<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org">
<title>What's New in this Release</title>
<meta name="GENERATOR" content=
"Modular DocBook HTML Stylesheet Version 1.79">
<link rel="HOME" title="Privoxy 3.0.18 User Manual" href="index.html">
<link rel="PREVIOUS" title="Installation" href="installation.html">
<link rel="NEXT" title="Quickstart to Using Privoxy" href=
<link rel="STYLESHEET" type="text/css" href="../p_doc.css">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<link rel="STYLESHEET" type="text/css" href="p_doc.css">
<style type="text/css">
background-color: #EEEEEE;
:link { color: #0000FF }
:visited { color: #840084 }
:active { color: #0000FF }
hr.c1 {text-align: left}
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0"
cellpadding="0" cellspacing="0">
<th colspan="3" align="center">Privoxy 3.0.18 User Manual</th>
<hr class="c1" width="100%">
<h1 class="SECT1"><a name="WHATSNEW" id="WHATSNEW">3. What's New in this
<p><span class="APPLICATION">Privoxy 3.0.18</span> is a stable release.
The changes since 3.0.17 stable are:</p>
<p>If the redirect URL contains characters RFC 3986 doesn't
permit, they are (re)encoded. Not doing this makes Privoxy
versions from 3.0.5 to 3.0.17 susceptible to HTTP response
splitting (CWE-113) attacks if the
+fast-redirects{check-decoded-url} action is used.</p>
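<p>The following added example (not Privoxy's own code) shows why re-encoding matters: a decoded redirect URL is placed into a Location header with and without percent-encoding the bytes RFC 3986 does not permit. The function names, the "302 Found" status line and the sample URL are constructed for illustration.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters RFC 3986 permits in a URI: unreserved, gen-delims and
 * sub-delims, plus '%' so existing percent-escapes are left alone. */
static int rfc3986_permits(unsigned char c)
{
   static const char allowed[] =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
      "-._~" ":/?#[]@" "!$&'()*+,;=" "%";
   return c != '\0' && strchr(allowed, c) != NULL;
}

/* Hypothetical helper: returns a malloc'ed copy of url in which every
 * byte RFC 3986 does not permit (CR, LF, space, ...) is percent-encoded.
 * The caller frees the result. Returns NULL if out of memory. */
char *encode_redirect_url(const char *url)
{
   static const char hex[] = "0123456789ABCDEF";
   char *out = malloc(3 * strlen(url) + 1);   /* worst case: all encoded */
   char *p = out;

   if (out == NULL) return NULL;
   for (; *url != '\0'; url++)
   {
      unsigned char c = (unsigned char)*url;
      if (rfc3986_permits(c)) { *p++ = (char)c; }
      else { *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 0x0F]; }
   }
   *p = '\0';
   return out;
}

/* Builds a redirect response head. With reencode == 0 the decoded URL is
 * copied verbatim (the behaviour the fix removes); with reencode != 0 it
 * is encoded first. Returns the length written, or -1 on error. */
int build_redirect(char *buf, size_t size, const char *url, int reencode)
{
   char *safe = reencode ? encode_redirect_url(url) : NULL;
   int n;

   if (reencode && safe == NULL) return -1;
   n = snprintf(buf, size, "HTTP/1.1 302 Found\r\nLocation: %s\r\n"
                "Connection: close\r\n\r\n", reencode ? safe : url);
   free(safe);
   return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Counts CRLF line terminators; each one ends a line in the response head. */
int count_crlf(const char *s)
{
   int n = 0;
   for (; (s = strstr(s, "\r\n")) != NULL; s += 2) n++;
   return n;
}

int main(void)
{
   /* Constructed sample: a URL as it looks after percent-decoding. */
   const char *decoded = "http://example.org/a b\r\nX-Injected: 1";
   char buf[256];

   if (build_redirect(buf, sizeof(buf), decoded, 0) > 0)
      printf("verbatim:   %d lines in response head\n", count_crlf(buf));
   if (build_redirect(buf, sizeof(buf), decoded, 1) > 0)
      printf("re-encoded: %d lines in response head\n%s", count_crlf(buf), buf);
   return 0;
}
```

<p>The extra line in the verbatim case is the header smuggled in through the decoded URL; after re-encoding, the CR and LF travel as %0D%0A inside the Location value.</p>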
<p>Fix a logic bug that could cause Privoxy to reuse a server
socket after it got tainted by a server-header-tagger-induced
block that was triggered before the whole server response had
been read. If keep-alive was enabled and the request following
the blocked one was to the same host and using the same
forwarding settings, Privoxy would send it on the tainted server
socket. While the server would simply treat it as a pipelined
request, Privoxy would later on fail to properly parse the
server's response as it would try to parse the unread data from
the first response as server headers for the second one.
Regression introduced in 3.0.17.</p>
<p>When implying keep-alive in client_connection(), remember that
the client didn't. Fixes a regression introduced in 3.0.13 that
would cause Privoxy to wait for additional client requests after
receiving a HTTP/1.1 request with "Connection: close" set and
connection sharing enabled. With clients which terminate the
client connection after detecting that the whole body has been
received it doesn't really matter, but with clients that don't
the connection would be kept open until it timed out.</p>
<p>Fix a subtle race condition between
prepare_csp_for_next_request() and sweep(). A thread preparing
itself for the next client request could briefly appear to be
inactive. If all other threads were already using more recent
files, the thread could get its files swept away under its feet.
So far this has only been reproduced while stress testing in
valgrind while touching action files in a loop. It's unlikely to
have caused any actual problems in the real world.</p>
<p>Disable filters if SDCH compression is used unless filtering
is forced. If SDCH was combined with a supported compression
algorithm, Privoxy previously could try to decompress it and
ditch the Content-Encoding header even though the SDCH
compression wasn't dealt with. Reported by zebul666 in
<p>Make a copy of the --user value and only mess with that when
splitting user and group. On some operating systems modifying the
value directly is reflected in the output of ps and friends and
can be misleading. Reported by zepard in #3292710.</p>
<p>If forwarded-connect-retries is set, only retry if Privoxy is
actually forwarding the request. Previously direct connections
would be retried as well.</p>
<p>Fixed a small memory leak when retrying connections with IPv6
<p>Remove an incorrect assertion in
compile_dynamic_pcrs_job_list(). It could be triggered by a pcrs
job with an invalid pcre pattern (for example one that contains a
lone quantifier).</p>
<p>If the --user argument user[.group] contains a dot, always
bail out if no group has been specified. Previously the intended,
but undocumented (and apparently untested), behaviour was to try
interpreting the whole argument as user name, but the detection
was flawed and checked for '0' instead of '\0', thus merely
preventing group names beginning with a zero.</p>
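<p>The two --user changes above (splitting a private copy, and bailing out when a dot is not followed by a group) can be illustrated together. This is an added example, not Privoxy's own code; split_user_group() and both *_group_missing() helpers are hypothetical names, and the flawed check is reduced to the single comparison the entry describes.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { SPLIT_OK = 0, SPLIT_NO_GROUP = -1, SPLIT_NO_MEMORY = -2 };

/* The flawed detection: compares against the digit '0' (0x30), so an
 * empty group goes unnoticed and a group like "0day" is rejected. */
int flawed_group_missing(const char *after_dot) { return *after_dot == '0'; }

/* The intended detection: compares against the terminator '\0'. */
int fixed_group_missing(const char *after_dot) { return *after_dot == '\0'; }

/* Splits "user[.group]" without touching arg, which may be argv memory
 * that tools like ps display. On success *user is a malloc'ed string the
 * caller frees, and *group points into it or is NULL if no dot was given.
 * A dot that is not followed by a group name is always an error. */
int split_user_group(const char *arg, char **user, const char **group)
{
   char *copy, *dot;

   *user = NULL;
   *group = NULL;
   copy = malloc(strlen(arg) + 1);
   if (copy == NULL) return SPLIT_NO_MEMORY;
   strcpy(copy, arg);

   dot = strchr(copy, '.');
   if (dot != NULL)
   {
      *dot = '\0';                       /* only the copy is modified */
      if (fixed_group_missing(dot + 1))
      {
         free(copy);
         return SPLIT_NO_GROUP;
      }
      *group = dot + 1;
   }
   *user = copy;
   return SPLIT_OK;
}

int main(void)
{
   /* Constructed sample values for the --user argument. */
   const char *samples[] = { "privoxy", "privoxy.nogroup", "privoxy.0day", "privoxy." };
   size_t i;

   for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
   {
      char *user;
      const char *group;
      int rc = split_user_group(samples[i], &user, &group);

      if (rc == SPLIT_OK)
         printf("%-16s user='%s' group='%s'\n", samples[i], user, group ? group : "(none)");
      else
         printf("%-16s rejected (%d)\n", samples[i], rc);
      free(user);
   }
   return 0;
}
```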
<p>In html_code_map[], use a numeric character reference instead
of &amp;apos; which wasn't standardized before XHTML 1.0.</p>
<p>Fix an invalid free when compiled with
FEATURE_GRACEFUL_TERMINATION and shut down through
http://config.privoxy.org/die</p>
<p>In get_actions(), fix the "temporary" backwards compatibility
hack to accept block actions without reason. It also covered
other actions that should be rejected as invalid. Reported by
<p>General improvements:</p>
<p>Privoxy can (re)compress buffered content before delivering it
to the client. Disabled by default as most users wouldn't benefit
<p>The +fast-redirects{check-decoded-url} action checks URL
segments separately. If there are other parameters behind the
redirect URL, this makes it unnecessary to cut them off by
additionally using a +redirect{} pcrs command. Initial patch
submitted by Jamie Zawinski in #3429848.</p>
<p>When loading action sections, verify that the referenced
filters exist. Currently missing filters only result in an error
message, but eventually the severity will be upgraded to
<p>Allow binding to multiple separate addresses. Patch set
submitted by Petr Pisar in #3354485.</p>
<p>Set socket_error to errno if connecting fails in
rfc2553_connect_to(). Previously rejected direct connections could
be incorrectly reported as DNS issues if Privoxy was compiled
with IPv6 support.</p>
<p>Adjust url_code_map[] so spaces are replaced with %20 instead
of '+'. While '+' can be used by clients submitting form data,
this is not actually what Privoxy is using the lookups for. This
is more of a cosmetic issue and doesn't fix any known
<p>When compiled without FEATURE_FAST_REDIRECTS, do not silently
ignore +fast-redirect{} directives</p>
<p>Added a workaround for GNU libc's strptime() reporting
negative year values when the parsed year is only specified with
two digits. On affected systems cookies with such a date would
not be turned into session cookies by the +session-cookies-only
action. Reported by Vaeinoe in #3403560.</p>
<p>Fixed bind failures with certain GNU libc versions if no
non-loopback IP address has been configured on the system. This
is mainly an issue if the system is using DHCP and Privoxy is
started before the network is completely configured. Reported by
Raphael Marichez in #3349356. Additional insight from Petr
<p>Privoxy log messages now use the ISO 8601 date format
%Y-%m-%d. It's only slightly longer than the old format, but
contains the full date including the year and allows sorting by
date (when grepping in multiple log files) without hassle.</p>
<p>In get_last_url(), do not bother trying to decode URLs that do
not contain at least one '%' sign. It reduces the log noise and a
number of unnecessary memory allocations.</p>
<p>In case of SOCKS5 failures, dump the socks response in the log
<p>Simplify the signal setup in main()</p>
<p>Streamline socks5_connect() slightly</p>
<p>In socks5_connect(), require a complete socks response from
the server. Previously Privoxy didn't care how much data the
server response contained as long as the first two bytes
contained the expected values. While at it, shrink the buffer
size so Privoxy can't read more than a whole socks response.</p>
<p>In chat(), do not bother to generate a client request in case
of direct CONNECT requests. It will not be used anyway.</p>
<p>Reduce server_last_modified()'s stack size.</p>
<p>Shorten get_http_time() by using strftime().</p>
<p>Constify the known_http_methods pointers in
unknown_method().</p>
<p>Constify the time_formats pointers in parse_header_time().</p>
<p>Constify the formerly_valid_actions pointers in
action_used_to_be_valid().</p>
<p>Introduce a GNUMakefile MAN_PAGE variable that defaults to
privoxy.1. The Debian package uses section 8 for the man page and
this should simplify the patch.</p>
<p>Deduplicate the INADDR_NONE definition for Solaris by moving
it to jbsockets.h</p>
<p>In block_url(), ditch the obsolete workaround for ancient
Netscape versions that supposedly couldn't properly deal with
<p>Remove a useless NULL pointer check in load_trustfile().</p>
<p>Remove two useless NULL pointer checks in
load_one_re_filterfile().</p>
<p>Change url_code_map[] from an array of pointers to an array of
arrays. It removes an unnecessary layer of indirection and on
64-bit systems reduces the size of the binary a bit.</p>
<p>Fix various typos. Fixes taken from Debian's 29_typos.dpatch
by Roland Rosenfeld.</p>
<p>Add a dok-tidy GNUMakefile target to clean up the messy HTML
generated by the other dok targets.</p>
<p>GNUisms in the GNUMakefile have been removed.</p>
<p>Change the HTTP version in static responses to 1.1</p>
<p>Synced config.sub and config.guess with upstream
2011-11-11/386c7218162c145f5f9e1ff7f558a3fbb66c37c5.</p>
<p>Add a dedicated function to parse the values of toggles.
Reduces duplicated code in load_config() and provides better
error handling. Invalid or missing toggle values are now a fatal
error instead of being silently ignored.</p>
<p>Terminate HTML lines in static error messages with \n instead
<p>Simplify cgi_error_unknown() a bit.</p>
<p>In LogPutString(), don't bother looking at pszText when not
actually logging anything.</p>
<p>Change ssplit()'s fourth parameter from int to size_t. Fixes a
<p>Add a warning that the statistics currently can't be trusted.
Mention Privoxy-Log-Parser's --statistics option as an
alternative for the time being.</p>
<p>In rfc2553_connect_to(), start setting cgi-&gt;error_message
<p>Change the expected status code returned for http://p.p/die
depending on whether or not FEATURE_GRACEFUL_TERMINATION is
<p>In cgi_die(), mark the client connection for closing. If the
client will fetch the style sheet through another connection it
gets the main thread out of the accept() state and should thus
trigger the actual shutdown.</p>
<p>Add a proper CGI message for cgi_die().</p>
<p>Don't enforce a logical line length limit in
read_config_line()</p>
<p>Slightly refactor server_last_modified() to remove useless
<p>In get_content_type(), also recognize '.jpeg' as JPEG
<p>Add '.png' to the list of recognized file extensions in
get_content_type()</p>
<p>In block_url(), consistently use the block reason "Request
blocked by Privoxy". In two places the reason was "Request for
blocked URL" which hides the fact that the request got blocked by
Privoxy and isn't necessarily correct as the block may be due to
<p>In listen_loop(), reload the configuration files after
accepting a new connection instead of before. Previously the
first connection that arrived after a configuration change would
still be handled with the old configuration.</p>
<p>In chat()'s receive-data loop, skip a client socket check if
the socket will be written to right away anyway. This can
increase the transfer speed for unfiltered content on fast
network connections.</p>
<p>The socket timeout is used for SOCKS negotiations as well
which previously couldn't time out.</p>
<p>Don't keep the client connection alive if any configuration
file changed since the time the connection came in. This is
closer to Privoxy's behaviour before keep-alive support for
client connections was added and also less confusing in
<p>Treat all Content-Type header values containing the pattern
'script' as a sign of text. Reported by pribog in #3134970.</p>
<p>Action file improvements:</p>
<p>Moved the site-specific block pattern section below the one
for the generic patterns so for requests that are matched in
both, the block reason for the domain is shown which is usually
more useful than showing the one for the generic pattern.</p>
<p>Remove -prevent-compression from the fragile alias. It's no
longer used anywhere by default and isn't known to break stuff
<p>Add a (disabled) section to block various Facebook tracking
URLs. Reported by Dan Stahlke in #3421764.</p>
<p>Add a (disabled) section to rewrite and redirect
click-tracking URLs used on news.google.com. Reported by Dan
Stahlke in #3421755.</p>
<p>Unblock linuxcounter.net/. Reported by Dan Stahlke in
<p>Block 'www91.intel.com/' which is used by Omniture. Reported
by Adam Piggott in #3167370.</p>
<p>Disable the handle-as-empty-doc-returns-ok option and mark it
as deprecated. Reminded by tceverling in #2790091.</p>
<p>Add ".ivwbox.de/" to the "Cross-site user tracking" section.
Reported by Nettozahler in #3172525.</p>
<p>Unblock and fast-redirect ".awin1.com/.*=http://". Reported by
Adam Piggott in #3170921.</p>
<p>Block "b.collective-media.net/".</p>
<p>Widen the Debian popcon exception to "qa.debian.org/popcon".
Seen in Debian's 05_default_action.dpatch by Roland
<p>Block ".gemius.pl/" which only seems to be used for user
tracking. Reported by johnd16 in #3002731. Additional input from
<p>Disable banners-by-size filters for '.thinkgeek.com/'. The
filter only seems to catch pictures of the inventory.</p>
<p>Block requests for 'go.idmnet.bbelements.com/please/showit/'.
Reported by kacperdominik in #3372959.</p>
<p>Unblock adainitiative.org/</p>
<p>Add a fast-redirects exception for
'.googleusercontent.com/.*=cache'</p>
<p>Add a fast-redirects exception for
webcache.googleusercontent.com/</p>
<p>Unblock http://adassier.wordpress.com/ and
http://adassier.files.wordpress.com/</p>
<p>Filter file improvements:</p>
<p>Let the yahoo filter hide '.ads'</p>
<p>Let the msn filter hide overlay ads for Facebook 'likes' in
search results and elements with the id 's_notf_div'. They only
seem to be used to advertise site 'enhancements'.</p>
<p>Let the js-events filter additionally disarm setInterval().
Suggested by dg1727 in #3423775.</p>
<p>Documentation improvements:</p>
<p>Clarify the effect of compiling Privoxy with zlib support.
Suggested by dg1727 in #3423782.</p>
<p>Point out that the SourceForge messaging system works like a
black hole and should thus not be used to contact individual
<p>Mention some of the problems one can experience when not
explicitly configuring an IP address as listen address.</p>
<p>Explicitly mention that hostnames can be used instead of IP
addresses for the listen-address, that only the first address
returned will be used and what happens if the address is invalid.
Requested by Calestyo in #3302213.</p>
<p>Log message improvements:</p>
<p>If only the server connection is kept alive, do not pretend to
wait for a new client request.</p>
<p>Remove a superfluous log message in forget_connection()</p>
<p>In chat(), properly report missing server responses as such
instead of calling them empty</p>
<p>In forwarded_connect(), fix a log message nobody should ever
<p>Fix a log message in socks5_connect(), a failed write
operation was logged as failed read operation</p>
<p>Let load_one_actions_file() properly complain about a missing
'{' at the beginning of the file. Simply stating that a line is
invalid isn't particularly helpful.</p>
<p>Do not claim to listen on a socket until Privoxy actually
does. Patch submitted by Petr Pisar in #3354485</p>
<p>Prevent a duplicated LOG_LEVEL_CLF message when sending out
the "no-server-data" response</p>
<p>Also log the client socket when dropping a connection.</p>
<p>Include the destination host in the 'Request ... marked for
blocking. limit-connect{...} doesn't allow CONNECT ...' message.
Patch submitted by Saperski in #3296250.</p>
<p>Prevent a duplicated log message if none of the resolved IP
addresses were reachable</p>
<p>In connect_to(), do not pretend to retry if
forwarded-connect-retries is zero or unset.</p>
<p>When a specified user or group can't be found, put the name in
single-quotes when logging it.</p>
<p>In rfc2553_connect_to(), explain getnameinfo() errors
<p>Remove a useless log message in chat()</p>
<p>When retrying to connect, also log the maximum number of
connection attempts</p>
<p>Rephrase a log message in compile_dynamic_pcrs_job_list().
Divide the error code and its meaning with a colon. Call the pcrs
job dynamic and not the filter. Filters may contain dynamic and
non-dynamic pcrs jobs at the same time. Only mention the name of
the filter or tagger, but don't claim it's a filter when it could
<p>In a fatal error message in load_one_actions_file(), cover
both URL and TAG patterns.</p>
<p>In pcrs_strerror(), properly report unknown positive error
code values as such. Previously they were handled like 0 (no
<p>In compile_dynamic_pcrs_job_list(), also log the actual error
code as pcrs_strerror() doesn't handle all errors reported by
<p>Don't bother trying to continue chatting if the client didn't
ask for it. Reduces log noise a bit.</p>
<p>Make two fatal error messages in load_one_actions_file() more
<p>In cgi_send_user_manual(), log when rejecting a file name due
<p>In load_file(), log a message if opening a file failed. The CGI
error message alone isn't too helpful.</p>
<p>In connection_destination_matches(), improve two log messages
to help understand why the destinations don't match.</p>
<p>Rephrase a log message in serve(). Client request arrival
should be differentiated from closed client connections now.</p>
<p>In serve(), log if a client connection isn't reused due to a
configuration file change.</p>
<p>Let mark_server_socket_tainted() always mark the server socket
tainted, just don't talk about it in cases where it has no
effect. It doesn't change Privoxy's behaviour, but makes
understanding the log file easier.</p>
<p>Added a --disable-ipv6-support switch for platforms where
support is detected but doesn't actually work.</p>
<p>Do not check for the existence of strerror() and memmove()
<p>Remove a useless test for setpgrp(2). Privoxy doesn't need it
and it can cause problems when cross-compiling.</p>
<p>Rename the --disable-acl-files switch to
--disable-acl-support. Since about 2001, ACL directives are
specified in the standard config file.</p>
<p>Update the URL of the 'Removing outdated PCRE version after
the next stable release' posting. The old URL stopped working
after one of SF's recent site "optimizations". Reported by Han
<p>Privoxy-Regression-Test:</p>
<p>Added --shuffle-tests option to increase the chances of
detecting race conditions.</p>
<p>Added a --local-test-file option that allows using
Privoxy-Regression-Test without Privoxy</p>
<p>Added tests for missing socks4 and socks4a forwarders</p>
<p>The --privoxy-address option now works with IPv6 addresses
containing brackets, too</p>
<p>Perform limited sanity checks for parameters that are supposed
to have numerical values.</p>
<p>Added a --sleep-time option to specify a number of seconds to
sleep between tests, defaults to 0.</p>
<p>Disable the range-requests tagger for tests that break if it's
<p>Log messages use the ISO 8601 date format %Y-%m-%d.</p>
<p>Fix spelling in two error messages.</p>
<p>In the --help output, include a list of supported tests and
their default levels.</p>
<p>Adjust the tests to properly deal with FEATURE_TOGGLE being
<p>Privoxy-Log-Parser:</p>
<p>Perform limited sanity checks for command line parameters that
are supposed to have numerical values.</p>
<p>Implement a --unbreak-lines-only option to try to revert MUA
<p>Accept and highlight: Added header: Content-Encoding:
<p>Accept and highlight: Compressed content from 29258 to 8630
<p>Accept and highlight: Client request arrived in time on socket
<p>Highlight: Didn't receive data in time: a.fsdn.com:443</p>
<p>Accept log messages with ISO 8601 time stamps, too</p>
<p>Bump generated Firefox version to 8.0</p>
<p>Only randomize the release date if the new
--randomize-release-date option is enabled. Firefox versions
after 4 use a fixed date string without meaning.</p>
<h2 class="SECT2"><a name="UPGRADERSNOTE" id="UPGRADERSNOTE">3.1. Note
to Upgraders</a></h2>
<p>A quick list of things to be aware of before upgrading from earlier
versions of <span class="APPLICATION">Privoxy</span>:</p>
<p>The recommended way to upgrade <span class=
"APPLICATION">Privoxy</span> is to backup your old configuration
files, install the new ones, verify that <span class=
"APPLICATION">Privoxy</span> is working correctly and finally merge
back your changes using <span class="APPLICATION">diff</span> and
maybe <span class="APPLICATION">patch</span>.</p>
<p>There are a number of new features in each <span class=
"APPLICATION">Privoxy</span> release and most of them have to be
explicitly enabled in the configuration files. Old configuration
files obviously don't do that and due to syntax changes using old
configuration files with a new <span class=
"APPLICATION">Privoxy</span> isn't always possible anyway.</p>
<p>Note that some installers remove earlier versions completely,
including configuration files, therefore you should really save any
important configuration files!</p>
<p>On the other hand, other installers don't overwrite existing
configuration files, thinking you will want to do that
<p><tt class="FILENAME">standard.action</tt> has been merged into
the <tt class="FILENAME">default.action</tt> file.</p>
<p>In the default configuration only fatal errors are logged now.
You can change that in the <a href="config.html#DEBUG">debug
section</a> of the configuration file. You may also want to enable
more verbose logging until you verified that the new <span class=
"APPLICATION">Privoxy</span> version is working as expected.</p>
<p>Three other config file settings are now off by default:
<a href="config.html#ENABLE-REMOTE-TOGGLE">enable-remote-toggle</a>,
"config.html#ENABLE-REMOTE-HTTP-TOGGLE">enable-remote-http-toggle</a>,
"config.html#ENABLE-EDIT-ACTIONS">enable-edit-actions</a>. If you
use or want these, you will need to explicitly enable them, and be
aware of the security issues involved.</p>