Announcing Privoxy 4.0.0 stable -------------------------------------------------------------------- Privoxy 4.0.0 fixes a few minor bugs and comes with a couple of general improvements and new features. HTTPS inspection is no longer considered experimental. Two new features have been funded by donations. If you can, please consider making a donation to support future improvements. -------------------------------------------------------------------- ChangeLog for Privoxy 4.0.0 -------------------------------------------------------------------- - Bug fixes: - Add missing client-body-tagger data to the action_type_info[] struct so lookups based on the action index work correctly again. Prevents assertion failures or segfaults when trying to edit an action file with the CGI editor. The type of failure depended on whether or not assertions were enabled and on whether or not Privoxy had been compiled with FEATURE_EXTERNAL_FILTERS. Regression introduced in Privoxy 3.0.34. Patch submitted by Aaron Li in #940. - Bump MAX_FILTER_TYPES which should have been done in d128e6aa4 when introducing the client-body-tagger{} action. Prevents an assertion in cgi_edit_actions_for_url() from triggering after e32d03e0 when using the CGI editor with assertions enabled. - is_untrusted_url(): Search the encrypted headers for the Referer when the client is using https and https inspection is enabled. Fixes the trust mechanism for https requests. Reported by Laurent Caumont in #1767. - GNUMakefile.in: Let the install target work if no group is specified. - GNUMakefile.in: Set GROUP_T when installing configuration files as root and there is no privoxy user available so the install target doesn't fail. Patch by Fabrice Fontaine. - GNUmakefile.in: Don't exit if configuration files are installed as root as this can be considered acceptable when cross-compiling Privoxy inside an autobuilder with only a root user. Patch by Fabrice Fontaine. - configure.in: Fix argument types in gmtime_r() and localtime_r() probes. Otherwise these probes always fail with stricter compilers even if there is C library support for these functions. Patch submitted by Florian Weimer in SF#149. - Fix socks4 and socks4a support under glibc's source fortification. With glibc's source fortification, gcc offers the compilation warning resulting in a runtime abort() when using a socks4 or socks4a upstream proxy. Despite the warning, the strlcpy() call in question is fine: gcc misidentifies the size of the destination buffer, estimating to hold only a single char while in fact the buffer stretches beyond the end of the struct socks_op. The issue was originally reported in the NixOS issue tracker at https://github.com/NixOS/nixpkgs/issues/265654 prompted by an upgrade of glibc from 2.37-39 to 2.38-0. Patch submitted by Ingo Blechschmid, joint work with @esclear and @richi235. - General improvements: - Allow to use wolfSSL for https inspection. wolfSSL supports TLS 1.3 and can be significantly faster than mbedTLS. Mainly tested on ElectroBSD amd64 where it can compete with OpenSSL and LibreSSL: https://www.fabiankeil.de/gehacktes/privoxy-tls-benchmarks/ To enable the support, install wolfSSL and run ./configure with the --with-wolfssl option. Sponsored by Privoxy project funds collected at SPI. - Add an test framework that leverages the curl test suite. Sponsored by Privoxy project funds collected at SPI. - Add pcre2 support. Closes bug #935. Initial patch submitted by Gagan Sidhu. - Use SHA256 as hash algorithm for the certificate and key file names instead of MD5. The known MD5 vulnerabilities shouldn't matter for Privoxy's use case but it doesn't hurt to use a hash algorithm that isn't deprecated. Sponsored by: Robert Klemme - Add support for mbedTLS 3.x. This removes a sanity check (whether issuer key and issuer certificate match) that seems overly cautious and fails to compile with mbedTLS 3.x as the struct members are private. We don't have an equivalent check in the OpenSSL or wolfSSL code either. - Factor out newer_privoxy_version_required() and improve the logic Previously 3.0.11 was considered newer than 4.0.0. - init_error_log(): Include the reason for failures to open the log file. - create_client_ssl_connection(): Don't keep the certificate lock longer than necessary. - Add periods to a bunch of log messages. - normalize_lws(): Only log the 'Reducing whitespace ...' message once per header - log_error() Win32: Only call LogShowActivity() for debug level LOG_LEVEL_REQUEST. As of b94bbe62a950, which was part of Privoxy 3.0.29, LOG_LEVEL_REQUEST is used for all requests including crunched ones. Previously LogShowActivity() was called twice for crunched requests, (presumably) resulting in an aborted animation. - Remove ./ prefix from tarball-dist files. - create_client_ssl_connection(): Make it more obvious from an error message that a function failed. - Use stringify() instead of section_target() and remove section_target(). Like the XXX comment suggested this could be done my moving the hash into the templates which seems preferable anyway. - Prevent some compiler warnings. - parse_numeric_value(): Expect a base-ten number. - windows/MYconfigure: Have gcc diagnostics in color. - Action file improvements: - Block requests to .amazon-adsystem.com/ - Block requests to 0.css-load.com/ - Block requests to html-load.com/ and 1.html-load.com/ - Block requests to b.6sc.co/ - Block requests to i.clean.gg/ - Block requests to s.cpx.to/ - Block requests to track.venatusmedia.com/ - Block requests to secure-eu.nmrodam.com/ - Block requests to o2.mouseflow.com/ - Disable fast-redirects for services.akteneinsichtsportal.de/ - Disable fast-redirects for /wp-content/plugins/pdf-viewer-for-elementor - Disable fast-redirects for syndication.twitter.com/ - Disable fast-redirects for archive.softwareheritage.org/ - Disable fast-redirects to duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ - Disable fast-redirects for .creator-spring.com/_next/image - Disable fast redirects for accounts.bahn.de/ - Unblock .datenschmutz.de/ - Unblock requests for 'adventur*.' - Unblock adl.windows.com/ as it is apparently required to update from Windows 10 to 11. Reported by Sam Varshavchik. - Privoxy-Log-Parser: - Highlight 'Couldn't deliver the error message for [...]'. - Highlight 'Failed to accept() incoming connection: Software caused connection abort'. - Highlight 'Keeping chunk offset at 0 despite flushing 31 bytes.'. - Highlight 'Not shutting down client connection on socket 8. The socket is no longer alive.'. - Bump version to 0.9.6. - Privoxy-Regression-Test.pl: - Let the --min-level option increase the --max-level if the latter is smaller than the former. - Add --curl option to use a non-default curl binary. - Bump version to 0.7.5. - uagen: - Bump BROWSER_VERSION and BROWSER_REVISION to match Firefox ESR 128. - Bump version to 1.2.6. - Documentation: - Add HOWTOs for https inspection and client-tags to user-manual. - Suggest to use the force-text-mode action when filtering binary content with external filters. - Declare https-inspection non-experimental. - FAQ: Mention that Privoxy Moral Licenses are available as well. - Fix LibreSSL URL. - Update perlre perldoc URL. - config: Add SOCKS 5 to the list of supported protocols. - In the Windows build section, note that one only needs tidy to build the docs. If you're not building the docbook stuff you don't need tidy. - trust: Use the words 'allowlists' and 'blocklists' instead of "whitelists" and "blacklists" which some people consider to be less inclusive. ----------------------------------------------------------------- About Privoxy: ----------------------------------------------------------------- Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks. Privoxy is Free Software and licensed under the GNU GPLv2 or later. Our TODO list is rather long. Helping hands and donations are welcome: * https://www.privoxy.org/participate * https://www.privoxy.org/donate At present, Privoxy is known to run on Windows 95 and later versions (98, ME, 2000, XP, Vista, Windows 7, Windows 10 etc.), GNU/Linux (RedHat, SuSE, Debian, Fedora, Gentoo, Slackware and others), Mac OS X (10.4 and upwards on PPC and Intel processors), Haiku, DragonFly, ElectroBSD, FreeBSD, NetBSD, OpenBSD, Solaris, and various other flavors of Unix. In addition to the core features of ad blocking and cookie management, Privoxy provides many supplemental features, that give the end-user more control, more privacy and more freedom: * Supports "Connection: keep-alive". Outgoing connections can be kept alive independently from the client. Currently not available on all platforms. * Supports IPv6, provided the operating system does so too, and the configure script detects it. * Supports tagging which allows to change the behaviour based on client and server headers. * Supports https inspection which allows to filter https requests. * Can be run as an "intercepting" proxy, which obviates the need to configure browsers individually. * Sophisticated actions and filters for manipulating both server and client headers. * Can be chained with other proxies. * Integrated browser based configuration and control utility at http://config.privoxy.org/ (shortcut: http://p.p/). Browser-based tracing of rule and filter effects. Remote toggling. * Web page filtering (text replacements, removes banners based on size, invisible "web-bugs" and HTML annoyances, etc.) * Modularized configuration that allows for standard settings and user settings to reside in separate files, so that installing updated actions files won't overwrite individual user settings. * Support for Perl Compatible Regular Expressions in the configuration files, and a more sophisticated and flexible configuration syntax. * GIF de-animation. * Bypass many click-tracking scripts (avoids script redirection). * User-customizable HTML templates for most proxy-generated pages (e.g. "blocked" page). * Auto-detection and re-reading of config file changes. * Most features are controllable on a per-site or per-location basis. Home Page: https://www.privoxy.org/ - Privoxy Developers