Check requests more carefully before serving them forcefully
author Fabian Keil <fk@fabiankeil.de>
Mon, 28 Dec 2015 18:55:49 +0000 (18:55 +0000)
committer Fabian Keil <fk@fabiankeil.de>
Mon, 28 Dec 2015 18:55:49 +0000 (18:55 +0000)
commit 8bb21add600416769cde743f11c19581e4539100
tree 36f6cb124d8b5329cbedea31a2f25fe064a996c1
parent 3e28dfdd76a773f824ea0d39ede00fa808f0f06c
Check requests more carefully before serving them forcefully

... when blocks aren't enforced.

Privoxy always adds the force token at the beginning
of the path, but would previously accept it anywhere
in the request line.

This could result in requests being served that should
be blocked. For example in case of pages that were
loaded with force and contained JavaScript to create
additional requests that embed the origin URL
(thus inheriting the force prefix).

The bug is not considered a security issue and the
fix does not make it harder for remote sites to
intentionally circumvent blocks if Privoxy isn't
configured to enforce them.

Fixes #1695 reported by Korda.
jcc.c
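
The difference between accepting the force token anywhere in the request line and accepting it only at the beginning of the path, as an added example that is not Privoxy's code or the change made in this commit. The token value, the function names and the request lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed token value for this example; it does not appear on this page. */
#define FORCE_TOKEN "/PRIVOXY-FORCE"
#define SCHEME_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-."

/* Loose check: the token counts wherever it appears in the request line. */
int force_anywhere(const char *request_line)
{
    return strstr(request_line, FORCE_TOKEN) != NULL;
}

/* Return a pointer to the first byte of the path, or NULL if none is found. */
const char *path_start(const char *request_line)
{
    const char *target = strchr(request_line, ' ');
    size_t scheme_len;

    if (target == NULL) return NULL;
    target++;                               /* skip the space after the method */
    if (*target == '/') return target;      /* origin-form: GET /path HTTP/1.1 */

    /* absolute-form: scheme "://" authority path */
    scheme_len = strspn(target, SCHEME_CHARS);
    if (scheme_len == 0 || strncmp(target + scheme_len, "://", 3) != 0) return NULL;
    target += scheme_len + 3;
    target += strcspn(target, "/ ?#");      /* skip the authority */
    return (*target == '/') ? target : NULL;
}

/* Strict check: the token counts only as the leading bytes of the path. */
int force_at_path_start(const char *request_line)
{
    const char *path = path_start(request_line);
    return path != NULL && strncmp(path, FORCE_TOKEN, strlen(FORCE_TOKEN)) == 0;
}

int main(void)
{
    /* Constructed request lines, not captured traffic. */
    const char *samples[] = {
        "GET http://example.org/PRIVOXY-FORCE/page.html HTTP/1.1",
        "GET http://ads.example.net/t?ref=http://example.org/PRIVOXY-FORCE/page.html HTTP/1.1",
        "GET http://example.org/page.html HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("anywhere=%d path-start=%d  %s\n", force_anywhere(samples[i]),
               force_at_path_start(samples[i]), samples[i]);
    return 0;
}
```

The second sample is the case the commit message describes: a request that embeds the origin URL carries the token in its query string, so the loose check treats it as forced while the path-anchored check does not.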