Date: Mon, 30 May 2022 19:10:27 +0000
Subject: [PATCH 10/58] update html documentation, add quickstart section
---
docs/web/tp.html.head | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/docs/web/tp.html.head b/docs/web/tp.html.head
index 6ce2b0b1..351564ce 100644
--- a/docs/web/tp.html.head
+++ b/docs/web/tp.html.head
@@ -41,25 +41,27 @@
Tinyproxy requires only a minimal POSIX environment to build and operate. It can use additional libraries to add functionality though.
-Tinyproxy allows forwarding of HTTPS connections without modifying traffic in any way through the CONNECT method (see the ConnectPort directive).
+Tinyproxy allows forwarding of HTTPS connections without modifying traffic in any way through the CONNECT method (see the ConnectPort directive, which you should disable, unless you want to restrict the users).
Tinyproxy supports being configured as a transparent proxy, so that a proxy can be used without requiring any client-side configuration. You can also use it as a reverse proxy front-end to your websites.
-Using the AddHeader directive, you can add/insert HTTP headers to outgoing traffic.
+Using the AddHeader directive, you can add/insert HTTP headers to outgoing traffic (HTTP only).
If you're looking to build a custom web proxy, Tinyproxy is easy to modify to your custom needs. The source is straightforward, adhering to the KISS principle. As such, it can be used as a foundation for anything you may need a web proxy to do.
-Tinyproxy has privacy features which can let you configure which HTTP headers should be allowed through, and which should be blocked. This allows you to restrict both what data comes to your web browser from the HTTP server (e.g., cookies), and to restrict what data is allowed through from your web browser to the HTTP server (e.g., version information).
+Tinyproxy has privacy features which can let you configure which HTTP headers should be allowed through, and which should be blocked. This allows you to restrict both what data comes to your web browser from the HTTP server (e.g., cookies), and to restrict what data is allowed through from your web browser to the HTTP server (e.g., version information). Note that these features do not affect HTTPS connections.
Using the remote monitoring facility, you can access proxy statistics from afar, letting you know exactly how busy the proxy is.
You can configure Tinyproxy to control access by only allowing requests from a certain subnet, or from a certain interface, thus ensuring that random, unauthorized people will not be using your proxy.
-With a bit of configuration (specifically, making Tinyproxy created files owned by a non-root user and running it on a port greater than 1024), Tinyproxy can be made to run without any special privileges, thus minimizing the chance of system compromise. Furthermore, it was designed with an eye towards preventing buffer overflows. The simplicity of the code ensures it remains easy to spot such bugs.
+With a bit of configuration (specifically, making Tinyproxy created files owned by a non-root user and running it on a port greater than 1024), Tinyproxy can be made to run without any special privileges, thus minimizing the chance of system compromise. In fact, it is recommended to run it as a regular/restricted user. Furthermore, it was designed with an eye towards preventing buffer overflows. The simplicity of the code ensures it remains easy to spot such bugs.
Downloads
+Note that many distributions ship horribly outdated versions of tinyproxy, therefore it is recommended to compile it from source.
+
- On Red Hat Enterprise Linux, or its derivatives such as CentOS, install Tinyproxy from the EPEL repository by running yum install tinyproxy.
- On Fedora, install Tinyproxy by running yum install tinyproxy.
@@ -70,7 +72,7 @@
- Mac OS X users can check MacPorts to see if the Tinyproxy port there is recent enough.
-If you feel that the Tinyproxy binary package in your operating system is not recent, please contact the package maintainer for that particular operating system. If this fails, you can always compile the latest stable version from source code.
+If you feel that the Tinyproxy binary package in your operating system is not recent (likely), please contact the package maintainer for that particular operating system. If this fails, you can always compile the latest stable, or even better, the latest git master version, from source code.
We distribute Tinyproxy in source code form, and it has to be compiled in order to be used on your system. Please see the INSTALL file in the source code tree for build instructions. The current stable version of Tinyproxy is available on the releases page. The Tinyproxy NEWS file contains the release notes. You can verify the tarball using its PGP signature. You can also browse the older releases of Tinyproxy.
@@ -78,5 +80,19 @@
git clone https://github.com/tinyproxy/tinyproxy.git
+
+Quickstart
+
+The quickest way to get started is using a minimal config file like the below:
+
+
+Port 8888
+Listen 127.0.0.1
+Timeout 600
+Allow 127.0.0.1
+
+
+And then simply run tinyproxy -d -c tinyproxy.conf as your current user. This starts tinyproxy in foreground mode with tinyproxy.conf as its config, while logging to stdout. Now, all programs supporting a HTTP proxy can use 127.0.0.1:8888 as a proxy. You can try it out using http_proxy=127.0.0.1:8888 curl example.com.
+
Documentation
From 121be4a74e1c917f49d54a0cd34f7e20fb58123d Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Fri, 15 Jul 2022 23:43:13 +0000
Subject: [PATCH 11/58] echo http protocol version on CONNECT request response
while at it, the function doing it was renamed from the misleading
ssl name to what it actually does.
also inlined the strings that were previously defined as macros.
addressing #152
---
src/reqs.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/src/reqs.c b/src/reqs.c
index 50aaec64..fcc0dbf2 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -301,21 +301,16 @@ establish_http_connection (struct conn_s *connptr, struct request_s *request)
}
/*
- * These two defines are for the SSL tunnelling.
+ * Send the appropriate response to the client to establish a
+ * connection via CONNECT method.
*/
-#define SSL_CONNECTION_RESPONSE "HTTP/1.0 200 Connection established"
-#define PROXY_AGENT "Proxy-agent: " PACKAGE "/" VERSION
-
-/*
- * Send the appropriate response to the client to establish a SSL
- * connection.
- */
-static int send_ssl_response (struct conn_s *connptr)
+static int send_connect_method_response (struct conn_s *connptr)
{
return write_message (connptr->client_fd,
- "%s\r\n"
- "%s\r\n"
- "\r\n", SSL_CONNECTION_RESPONSE, PROXY_AGENT);
+ "HTTP/1.%u 200 Connection established\r\n"
+ "Proxy-agent: " PACKAGE "/" VERSION "\r\n"
+ "\r\n", connptr->protocol.major != 1 ? 0 :
+ connptr->protocol.minor);
}
/*
@@ -1762,10 +1757,10 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
HC_FAIL();
}
} else {
- if (send_ssl_response (connptr) < 0) {
+ if (send_connect_method_response (connptr) < 0) {
log_message (LOG_ERR,
- "handle_connection: Could not send SSL greeting "
- "to client.");
+ "handle_connection: Could not send CONNECT"
+ " method greeting to client.");
update_stats (STAT_BADCONN);
HC_FAIL();
}
From 84f203fb1c4733608c7283bbe794005a469c4b00 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Sat, 20 Aug 2022 14:43:24 +0000
Subject: [PATCH 12/58] fix reversepath directive using https url giving
misleading error
it's not possible to use a https url in a ReversePath directive, without
removing the security provided by https, and would require adding a
dependency on a TLS library like openssl and a lot of code complexity
to fetch the requested resource via https and relay it back to the client.
in case the reversepath directive kicked in, but the protocol wasn't
recognized, and support for transparent proxying built-in, the code
wrongfully tried to turn the request into a trans request, leading
to a bogus rewritten url like http://localhost:8888https://www.endpoint.com
and an error message that we're trying to connect to the machine the
proxy runs on.
now instead use the generic code that signals an invalid protocol/url
was used.
closes #419
---
src/reqs.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/reqs.c b/src/reqs.c
index fcc0dbf2..bce69819 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -322,9 +322,11 @@ static struct request_s *process_request (struct conn_s *connptr,
{
char *url;
struct request_s *request;
- int ret;
+ int ret, skip_trans;
size_t request_len;
+ skip_trans = 0;
+
/* NULL out all the fields so frees don't cause segfaults. */
request =
(struct request_s *) safecalloc (1, sizeof (struct request_s));
@@ -397,6 +399,7 @@ static struct request_s *process_request (struct conn_s *connptr,
}
safefree (url);
url = reverse_url;
+ skip_trans = 1;
} else if (config->reverseonly) {
log_message (LOG_ERR,
"Bad request, no mapping for '%s' found",
@@ -446,11 +449,13 @@ static struct request_s *process_request (struct conn_s *connptr,
connptr->connect_method = TRUE;
} else {
#ifdef TRANSPARENT_PROXY
- if (!do_transparent_proxy
- (connptr, hashofheaders, request, config, &url)) {
- goto fail;
- }
-#else
+ if (!skip_trans) {
+ if (!do_transparent_proxy
+ (connptr, hashofheaders, request, config, &url))
+ goto fail;
+ } else
+#endif
+ {
indicate_http_error (connptr, 501, "Not Implemented",
"detail",
"Unknown method or unsupported protocol.",
@@ -458,7 +463,7 @@ static struct request_s *process_request (struct conn_s *connptr,
log_message (LOG_INFO, "Unknown method (%s) or protocol (%s)",
request->method, url);
goto fail;
-#endif
+ }
}
#ifdef FILTER_ENABLE
From 3764b8551463b900b5b4e3ec0cd9bb9182191cb7 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Thu, 8 Sep 2022 15:18:04 +0000
Subject: [PATCH 13/58] prevent junk from showing up in error page in invalid
requests
fixes #457
---
src/reqs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/reqs.c b/src/reqs.c
index bce69819..45db118d 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -343,8 +343,12 @@ static struct request_s *process_request (struct conn_s *connptr,
goto fail;
}
+ /* zero-terminate the strings so they don't contain junk in error page */
+ request->method[0] = url[0] = request->protocol[0] = 0;
+
ret = sscanf (connptr->request_line, "%[^ ] %[^ ] %[^ ]",
request->method, url, request->protocol);
+
if (ret == 2 && !strcasecmp (request->method, "GET")) {
request->protocol[0] = 0;
From 6ffd9af2c7b88a43be8865cc8e1d450643786b1d Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Wed, 1 Feb 2023 13:16:58 +0000
Subject: [PATCH 14/58] hsearch: fix potential UB (pointer arithmetics on
nullptr)
closes #471
addresses #470
---
src/hsearch.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/hsearch.c b/src/hsearch.c
index be0434c2..dfe1404a 100644
--- a/src/hsearch.c
+++ b/src/hsearch.c
@@ -80,9 +80,10 @@ static int resize(struct htab *htab, size_t nel)
{
size_t newsize;
size_t i, j;
+ size_t oldmask = htab->mask;
struct elem *e, *newe;
struct elem *oldtab = htab->elems;
- struct elem *oldend = htab->elems + htab->mask + 1;
+ struct elem *oldend;
if (nel > MAXSIZE)
nel = MAXSIZE;
@@ -95,6 +96,8 @@ static int resize(struct htab *htab, size_t nel)
htab->mask = newsize - 1;
if (!oldtab)
return 1;
+
+ oldend = oldtab + oldmask + 1;
for (e = oldtab; e < oldend; e++)
if (e->item.key) {
for (i=e->hash,j=1; ; i+=j++) {
From 470cc0863d276c339db0e84b64055523823c2587 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Wed, 1 Feb 2023 13:32:45 +0000
Subject: [PATCH 15/58] conf: fix potential crash with invalid input data
closes #474
---
src/conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf.c b/src/conf.c
index 7f94b654..257cafe3 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -427,7 +427,7 @@ static int config_parse (struct config_s *conf, FILE * f)
while(isspace(*p))p++;
if(!*p) continue;
q = p;
- while(!isspace(*q))q++;
+ while(*q && !isspace(*q))q++;
c = *q;
*q = 0;
e = config_directive_find(p, strlen(p));
From 31339cb1615765f2fbb4ec7779400535bad6da46 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Wed, 1 Feb 2023 15:46:58 +0000
Subject: [PATCH 16/58] tinyproxy.conf.5: update text for bind directive
the existing text was sort of misleading as it was written in a
pre-HTTPS era.
addressing #475
---
docs/man5/tinyproxy.conf.txt.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index 1e1ee3ef..23f72a47 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -57,7 +57,7 @@ only on one specific address.
=item B
This allows you to specify which address Tinyproxy will bind
-to for outgoing connections to web servers or upstream proxies.
+to for outgoing connections.
This parameter may be specified multiple times, then Tinyproxy
will try all the specified addresses in order.
From ef60434b392f9efe85510a1086be5ea1e24fd2a1 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Mon, 20 Mar 2023 20:35:58 +0000
Subject: [PATCH 17/58] docs: typo fix
closes #487
---
etc/tinyproxy.conf.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/tinyproxy.conf.in b/etc/tinyproxy.conf.in
index d2687093..d9598d3e 100644
--- a/etc/tinyproxy.conf.in
+++ b/etc/tinyproxy.conf.in
@@ -3,7 +3,7 @@
##
## This example tinyproxy.conf file contains example settings
## with explanations in comments. For decriptions of all
-## parameters, see the tinproxy.conf(5) manual page.
+## parameters, see the tinyproxy.conf(5) manual page.
##
#
From 2bec15ee40dd26920e4f275acd3a7c84a1b6012c Mon Sep 17 00:00:00 2001
From: Mario-Klebsch <62026480+Mario-Klebsch@users.noreply.github.com>
Date: Tue, 23 May 2023 15:04:48 +0200
Subject: [PATCH 18/58] Allow configuring IPv6 address for upstream proxy
(#492)
* Added support to configure IPv6 upstream proxy servers using bracket syntax.
* Added regular expression for IPv6 scope identifier to re for IPv6 address.
---
src/conf.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/src/conf.c b/src/conf.c
index 257cafe3..002d2ff9 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -66,9 +66,10 @@
#define PASSWORD "([^@]*)"
#define IP "((([0-9]{1,3})\\.){3}[0-9]{1,3})"
#define IPMASK "(" IP "(/" DIGIT "+)?)"
+#define IPV6SCOPE "((%[^ \t\\/]{1,16})?)"
#define IPV6 "(" \
- "(([0-9a-f:]{2,39}))|" \
- "(([0-9a-f:]{0,29}:" IP "))" \
+ "([0-9a-f:]{2,39})" IPV6SCOPE "|" \
+ "([0-9a-f:]{0,29}:" IP ")" IPV6SCOPE \
")"
#define IPV6MASK "(" IPV6 "(/" DIGIT "+)?)"
@@ -80,7 +81,7 @@
* number. Given the usual structure of the configuration file, sixteen
* substring matches should be plenty.
*/
-#define RE_MAX_MATCHES 24
+#define RE_MAX_MATCHES 33
#define CP_WARN(FMT, ...) \
log_message (LOG_WARNING, "line %lu: " FMT, lineno, __VA_ARGS__)
@@ -249,7 +250,7 @@ struct {
"(" "(none)" WS STR ")|" \
"(" "(http|socks4|socks5)" WS \
"(" USERNAME /*username*/ ":" PASSWORD /*password*/ "@" ")?"
- "(" IP "|" ALNUM ")"
+ "(" IP "|" "\\[(" IPV6 ")\\]" "|" ALNUM ")"
":" INT "(" WS STR ")?" ")", handle_upstream),
#endif
/* loglevel */
@@ -1114,10 +1115,13 @@ static HANDLE_FUNC (handle_upstream)
pass = get_string_arg (line, &match[mi]);
mi++;
- ip = get_string_arg (line, &match[mi]);
+ if (match[mi+4].rm_so != -1) /* IPv6 address in square brackets */
+ ip = get_string_arg (line, &match[mi+4]);
+ else
+ ip = get_string_arg (line, &match[mi]);
if (!ip)
return -1;
- mi += 5;
+ mi += 16;
port = (int) get_long_arg (line, &match[mi]);
mi += 3;
From 1e615e66a9944d3169f5cbba62a85c125693b7cf Mon Sep 17 00:00:00 2001
From: ivanwick
Date: Wed, 24 May 2023 07:06:15 -0700
Subject: [PATCH 19/58] tinyproxy.conf.5: document config strings that require
double quotes (#493)
* tinyproxy.conf.5: document config strings that require double quotes
String config values matched by the STR regex must be enclosed in double
quotes
Edit descriptions for brevity
conf.c: move boolean arguments comment before BOOL group
addresses #491
* Revert conf.c: move boolean arguments comment before BOOL group
---
docs/man5/tinyproxy.conf.txt.in | 47 +++++++++++++++++----------------
1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index 23f72a47..28f4ab9f 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -22,8 +22,8 @@ configuration file.
The Tinyproxy configuration file contains key-value pairs, one per
line. Lines starting with `#` and empty lines are comments and are
ignored. Keywords are case-insensitive, whereas values are
-case-sensitive. Values may be enclosed in double-quotes (") if they
-contain spaces.
+case-sensitive. Some string values must be enclosed in double
+quotes (") as noted below.
The possible keywords and their descriptions are as follows:
@@ -76,29 +76,29 @@ allowed to have before it is closed by Tinyproxy.
This parameter controls which HTML file Tinyproxy returns when a
given HTTP error occurs. It takes two arguments, the error number
-and the location of the HTML error file.
+and the location of the HTML error file. Enclose the file location
+in double quotes.
=item B
-This parameter controls the HTML template file returned when an
-error occurs for which no specific error file has been set.
+The HTML template file returned when an error occurs for which no
+specific error file has been set. Enclose in double quotes.
=item B
-This configures the host name or IP address that is treated
-as the `stat host`: Whenever a request for this host is received,
-Tinyproxy will return an internal statistics page instead of
-forwarding the request to that host. The template for this
-page can be configured with the `StatFile` configuration option.
-The default value of `StatHost` is `@TINYPROXY_STATHOST@`.
+The host name or IP address that is treated as the `stat host`.
+Enclose in double quotes. Whenever Tinyproxy receives a request for
+the `stat host` it returns an internal statistics page instead of
+forwarding the request to that host. The template for this page can be
+configured with the `StatFile` configuration option. The default value
+of `StatHost` is `@TINYPROXY_STATHOST@`.
=item B
-This configures the HTML file that Tinyproxy sends when
-a request for the stathost is received. If this parameter is
-not set, Tinyproxy returns a hard-coded basic statistics page.
-See the STATHOST section in the L manual page
-for details.
+The HTML file that Tinyproxy sends in response to a request for the
+`stat host`. Enclose in double quotes. If this parameter is not set,
+Tinyproxy returns a hard-coded basic statistics page. See the STATHOST
+section in the L manual page for details.
Note that the StatFile and the error files configured with ErrorFile
and DefaultErrorFile are template files that can contain a few
@@ -109,9 +109,9 @@ manual page contains a description of all template variables.
=item B
-This controls the location of the file to which Tinyproxy
-writes its debug output. Alternatively, Tinyproxy can log
-to syslog -- see the Syslog option.
+The location of the file to which Tinyproxy writes its debug output.
+Enclose in double quotes. Alternatively, Tinyproxy can log to syslog
+-- see the Syslog option.
=item B
@@ -144,8 +144,8 @@ and below would be suppressed. Allowed values are:
=item B
-This option controls the location of the file where the main
-Tinyproxy process stores its process ID for signaling purposes.
+The location of the file where the main Tinyproxy process stores its
+process ID for signaling purposes. Enclose in double quotes.
=item B
@@ -250,7 +250,8 @@ RFC 2616 requires proxies to add a `Via` header to the HTTP
requests, but using the real host name can be a security
concern. If the `ViaProxyname` option is present, then its
string value will be used as the host name in the Via header.
-Otherwise, the server's host name will be used.
+Otherwise, the server's host name will be used. Enclose in double
+quotes.
=item B
@@ -344,7 +345,7 @@ If an `Anonymous` keyword is present, then anonymous proxying
is enabled. The headers listed with `Anonymous` are allowed
through, while all others are denied. If no Anonymous keyword
is present, then all headers are allowed through. You must
-include quotes around the headers.
+include double quotes around the headers.
Most sites require cookies to be enabled for them to work correctly, so
you will need to allow cookies through if you access those sites.
From d7c20e663f3f85238665fed52b0bb35bcc3fc942 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Thu, 25 May 2023 19:42:02 +0000
Subject: [PATCH 20/58] tinyproxy.conf.5: document syntax for upstream IPv6
addresses
follow-up to 2bec15ee40dd26920e4f275acd3a7c84a1b6012c
---
docs/man5/tinyproxy.conf.txt.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index 28f4ab9f..ed137e2b 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -179,6 +179,10 @@ connection is done directly.
=back
+It's recommended to use raw IP addresses to specify the upstream host, so
+no costly DNS lookup has to be done everytime it is used.
+IPv6 addresses need to be enclosed in square brackets.
+
The site can be specified in various forms as a hostname, domain
name or as an IP range:
From 2935519eb7f0d1d740fc1c89a3dc2279c9c80208 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Wed, 7 Jun 2023 18:57:05 +0000
Subject: [PATCH 21/58] fix omission to reset socklen parameter for accept()
since accept() uses the socklen parameter as in/out, after processing
an IPv4 the socklen fed to it waiting for the next client was only
the length of sockaddr_in, so if a connection from an IPv6 came in
the client sockaddr was only partially filled in.
this caused wrongly printed ipv6 addresses in log, and failure to
match them correctly against the acl.
closes #495
---
src/child.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/child.c b/src/child.c
index 985357da..8bae89b2 100644
--- a/src/child.c
+++ b/src/child.c
@@ -81,7 +81,7 @@ void child_main_loop (void)
int connfd;
union sockaddr_union cliaddr_storage;
struct sockaddr *cliaddr = (void*) &cliaddr_storage;
- socklen_t clilen = sizeof(cliaddr_storage);
+ socklen_t clilen;
int nfds = sblist_getsize(listen_fds);
pollfd_struct *fds = safecalloc(nfds, sizeof *fds);
ssize_t i;
@@ -167,6 +167,7 @@ void child_main_loop (void)
* Continue handling this connection.
*/
+ clilen = sizeof(cliaddr_storage);
connfd = accept (listenfd, cliaddr, &clilen);
From 1289d8afc8b50fb95cbfee37d3d394e119fe4832 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Fri, 13 Oct 2023 19:54:26 +0000
Subject: [PATCH 22/58] conf: use case-independent match for Filtertype
parameter
---
src/conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf.c b/src/conf.c
index 002d2ff9..01162e67 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -1009,7 +1009,7 @@ static HANDLE_FUNC (handle_filtertype)
if (!type) return -1;
for(i=0;ifilter_opts |= ftmap[i].flag;
safefree (type);
From c83407396852e2300940c9b3da4d57841e256ede Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Sun, 15 Oct 2023 10:50:48 +0000
Subject: [PATCH 23/58] fix CI by running apt update
---
.github/workflows/main.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 43541078..f077b192 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -27,8 +27,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- - name: install valgrind
- run: sudo apt-get install --assume-yes valgrind
+ - run: sudo apt update
+ - run: sudo apt install --assume-yes valgrind
- run: ./autogen.sh
- run: ./configure --enable-debug --enable-transparent --enable-reverse
- run: make
From 84285b640de76508e4deddbc6cbad751628769ae Mon Sep 17 00:00:00 2001
From: Victor Kislov
Date: Thu, 2 Nov 2023 21:24:42 +0200
Subject: [PATCH 24/58] BasicAuth: Accept special chars in username and
password (#516)
Co-authored-by: Victor Kislov
---
src/conf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/conf.c b/src/conf.c
index 01162e67..4b5f33a8 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -225,7 +225,7 @@ struct {
handle_deny),
STDCONF (bind, "(" IP "|" IPV6 ")", handle_bind),
/* other */
- STDCONF (basicauth, ALNUM WS ALNUM, handle_basicauth),
+ STDCONF (basicauth, USERNAME WS PASSWORD, handle_basicauth),
STDCONF (errorfile, INT WS STR, handle_errorfile),
STDCONF (addheader, STR WS STR, handle_addheader),
From c4df45b7e416dc1a26bb4e4511e1e7de08fd49af Mon Sep 17 00:00:00 2001
From: strongleong
Date: Tue, 7 Nov 2023 13:55:01 +1100
Subject: [PATCH 25/58] BasicAuth: Added logging for failed login attemps
closes #514
---
src/reqs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/reqs.c b/src/reqs.c
index 45db118d..58c97a88 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -1688,6 +1688,10 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
if(failure) {
e401:
update_stats (STAT_DENIED);
+ log_message (LOG_INFO,
+ "Failed auth attempt (file descriptor: %d), ip %s",
+ connptr->client_fd,
+ connptr->client_ip_addr);
indicate_http_error (connptr, 401, "Unauthorized",
"detail",
"The administrator of this proxy has not configured "
From 92289d5a4c1bc53fa19fcf4dcc06e3e633134edb Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Wed, 1 May 2024 23:48:37 +0000
Subject: [PATCH 26/58] main: print filename of config file used on (re)load
---
src/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main.c b/src/main.c
index 7ea55408..268255f1 100644
--- a/src/main.c
+++ b/src/main.c
@@ -257,7 +257,7 @@ int reload_config (int reload_logging)
int ret, ret2;
struct config_s *c_next = get_next_config();
- log_message (LOG_NOTICE, "Reloading config file");
+ log_message (LOG_NOTICE, "Reloading config file (%s)", config_file);
if (reload_logging) shutdown_logging ();
From 12a8484265f7b00591293da492bb3c9987001956 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Sun, 5 May 2024 10:37:29 +0000
Subject: [PATCH 27/58] fix potential UAF in header handling (CVE-2023-49606)
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889
this bug was brought to my attention today by the debian tinyproxy
package maintainer. the above link states that the issue was known
since last year and that maintainers have been contacted, but if
that is even true then it probably was done via a private email
to a potentially outdated email address of one of the maintainers,
not through the channels described clearly on the tinyproxy homepage:
> Feel free to report a new bug or suggest features via github issues.
> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.
no github issue was filed, and nobody mentioned a vulnerability on
the mentioned IRC chat. if the issue had been reported on github or
IRC, the bug would have been fixed within a day.
---
src/reqs.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/reqs.c b/src/reqs.c
index 58c97a88..a65ed54d 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
char *data;
char *ptr;
ssize_t len;
- int i;
+ int i,j,df;
for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
/* Look for the connection header. If it's not found, return. */
@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
*/
ptr = data;
while (ptr < data + len) {
- orderedmap_remove (hashofheaders, ptr);
+ df = 0;
+ /* check that ptr isn't one of headers to prevent
+ double-free (CVE-2023-49606) */
+ for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
+ if(!strcasecmp(ptr, headers[j])) df = 1;
+ if (!df) orderedmap_remove (hashofheaders, ptr);
/* Advance ptr to the next token */
ptr += strlen (ptr) + 1;
From e69788b761dd6dad99facebe094a86009a0c1fe1 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Sun, 5 May 2024 20:56:17 +0200
Subject: [PATCH 28/58] Add SECURITY.md
given the catastrophic way TALOS Intelligence "communicated" with upstream
(i.e. by probably sending a single mail to an unused email address),
it's probably best to explicitly document how to approach upstream
when a security issue is discovered.
---
SECURITY.md | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..93ef8148
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,28 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| --------- | ------------------ |
+| 1.11.x | :white_check_mark: |
+| <= 1.10.x | :x: |
+
+## Reporting a Vulnerability
+
+Open a public issue on github. The issue will most likely be fixed
+within a day, unless all maintainers happen to just be taking a
+vacation at the same time, which is unlikely.
+
+Even then, having the bug publicly known will allow competent people
+to come up with custom patches for distros, most likely quicker
+than black hats can craft a remote execution exploit.
+
+If you really really do not want to make the issue public, come
+to the tinyproxy IRC channel and ask for a maintainer, which you
+can then contact via private messages.
+
+Do not, however, like ["TALOS Intelligence"](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889)
+pull a random email address out of git log, then send an email
+nobody reads or responds to, and wait for 6 months for publication.
+this only gives black hats plenty time to sell, use and circulate
+zero days and get the best possible ROI.
From dd49e975a04a66c2a32e6d2fc7cd7ddf0cb9fe33 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Wed, 8 May 2024 18:22:52 +0000
Subject: [PATCH 29/58] release 1.11.2
---
VERSION | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 720c7384..ca717669 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.11.1
+1.11.2
From 942d0c6b03673ad816c42176422d7fe691143064 Mon Sep 17 00:00:00 2001
From: Mohamed Akram
Date: Sun, 2 Jun 2024 18:52:59 +0400
Subject: [PATCH 30/58] Use appropriate installation path variables
---
configure.ac | 4 +++-
docs/man8/Makefile.am | 11 +++++++++++
docs/man8/tinyproxy.txt.in | 6 +++++-
etc/Makefile.am | 1 +
etc/tinyproxy.conf.in | 5 +----
5 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index 51bbd5d8..37e7d276 100644
--- a/configure.ac
+++ b/configure.ac
@@ -173,6 +173,9 @@ fi
dnl
dnl Substitute the variables into the various Makefiles
dnl
+# runstatedir isn't available for Autoconf < 2.70
+AS_IF([test -z "${runstatedir}"], [runstatedir='${localstatedir}/run'])
+AC_SUBST([runstatedir])
AC_SUBST(CFLAGS)
AC_SUBST(LDFLAGS)
AC_SUBST(CPPFLAGS)
@@ -220,7 +223,6 @@ docs/Makefile
docs/man5/Makefile
docs/man5/tinyproxy.conf.txt
docs/man8/Makefile
-docs/man8/tinyproxy.txt
m4macros/Makefile
tests/Makefile
tests/scripts/Makefile
diff --git a/docs/man8/Makefile.am b/docs/man8/Makefile.am
index d2d7e19b..17281cd3 100644
--- a/docs/man8/Makefile.am
+++ b/docs/man8/Makefile.am
@@ -9,6 +9,17 @@ M_NAME=TINYPROXY
man_MANS = \
$(MAN8_FILES:.txt=.8)
+edit = sed \
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
+ -e 's|@runstatedir[@]|$(runstatedir)|g' \
+ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \
+ -e 's|@TINYPROXY_STATHOST[@]|$(TINYPROXY_STATHOST)|g'
+
+tinyproxy.txt: $(top_srcdir)/docs/man8/tinyproxy.txt.in Makefile
+ @rm -f $@ $@.tmp
+ $(AM_V_GEN) $(edit) $(top_srcdir)/docs/man8/$@.in > $@.tmp
+ @mv $@.tmp $@
+
.txt.8:
if HAVE_POD2MAN
$(AM_V_GEN) $(POD2MAN) --center="Tinyproxy manual" \
diff --git a/docs/man8/tinyproxy.txt.in b/docs/man8/tinyproxy.txt.in
index 7fa420f6..9cf2d426 100644
--- a/docs/man8/tinyproxy.txt.in
+++ b/docs/man8/tinyproxy.txt.in
@@ -156,7 +156,11 @@ configuration variable `StatFile`.
=head1 FILES
-`/etc/tinyproxy/tinyproxy.conf`, `/var/run/tinyproxy/tinyproxy.pid`, `/var/log/tinyproxy/tinyproxy.log`
+F<@sysconfdir@/tinyproxy/tinyproxy.conf>
+
+F<@runstatedir@/tinyproxy/tinyproxy.pid>
+
+F<@localstatedir@/log/tinyproxy/tinyproxy.log>
=head1 BUGS
diff --git a/etc/Makefile.am b/etc/Makefile.am
index 57a5c010..045baac3 100644
--- a/etc/Makefile.am
+++ b/etc/Makefile.am
@@ -12,6 +12,7 @@ edit = sed \
-e 's|@datarootdir[@]|$(datarootdir)|g' \
-e 's|@pkgsysconfdir[@]|$(pkgsysconfdir)|g' \
-e 's|@localstatedir[@]|$(localstatedir)|g' \
+ -e 's|@runstatedir[@]|$(runstatedir)|g' \
-e 's|@pkgdatadir[@]|$(pkgdatadir)|g' \
-e 's|@prefix[@]|$(prefix)|g' \
-e 's|@TINYPROXY_STATHOST[@]|$(TINYPROXY_STATHOST)|g'
diff --git a/etc/tinyproxy.conf.in b/etc/tinyproxy.conf.in
index d9598d3e..af91d039 100644
--- a/etc/tinyproxy.conf.in
+++ b/etc/tinyproxy.conf.in
@@ -124,7 +124,7 @@ LogLevel Info
# can be used for signalling purposes.
# If not specified, no pidfile will be written.
#
-#PidFile "@localstatedir@/run/tinyproxy/tinyproxy.pid"
+#PidFile "@runstatedir@/tinyproxy/tinyproxy.pid"
#
# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
@@ -320,6 +320,3 @@ ViaProxyName "tinyproxy"
# If not set then no rewriting occurs.
#
#ReverseBaseURL "http://localhost:8888/"
-
-
-
From 72b93f6d4b598a1f809f4e5ff383757c52fa9765 Mon Sep 17 00:00:00 2001
From: rofl0r
Date: Sun, 16 Jun 2024 12:02:26 +0000
Subject: [PATCH 31/58] CI: update release workflow to non-deprecated actions
github continues to deprecate actions and idioms in their CI system.
hopefully these changes will last for a while and maintaining a simple
CI task doesn't turn into a neverending story.
---
.github/workflows/release_tarball.yml | 41 +++++++--------------------
1 file changed, 10 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/release_tarball.yml b/.github/workflows/release_tarball.yml
index 99ef49e0..7999f179 100644
--- a/.github/workflows/release_tarball.yml
+++ b/.github/workflows/release_tarball.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
with:
submodules: recursive
@@ -26,36 +26,15 @@ jobs:
PKGNAME="tinyproxy-$VERSION"
./configure
make dist
- echo "::set-output name=tarball_xz::${PKGNAME}.tar.xz"
- echo "::set-output name=tarball_gz::${PKGNAME}.tar.gz"
- echo "::set-output name=tarball_bz2::${PKGNAME}.tar.bz2"
+ echo "tarball_xz=${PKGNAME}.tar.xz" >> "$GITHUB_OUTPUT"
+ echo "tarball_gz=${PKGNAME}.tar.gz" >> "$GITHUB_OUTPUT"
+ echo "tarball_bz2=${PKGNAME}.tar.bz2" >> "$GITHUB_OUTPUT"
- - name: upload tarball_xz
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: upload tarballs
+ uses: softprops/action-gh-release@v2
with:
- upload_url: ${{ github.event.release.upload_url }}
- asset_path: ./${{ steps.archive.outputs.tarball_xz }}
- asset_name: ${{ steps.archive.outputs.tarball_xz }}
- asset_content_type: application/x-xz
+ files: |
+ ${{ steps.archive.outputs.tarball_xz }}
+ ${{ steps.archive.outputs.tarball_gz }}
+ ${{ steps.archive.outputs.tarball_bz2 }}
- - name: upload tarball_gz
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ github.event.release.upload_url }}
- asset_path: ./${{ steps.archive.outputs.tarball_gz }}
- asset_name: ${{ steps.archive.outputs.tarball_gz }}
- asset_content_type: application/x-gzip
-
- - name: upload tarball_bz2
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ github.event.release.upload_url }}
- asset_path: ./${{ steps.archive.outputs.tarball_bz2 }}
- asset_name: ${{ steps.archive.outputs.tarball_bz2 }}
- asset_content_type: application/x-bzip2
From d652ed85386675c4f59b5b511cb059a084d18f6d Mon Sep 17 00:00:00 2001
From: James McKinney <26463+jpmckinney@users.noreply.github.com>
Date: Thu, 20 Jun 2024 04:51:29 -0400
Subject: [PATCH 32/58] Omit the version number from headers and HTML responses
(#543)
Omit the version number from headers, HTML responses, and templates
---
data/templates/debug.html | 5 +----
data/templates/default.html | 2 +-
data/templates/stats.html | 4 ++--
src/html-error.c | 8 ++++----
src/reqs.c | 11 +++++------
src/stats.c | 10 +++++-----
src/utils.c | 2 +-
tests/scripts/webclient.pl | 3 +--
tests/scripts/webserver.pl | 3 +--
9 files changed, 21 insertions(+), 27 deletions(-)
diff --git a/data/templates/debug.html b/data/templates/debug.html
index 6ee33674..0e7f0549 100644
--- a/data/templates/debug.html
+++ b/data/templates/debug.html
@@ -30,9 +30,6 @@ {cause}
clienthost
{clienthost}
- version
- {version}
-
package
{package}
@@ -49,7 +46,7 @@ {cause}
-Generated by {package} version {version}.
+Generated by {package}.
diff --git a/data/templates/default.html b/data/templates/default.html
index 67354b7a..8a9c8f6c 100644
--- a/data/templates/default.html
+++ b/data/templates/default.html
@@ -16,7 +16,7 @@ {cause}
-Generated by {package} version {version}.
+Generated by {package}.