Privoxy 3.0.22 stable is mainly a bug-fix
release, it also has a couple of new features, though.
Note that the first two entries in the ChangeLog below refer to security
issues:
Bug fixes:
Fixed a memory leak when rejecting client connections due to
the socket limit being reached (CID 66382). This affected
Privoxy 3.0.21 when compiled with IPv6 support (on most
platforms this is the default).
Fixed an immediate-use-after-free bug (CID 66394) and two
additional unconfirmed use-after-free complaints made by
Coverity scan (CID 66391, CID 66376).
Actually show the FORCE_PREFIX value on the show-status page.
Properly deal with Keep-Alive headers with timeout= parameters
If the timeout still can't be parsed, use the configured
timeout instead of preventing the client from keeping the
connection alive. Fixes #3615312/#870 reported by Bernard Guillot.
Not using any filter files no longer results in warning messages
unless an action file is referencing header taggers or filters.
Reported by Stefan Kurtz in #3614835.
Fixed a bug that prevented Privoxy from reusing some reusable
connections. Two bit masks with different purpose unintentionally
shared the same bit.
A couple of additional bugs were discovered by Coverity Scan.
The fixes that are not expected to affect users are not explicitly
mentioned here, for details please have a look at the CVS logs.
General improvements:
Introduced negative tag patterns NO-REQUEST-TAG and NO-RESPONSE-TAG.
They apply if no matching tag is found after parsing client or
server headers.
Add support for external filters which allow to process the
response body with a script or program written in any language
the platform supports. External filters are enabled with
+external-filter{} after they have been defined in one of the
filter files with a header line starting with "EXTERNAL-FILTER:".
External filter support is experimental, not compiled by default
and known not to work on all platforms.
Add support for the 'PATCH' method as defined in RFC5789.
Reject requests with unsupported Expect header values.
Fixes a couple of Co-Advisor tests.
Normalize the HTTP-version in forwarded requests and responses.
This is an explicit RFC 2616 MUST and RFC 7230 mandates that
intermediaries send their own HTTP-version in forwarded
messages.
Client 'Keep-Alive' headers are no longer forwarded. From a user's
point of view it doesn't really matter, but RFC 2616 (obsolete)
mandates that the header is removed and this fixes a Co-Advisor
complaint.
Change declared template file encoding to UTF-8. The templates
already used a subset of UTF-8 anyway and changing the declaration
allows to properly display UTF-8 characters used in the action files.
This change may require existing action files with ISO-8859-1
characters that aren't valid UTF-8 to be converted to UTF-8.
Requested by Sam Chen in #582.
Do not pass rejected keep-alive timeouts to the server. It might
not have caused any problems (we know of), but doing the right
thing shouldn't hurt either.
Let log_error() use its own buffer size #define to make changing
the log buffer size slightly less inconvenient.
Turned single-threaded into a "proper" toggle directive with arguments.
CGI templates no longer enforce new windows for some links.
Remove an undocumented workaround ('HOST' header removal) for
an Apple iTunes bug that according to #729900 got fixed in 2003.
Action file improvements:
The pattern 'promotions.' is no longer being blocked.
Reported by rakista in #3608540.
Disable fast-redirects for .microsofttranslator.com/.
Disable filter{banners-by-size} for .dgb-tagungszentren.de/.
Add adn.speedtest.net as a site-specific unblocker.
Support request #3612908.
Disable filter{banners-by-size} for creativecommons.org/.
Block requests to data.gosquared.com/. Reported by cbug in #3613653.
Unblock .conrad./newsletter/. Reported by David Bo in #3614238.
Unblock .bundestag.de/.
Unblock .rote-hilfe.de/.
Disable fast-redirects for .facebook.com/plugins/like.php.
Unblock Stackexchange popup URLs that aren't used to serve ads.
Reported by David Wagner in #3615179.
Disable fast-redirects for creativecommons.org/.
Unblock .stopwatchingus.info/.
Block requests for .adcash.com/script/.
Reported by Tyrexionibus in #3615289.
Disable HTML filters if the response was tagged as JavaScript.
Filtering JavaScript code with filters intended to deal with HTML
is usually a waste of time and, more importantly, may break stuff.
Use a custom redirect{} for .washingtonpost.com/wp-apps/imrs\.php\?src=
Previously enabling the 'Advanced' settings (or manually enabling
+fast-redirects{}) prevented some images from being loaded properly.
Unblock "adina*." Fixes #919 reported by Morton A. Goldberg.
Block '/.*DigiAd'.
Unblock 'adele*.'. Reported by Adele Lime in #1663.
Disable banners-by-size for kggp.de/.
Filter file improvements & bug fixes:
Decrease the chances that js-annoyances creates invalid JavaScript.
Submitted by John McGowan on ijbswa-users@.
Let the msn filter hide 'related' ads again.
Remove a stray '1' in the 'html-annoyances' filter.
Prevent img-reorder from messing up img tags with empty src
attributes. Fixes #880 reported by Duncan.
Documentation improvements:
Updated the 'Would you like to donate?' section.
Note that invalid forward-override{} parameter syntax isn't
detected until the parameter is used.
Add another +redirect{} example: a shortcut for illumos bugs.
Make it more obvious that many operating systems support log
rotation out of the box.
Fixed dead links. Reported by Mark Nelson in #3614557.
Rephrased the 'Why is the configuration so complicated?' answer
to be slightly less condescending. Anonymously suggested in #3615122.
Be more explicit about accept-intercepted-requests's lack of MITM support.
Make 'demoronizer' FAQ entries more generic.
Add an example hostname to the --pre-chroot-nslookup description.
Add an example for a host pattern that matches an IP address.
Rename the 'domain pattern' to 'host pattern' as it may
contain IP addresses as well.
Recommend forward-socks5t when using Tor. It seems to work fine and
modifying the Tor configuration to profit from it hasn't been necessary
for a while now.
Add another redirect{} example to stress that redirect loops can
and should be avoided.
The usual spelling and grammar fixes. Parts of them were
reported by Reuben Thomas in #3615276.
Mention the PCRS option letters T and D in the filter section.
Clarify that handle-as-empty-doc-returns-ok is still useful
and will not be removed without replacement.
Note that security issues shouldn't be reported using the bug tracker.
Clarify what Privoxy does if both +block{} and +redirect{} apply.
Removed the obsolete bookmarklets section.
Build system improvements:
Let --with-group properly deal with secondary groups.
Patch submitted by Anatoly Arzhnikov in #3615187.
Fix web-actions target.
Add a web-faq target that only updates the FAQ on the webserver.
Remove already-commented-out non-portable DOSFILTER alternatives.
Remove the obsolete targets dok-put and dok-get.
Add a sf-shell target.