usr.sbin.privoxy \
+ $(DEBDIR)/etc/apparmor.d/
+ dh_apparmor --profile-name=usr.sbin.privoxy
+
override_dh_installdocs:
dh_installdocs
(cd $(DEBDIR)/usr/share/doc/privoxy/; \