From 363febbbf9f54bcd3fc7ecc8eae6eaa18f9d587a Mon Sep 17 00:00:00 2001
From: hal9 <hal9@users.sourceforge.net>
Date: Sun, 4 Nov 2007 21:17:31 +0000
Subject: [PATCH] Disable enable-remote-toggle, enable-remote-http-toggle, and
 enable-edit-actions in a default config. Alter commentary accordingly. A few
 other minor changes.

---
 doc/source/p-config.sgml | 56 +++++++++++++++++++++++-----------------
 1 file changed, 33 insertions(+), 23 deletions(-)

diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml
index 07c83d22..04e0e1f5 100644
--- a/doc/source/p-config.sgml
+++ b/doc/source/p-config.sgml
@@ -3,7 +3,7 @@
 
  Purpose     :  Used with other docs and files only.
 
- $Id: p-config.sgml,v 2.17 2007/07/21 11:53:40 fabiankeil Exp $
+ $Id: p-config.sgml,v 2.18 2007/11/03 14:31:27 fabiankeil Exp $
 
  Copyright (C) 2001-2007 Privoxy Developers http://www.privoxy.org/
  See LICENSE.
@@ -95,7 +95,7 @@
  Sample Configuration File for Privoxy v&p-version;
 </title>
 <para>
- $Id: p-config.sgml,v 2.17 2007/07/21 11:53:40 fabiankeil Exp $
+ $Id: p-config.sgml,v 2.18 2007/11/03 14:31:27 fabiankeil Exp $
 </para>
 <para>
 Copyright (C) 2001-2007 Privoxy Developers http://www.privoxy.org/
@@ -812,7 +812,7 @@ actionsfile
  <varlistentry>
   <term>Default value:</term>
   <listitem>
-   <para>logfile (Unix) <emphasis>or</emphasis> privoxy.log (Windows)</para>
+   <para><emphasis>Unset (commented out)</emphasis>. When activated: logfile (Unix) <emphasis>or</emphasis> privoxy.log (Windows)</para>
   </listitem>
  </varlistentry>
  <varlistentry>
@@ -838,13 +838,15 @@ actionsfile
     of detail and number of messages are set with the <literal>debug</literal>
     option (see below). The logfile can be useful for tracking down a problem with
     <application>Privoxy</application> (e.g., it's not blocking an ad you
-    think it should block) but in most cases you probably will never look at it.
+    think it should block) but in most cases you probably will never look at
+    it. For this reason, it is disabled by default. For troubleshooting
+    purposes, you will have to explicitly enable it.
    </para>
    <para>
     Your logfile will grow indefinitely, and you will probably want to
     periodically remove it.  On Unix systems, you can do this with a cron job
-    (see <quote>man cron</quote>). For Red Hat, a <command>logrotate</command> 
-    script has been included.
+    (see <quote>man cron</quote>). For Red Hat based Linux distributions, a
+    <command>logrotate</command> script has been included.
    </para> 
    <para>
     On SuSE Linux systems, you can place a line like <quote>/var/log/privoxy.*
@@ -860,7 +862,7 @@ actionsfile
  </varlistentry>
 </variablelist>
 
-<![%config-file;[<literallayout>@@logfile logfile</literallayout>]]>
+<![%config-file;[<literallayout>@@#logfile logfile</literallayout>]]>
 </sect3>
 
 
@@ -885,7 +887,7 @@ actionsfile
  <varlistentry>
   <term>Default value:</term>
   <listitem>
-   <para>Unset (commented out). When activated: jarfile (Unix) <emphasis>or</emphasis> privoxy.jar (Windows)</para>
+   <para><emphasis>Unset (commented out)</emphasis>. When activated: jarfile (Unix) <emphasis>or</emphasis> privoxy.jar (Windows)</para>
   </listitem>
  </varlistentry>
  <varlistentry>
@@ -1324,7 +1326,7 @@ actionsfile
  <varlistentry>
   <term>Default value:</term>
   <listitem>
-   <para>1</para>
+   <para>0</para>
   </listitem>
  </varlistentry>
  <varlistentry>
@@ -1344,12 +1346,16 @@ actionsfile
     any URL.
    </para>
    <para>
-    For the time being, access to the toggle feature can <emphasis>not</emphasis> be
+    Access to the toggle feature can <emphasis>not</emphasis> be
     controlled separately by <quote>ACLs</quote> or HTTP authentication,
     so that everybody who can access <application>Privoxy</application> (see
     <quote>ACLs</quote> and <literal>listen-address</literal> above) can
     toggle it for all users. So this option is <emphasis>not recommended</emphasis>
-    for multi-user environments with untrusted users.
+    for multi-user environments with untrusted users. Because of 
+    the obvious security implications, this feature is off by default.
+    Note that malicious client side code (e.g JavaScript) is also potentially
+    capable of changing <application>Privoxy's</application> intended
+    behavior.
    </para>
    <para>
     Note that you must have compiled <application>Privoxy</application> with
@@ -1359,7 +1365,7 @@ actionsfile
  </varlistentry>
 </variablelist>
 
-<![%config-file;[<literallayout>@@enable-remote-toggle  1</literallayout>]]>
+<![%config-file;[<literallayout>@@enable-remote-toggle  0</literallayout>]]>
 </sect3>
 
 
@@ -1383,7 +1389,7 @@ actionsfile
  <varlistentry>
   <term>Default value:</term>
   <listitem>
-   <para>1</para>
+   <para>0</para>
   </listitem>
  </varlistentry>
  <varlistentry>
@@ -1404,16 +1410,17 @@ actionsfile
     the ongoing request, even if it is enabled in one of the action files.
    </para>
    <para>
-    If you are using <application>Privoxy</application> in a
-    multi-user environment or with untrustworthy clients and want to
-    enforce filtering, you will have to disable this option,
-    otherwise you can ignore it. 
+    This feature is disabled by default. If you are using
+    <application>Privoxy</application> in a environment with trusted clients,
+    you may enable this feature at your discretion. Note that malicious client
+    side code (e.g JavaScript) is also potentially capable of changing
+    <application>Privoxy's</application> intended behavior.
    </para>
   </listitem>
  </varlistentry>
 </variablelist>
 
-<![%config-file;[<literallayout>@@enable-remote-http-toggle  1</literallayout>]]>
+<![%config-file;[<literallayout>@@enable-remote-http-toggle  0</literallayout>]]>
 </sect3>
 
 
@@ -1438,7 +1445,7 @@ actionsfile
  <varlistentry>
   <term>Default value:</term>
   <listitem>
-   <para>1</para>
+   <para>0</para>
   </listitem>
  </varlistentry>
  <varlistentry>
@@ -1453,12 +1460,15 @@ actionsfile
   <term>Notes:</term>
   <listitem>
    <para>
-    For the time being, access to the editor can <emphasis>not</emphasis> be
+    Access to the editor can <emphasis>not</emphasis> be
     controlled separately by <quote>ACLs</quote> or HTTP authentication,
     so that everybody who can access <application>Privoxy</application> (see
     <quote>ACLs</quote> and <literal>listen-address</literal> above) can
-    modify its configuration for all users. So this option is <emphasis>not
-    recommended</emphasis> for multi-user environments with untrusted users.
+    modify its configuration for all users. This option is <emphasis>not
+    recommended</emphasis> for multi-user environments with untrusted users 
+    and is therefore disabled by default. Note that malicious client side code
+    (e.g JavaScript) is also potentially capable of changing
+    <application>Privoxy's</application> intended behavior.
    </para>
    <para>
     Note that you must have compiled <application>Privoxy</application> with
@@ -1468,7 +1478,7 @@ actionsfile
  </varlistentry>
 </variablelist>
 
-<![%config-file;[<literallayout>@@enable-edit-actions 1</literallayout>]]>
+<![%config-file;[<literallayout>@@enable-edit-actions 0</literallayout>]]>
 </sect3>
 
 
-- 
2.39.2