1 Announcing Privoxy v.3.0.19 stable
2 --------------------------------------------------------------------
4 This is a bug-fix release for the previously released
5 Privoxy 3.0.18. One of the fixes addresses a security issue.
7 --------------------------------------------------------------------
9 --------------------------------------------------------------------
10 *** Version 3.0.19 Stable ***
13 - Prevent a segmentation fault when de-chunking buffered content.
14 It could be triggered by malicious web servers if Privoxy was
15 configured to filter the content and running on a platform
16 where SIZE_T_MAX isn't larger than UINT_MAX, which probably
17 includes most 32-bit systems. On those platforms, all Privoxy
18 versions before 3.0.19 appear to be affected.
19 To be on the safe side, this bug should be presumed to allow
20 code execution as proving that it doesn't seems unrealistic.
21 - Do not expect a response from the SOCKS4/4A server until it
22 got something to respond to. This regression was introduced
23 in 3.0.18 and prevented the SOCKS4/4A negotiation from working.
24 Reported by qqqqqw in #3459781.
26 - General improvements:
27 - Fix an off-by-one in an error message about connect failures.
28 - Use a GNUMakefile variable for the webserver root directory and
29 update the path. Sourceforge changed it which broke various
31 - Update the CODE_STATUS description.
33 *** Version 3.0.18 stable ***
36 - If a generated redirect URL contains characters RFC 3986 doesn't
37 permit, they are (re)encoded. Not doing this makes Privoxy versions
38 from 3.0.5 to 3.0.17 susceptible to HTTP response splitting (CWE-113)
39 attacks if the +fast-redirects{check-decoded-url} action is used.
40 - Fix a logic bug that could cause Privoxy to reuse a server
41 socket after it got tainted by a server-header-tagger-induced
42 block that was triggered before the whole server response had
43 been read. If keep-alive was enabled and the request following
44 the blocked one was to the same host and using the same forwarding
45 settings, Privoxy would send it on the tainted server socket.
46 While the server would simply treat it as a pipelined request,
47 Privoxy would later on fail to properly parse the server's
48 response as it would try to parse the unread data from the
49 first response as server headers for the second one.
50 Regression introduced in 3.0.17.
51 - When implying keep-alive in client_connection(), remember that
52 the client didn't. Fixes a regression introduced in 3.0.13 that
53 would cause Privoxy to wait for additional client requests after
54 receiving a HTTP/1.1 request with "Connection: close" set
55 and connection sharing enabled.
56 With clients which terminates the client connection after detecting
57 that the whole body has been received it doesn't really matter,
58 but with clients that don't the connection would be kept open until
60 - Fix a subtle race condition between prepare_csp_for_next_request()
61 and sweep(). A thread preparing itself for the next client request
62 could briefly appear to be inactive.
63 If all other threads were already using more recent files,
64 the thread could get its files swept away under its feet.
65 So far this has only been reproduced while stress testing in
66 valgrind while touching action files in a loop. It's unlikely
67 to have caused any actual problems in the real world.
68 - Disable filters if SDCH compression is used unless filtering is forced.
69 If SDCH was combined with a supported compression algorithm, Privoxy
70 previously could try to decompress it and ditch the Content-Encoding
71 header even though the SDCH compression wasn't dealt with.
72 Reported by zebul666 in #3225863.
73 - Make a copy of the --user value and only mess with that when splitting
74 user and group. On some operating systems modifying the value directly
75 is reflected in the output of ps and friends and can be misleading.
76 Reported by zepard in #3292710.
77 - If forwarded-connect-retries is set, only retry if Privoxy is actually
78 forwarding the request. Previously direct connections would be retried
80 - Fixed a small memory leak when retrying connections with IPv6
82 - Remove an incorrect assertion in compile_dynamic_pcrs_job_list()
83 It could be triggered by a pcrs job with an invalid pcre
84 pattern (for example one that contains a lone quantifier).
85 - If the --user argument user[.group] contains a dot, always bail out
86 if no group has been specified. Previously the intended, but undocumented
87 (and apparently untested), behaviour was to try interpreting the whole
88 argument as user name, but the detection was flawed and checked for '0'
89 instead of '\0', thus merely preventing group names beginning with a zero.
90 - In html_code_map[], use a numeric character reference instead of '
91 which wasn't standardized before XHTML 1.0.
92 - Fix an invalid free when compiled with FEATURE_GRACEFUL_TERMINATION
93 and shut down through http://config.privoxy.org/die
94 - In get_actions(), fix the "temporary" backwards compatibility hack
95 to accept block actions without reason.
96 It also covered other actions that should be rejected as invalid.
97 Reported by Billy Crook.
99 - General improvements:
100 - Privoxy can (re)compress buffered content before delivering
101 it to the client. Disabled by default as most users wouldn't
103 - The +fast-redirects{check-decoded-url} action checks URL
104 segments separately. If there are other parameters behind
105 the redirect URL, this makes it unnecessary to cut them off
106 by additionally using a +redirect{} pcrs command.
107 Initial patch submitted by Jamie Zawinski in #3429848.
108 - When loading action sections, verify that the referenced filters
109 exist. Currently missing filters only result in an error message,
110 but eventually the severity will be upgraded to fatal.
111 - Allow to bind to multiple separate addresses.
112 Patch set submitted by Petr Pisar in #3354485.
113 - Set socket_error to errno if connecting fails in rfc2553_connect_to().
114 Previously rejected direct connections could be incorrectly reported
115 as DNS issues if Privoxy was compiled with IPv6 support.
116 - Adjust url_code_map[] so spaces are replaced with %20 instead of '+'
117 While '+' can be used by client's submitting form data, this is not
118 actually what Privoxy is using the lookups for. This is more of a
119 cosmetic issue and doesn't fix any known problems.
120 - When compiled without FEATURE_FAST_REDIRECTS, do not silently
121 ignore +fast-redirect{} directives
122 - Added a workaround for GNU libc's strptime() reporting negative
123 year values when the parsed year is only specified with two digits.
124 On affected systems cookies with such a date would not be turned
125 into session cookies by the +session-cookies-only action.
126 Reported by Vaeinoe in #3403560
127 - Fixed bind failures with certain GNU libc versions if no non-loopback
128 IP address has been configured on the system. This is mainly an issue
129 if the system is using DHCP and Privoxy is started before the network
130 is completely configured.
131 Reported by Raphael Marichez in #3349356.
132 Additional insight from Petr Pisar.
133 - Privoxy log messages now use the ISO 8601 date format %Y-%m-%d.
134 It's only slightly longer than the old format, but contains
135 the full date including the year and allows sorting by date
136 (when grepping in multiple log files) without hassle.
137 - In get_last_url(), do not bother trying to decode URLs that do
138 not contain at least one '%' sign. It reduces the log noise and
139 a number of unnecessary memory allocations.
140 - In case of SOCKS5 failures, dump the socks response in the log message.
141 - Simplify the signal setup in main().
142 - Streamline socks5_connect() slightly.
143 - In socks5_connect(), require a complete socks response from the server.
144 Previously Privoxy didn't care how much data the server response
145 contained as long as the first two bytes contained the expected
146 values. While at it, shrink the buffer size so Privoxy can't read
147 more than a whole socks response.
148 - In chat(), do not bother to generate a client request in case of
149 direct CONNECT requests. It will not be used anyway.
150 - Reduce server_last_modified()'s stack size.
151 - Shorten get_http_time() by using strftime().
152 - Constify the known_http_methods pointers in unknown_method().
153 - Constify the time_formats pointers in parse_header_time().
154 - Constify the formerly_valid_actions pointers in action_used_to_be_valid().
155 - Introduce a GNUMakefile MAN_PAGE variable that defaults to privoxy.1.
156 The Debian package uses section 8 for the man page and this
157 should simplify the patch.
158 - Deduplicate the INADDR_NONE definition for Solaris by moving it to jbsockets.h
159 - In block_url(), ditch the obsolete workaround for ancient Netscape versions
160 that supposedly couldn't properly deal with status code 403.
161 - Remove a useless NULL pointer check in load_trustfile().
162 - Remove two useless NULL pointer checks in load_one_re_filterfile().
163 - Change url_code_map[] from an array of pointers to an array of arrays
164 It removes an unnecessary layer of indirection and on 64bit system reduces
165 the size of the binary a bit.
166 - Fix various typos. Fixes taken from Debian's 29_typos.dpatch by Roland Rosenfeld.
167 - Add a dok-tidy GNUMakefile target to clean up the messy HTML
168 generated by the other dok targets.
169 - GNUisms in the GNUMakefile have been removed.
170 - Change the HTTP version in static responses to 1.1
171 - Synced config.sub and config.guess with upstream
172 2011-11-11/386c7218162c145f5f9e1ff7f558a3fbb66c37c5.
173 - Add a dedicated function to parse the values of toggles. Reduces duplicated
174 code in load_config() and provides better error handling. Invalid or missing
175 toggle values are now a fatal error instead of being silently ignored.
176 - Terminate HTML lines in static error messages with \n instead of \r\n.
177 - Simplify cgi_error_unknown() a bit.
178 - In LogPutString(), don't bother looking at pszText when not
179 actually logging anything.
180 - Change ssplit()'s fourth parameter from int to size_t.
181 Fixes a clang complaint.
182 - Add a warning that the statistics currently can't be trusted.
183 Mention Privoxy-Log-Parser's --statistics option as
184 an alternative for the time being.
185 - In rfc2553_connect_to(), start setting cgi->error_message on error.
186 - Change the expected status code returned for http://p.p/die depending
187 on whether or not FEATURE_GRACEFUL_TERMINATION is available.
188 - In cgi_die(), mark the client connection for closing.
189 If the client will fetch the style sheet through another connection
190 it gets the main thread out of the accept() state and should thus
191 trigger the actual shutdown.
192 - Add a proper CGI message for cgi_die().
193 - Don't enforce a logical line length limit in read_config_line().
194 - Slightly refactor server_last_modified() to remove useless gmtime*() calls.
195 - In get_content_type(), also recognize '.jpeg' as JPEG extension.
196 - Add '.png' to the list of recognized file extensions in get_content_type().
197 - In block_url(), consistently use the block reason "Request blocked by Privoxy"
198 In two places the reason was "Request for blocked URL" which hides the
199 fact that the request got blocked by Privoxy and isn't necessarily
200 correct as the block may be due to tags.
201 - In listen_loop(), reload the configuration files after accepting
202 a new connection instead of before.
203 Previously the first connection that arrived after a configuration
204 change would still be handled with the old configuration.
205 - In chat()'s receive-data loop, skip a client socket check if
206 the socket will be written to right away anyway. This can
207 increase the transfer speed for unfiltered content on fast
209 - The socket timeout is used for SOCKS negotiations as well which
210 previously couldn't timeout.
211 - Don't keep the client connection alive if any configuration file
212 changed since the time the connection came in. This is closer to
213 Privoxy's behaviour before keep-alive support for client connection
214 has been added and also less confusing in general.
215 - Treat all Content-Type header values containing the pattern
216 'script' as a sign of text. Reported by pribog in #3134970.
218 - Action file improvements:
219 - Moved the site-specific block pattern section below the one for the
220 generic patterns so for requests that are matched in both, the block
221 reason for the domain is shown which is usually more useful than showing
222 the one for the generic pattern.
223 - Remove -prevent-compression from the fragile alias. It's no longer
224 used anywhere by default and isn't known to break stuff anyway.
225 - Add a (disabled) section to block various Facebook tracking URLs.
226 Reported by Dan Stahlke in #3421764.
227 - Add a (disabled) section to rewrite and redirect click-tracking
228 URLs used on news.google.com.
229 Reported by Dan Stahlke in #3421755.
230 - Unblock linuxcounter.net/.
231 Reported by Dan Stahlke in #3422612.
232 - Block 'www91.intel.com/' which is used by Omniture.
233 Reported by Adam Piggott in #3167370.
234 - Disable the handle-as-empty-doc-returns-ok option and mark it as deprecated.
235 Reminded by tceverling in #2790091.
236 - Add ".ivwbox.de/" to the "Cross-site user tracking" section.
237 Reported by Nettozahler in #3172525.
238 - Unblock and fast-redirect ".awin1.com/.*=http://".
239 Reported by Adam Piggott in #3170921.
240 - Block "b.collective-media.net/".
241 - Widen the Debian popcon exception to "qa.debian.org/popcon".
242 Seen in Debian's 05_default_action.dpatch by Roland Rosenfeld.
243 - Block ".gemius.pl/" which only seems to be used for user tracking.
244 Reported by johnd16 in #3002731. Additional input from Lee and movax.
245 - Disable banners-by-size filters for '.thinkgeek.com/'.
246 The filter only seems to catch pictures of the inventory.
247 - Block requests for 'go.idmnet.bbelements.com/please/showit/'.
248 Reported by kacperdominik in #3372959.
249 - Unblock adainitiative.org/.
250 - Add a fast-redirects exception for '.googleusercontent.com/.*=cache'.
251 - Add a fast-redirects exception for webcache.googleusercontent.com/.
252 - Unblock http://adassier.wordpress.com/ and http://adassier.files.wordpress.com/.
254 - Filter file improvements:
255 - Let the yahoo filter hide '.ads'.
256 - Let the msn filter hide overlay ads for Facebook 'likes' in search
257 results and elements with the id 's_notf_div'. They only seem to be
258 used to advertise site 'enhancements'.
259 - Let the js-events filter additionally disarm setInterval().
260 Suggested by dg1727 in #3423775.
262 - Documentation improvements:
263 - Clarify the effect of compiling Privoxy with zlib support.
264 Suggested by dg1727 in #3423782.
265 - Point out that the SourceForge messaging system works like a black
266 hole and should thus not be used to contact individual developers.
267 - Mention some of the problems one can experience when not explicitly
268 configuring an IP addresses as listen address.
269 - Explicitly mention that hostnames can be used instead of IP addresses
270 for the listen-address, that only the first address returned will be
271 used and what happens if the address is invalid.
272 Requested by Calestyo in #3302213.
274 - Log message improvements:
275 - If only the server connection is kept alive, do not pretend to
276 wait for a new client request.
277 - Remove a superfluous log message in forget_connection().
278 - In chat(), properly report missing server responses as such
279 instead of calling them empty.
280 - In forwarded_connect(), fix a log message nobody should ever see.
281 - Fix a log message in socks5_connect(), a failed write operation
282 was logged as failed read operation.
283 - Let load_one_actions_file() properly complain about a missing
284 '{' at the beginning of the file.
285 Simply stating that a line is invalid isn't particularly helpful.
286 - Do not claim to listen on a socket until Privoxy actually does.
287 Patch submitted by Petr Pisar #3354485
288 - Prevent a duplicated LOG_LEVEL_CLF message when sending out
289 the "no-server-data" response.
290 - Also log the client socket when dropping a connection.
291 - Include the destination host in the 'Request ... marked for
292 blocking. limit-connect{...} doesn't allow CONNECT ...' message
293 Patch submitted by Saperski in #3296250.
294 - Prevent a duplicated log message if none of the resolved IP
295 addresses were reachable.
296 - In connect_to(), do not pretend to retry if forwarded-connect-retries
298 - When a specified user or group can't be found, put the name in
299 single-quotes when logging it.
300 - In rfc2553_connect_to(), explain getnameinfo() errors better.
301 - Remove a useless log message in chat().
302 - When retrying to connect, also log the maximum number of connection
304 - Rephrase a log message in compile_dynamic_pcrs_job_list().
305 Divide the error code and its meaning with a colon. Call the pcrs
306 job dynamic and not the filter. Filters may contain dynamic and
307 non-dynamic pcrs jobs at the same time. Only mention the name of
308 the filter or tagger, but don't claim it's a filter when it could
310 - In a fatal error message in load_one_actions_file(), cover both
311 URL and TAG patterns.
312 - In pcrs_strerror(), properly report unknown positive error code
313 values as such. Previously they were handled like 0 (no error).
314 - In compile_dynamic_pcrs_job_list(), also log the actual error code as
315 pcrs_strerror() doesn't handle all errors reported by pcre.
316 - Don't bother trying to continue chatting if the client didn't ask for it.
317 Reduces log noise a bit.
318 - Make two fatal error message in load_one_actions_file() more descriptive.
319 - In cgi_send_user_manual(), log when rejecting a file name due to '/' or '..'.
320 - In load_file(), log a message if opening a file failed.
321 The CGI error message alone isn't too helpful.
322 - In connection_destination_matches(), improve two log messages
323 to help understand why the destinations don't match.
324 - Rephrase a log message in serve(). Client request arrival
325 should be differentiated from closed client connections now.
326 - In serve(), log if a client connection isn't reused due to a
327 configuration file change.
328 - Let mark_server_socket_tainted() always mark the server socket tainted,
329 just don't talk about it in cases where it has no effect. It doesn't change
330 Privoxy's behaviour, but makes understanding the log file easier.
333 - Added a --disable-ipv6-support switch for platforms where support
334 is detected but doesn't actually work.
335 - Do not check for the existence of strerror() and memmove() twice
336 - Remove a useless test for setpgrp(2). Privoxy doesn't need it and
337 it can cause problems when cross-compiling.
338 - Rename the --disable-acl-files switch to --disable-acl-support.
339 Since about 2001, ACL directives are specified in the standard
341 - Update the URL of the 'Removing outdated PCRE version after the
342 next stable release' posting. The old URL stopped working after
343 one of SF's recent site "optimizations". Reported by Han Liu.
345 - Privoxy-Regression-Test:
346 - Added --shuffle-tests option to increase the chances of detection race conditions.
347 - Added a --local-test-file option that allows to use Privoxy-Regression-Test without Privoxy.
348 - Added tests for missing socks4 and socks4a forwarders.
349 - The --privoxy-address option now works with IPv6 addresses containing brackets, too.
350 - Perform limited sanity checks for parameters that are supposed to have numerical values.
351 - Added a --sleep-time option to specify a number of seconds to
352 sleep between tests, defaults to 0.
353 - Disable the range-requests tagger for tests that break if it's enabled.
354 - Log messages use the ISO 8601 date format %Y-%m-%d.
355 - Fix spelling in two error messages.
356 - In the --help output, include a list of supported tests and their default levels.
357 - Adjust the tests to properly deal with FEATURE_TOGGLE being disabled.
359 - Privoxy-Log-Parser:
360 - Perform limited sanity checks for command line parameters that
361 are supposed to have numerical values.
362 - Implement a --unbreak-lines-only option to try to revert MUA breakage.
363 - Accept and highlight: Added header: Content-Encoding: deflate
364 - Accept and highlight: Compressed content from 29258 to 8630 bytes.
365 - Accept and highlight: Client request arrived in time on socket 21.
366 - Highlight: Didn't receive data in time: a.fsdn.com:443
367 - Accept log messages with ISO 8601 time stamps, too.
370 - Bump generated Firefox version to 8.0.
371 - Only randomize the release date if the new --randomize-release-date
372 option is enabled. Firefox versions after 4 use a fixed date string
375 -----------------------------------------------------------------
377 -----------------------------------------------------------------
379 Privoxy is a non-caching web proxy with advanced filtering capabilities for
380 enhancing privacy, modifying web page data and HTTP headers, controlling
381 access, and removing ads and other obnoxious Internet junk. Privoxy has a
382 flexible configuration and can be customized to suit individual needs and
383 tastes. It has application for both stand-alone systems and multi-user
386 Privoxy is Free Software and licensed under the GNU GPLv2.
388 Privoxy is an associated project of Software in the Public Interest (SPI).
390 Helping hands and donations are welcome:
392 * http://www.privoxy.org/faq/general.html#PARTICIPATE
394 * http://www.privoxy.org/faq/general.html#DONATE
396 At present, Privoxy is known to run on Windows(95, 98, ME, 2000,
397 XP, Vista), GNU/Linux (Ubuntu, RedHat, SuSE, Debian, Fedora, Gentoo and
398 others), Mac OSX, OS/2, AmigaOS, FreeBSD, NetBSD, OpenBSD, Solaris, and
399 various other flavors of Unix.
401 In addition to the core features of ad blocking and cookie management,
402 Privoxy provides many supplemental features, that give the end-user
403 more control, more privacy and more freedom:
406 * Supports "Connection: keep-alive". Outgoing connections can be kept
407 alive independently from the client. Currently not available on all
410 * Supports IPv6, provided the operating system does so too,
411 and the configure script detects it.
413 * Supports tagging which allows to change the behaviour based on client
416 * Can be run as an "intercepting" proxy, which obviates the need to
417 configure browsers individually.
419 * Sophisticated actions and filters for manipulating both server and
422 * Can be chained with other proxies.
424 * Integrated browser based configuration and control utility at
425 http://config.privoxy.org/ (shortcut: http://p.p/). Browser-based
426 tracing of rule and filter effects. Remote toggling.
428 * Web page filtering (text replacements, removes banners based on size,
429 invisible <quote>web-bugs</quote> and HTML annoyances, etc.)
431 * Modularized configuration that allows for standard settings and user
432 settings to reside in separate files, so that installing updated actions
433 files won't overwrite individual user settings.
435 * Support for Perl Compatible Regular Expressions in the configuration
436 files, and a more sophisticated and flexible configuration syntax.
440 * Bypass many click-tracking scripts (avoids script redirection).
442 * User-customizable HTML templates for most proxy-generated pages (e.g.
445 * Auto-detection and re-reading of config file changes.
447 * Most features are controllable on a per-site or per-location basis.
451 http://sourceforge.net/project/showfiles.php?group_id=11118
454 http://www.privoxy.org/
457 - Privoxy Developers <ijbswa-developers@lists.sourceforge.net>