From 1289d8afc8b50fb95cbfee37d3d394e119fe4832 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Fri, 13 Oct 2023 19:54:26 +0000
Subject: [PATCH 01/37] conf: use case-independent match for Filtertype
 parameter

---
 src/conf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conf.c b/src/conf.c
index 002d2ff9..01162e67 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -1009,7 +1009,7 @@ static HANDLE_FUNC (handle_filtertype)
         if (!type) return -1;
 
         for(i=0;i<sizeof(ftmap)/sizeof(ftmap[0]);++i)
-                if(!strcmp(ftmap[i].type, type))
+                if(!strcasecmp(ftmap[i].type, type))
                         conf->filter_opts |= ftmap[i].flag;
 
         safefree (type);

From c83407396852e2300940c9b3da4d57841e256ede Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sun, 15 Oct 2023 10:50:48 +0000
Subject: [PATCH 02/37] fix CI by running apt update

---
 .github/workflows/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 43541078..f077b192 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -27,8 +27,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - name: install valgrind
-      run: sudo apt-get install --assume-yes valgrind
+    - run: sudo apt update
+    - run: sudo apt install --assume-yes valgrind
     - run: ./autogen.sh
     - run: ./configure --enable-debug --enable-transparent --enable-reverse
     - run: make

From 84285b640de76508e4deddbc6cbad751628769ae Mon Sep 17 00:00:00 2001
From: Victor Kislov <vityan888@gmail.com>
Date: Thu, 2 Nov 2023 21:24:42 +0200
Subject: [PATCH 03/37] BasicAuth: Accept special chars in username and
 password (#516)

Co-authored-by: Victor Kislov <victork@primis.tech>
---
 src/conf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conf.c b/src/conf.c
index 01162e67..4b5f33a8 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -225,7 +225,7 @@ struct {
                  handle_deny),
         STDCONF (bind, "(" IP "|" IPV6 ")", handle_bind),
         /* other */
-        STDCONF (basicauth, ALNUM WS ALNUM, handle_basicauth),
+        STDCONF (basicauth, USERNAME WS PASSWORD, handle_basicauth),
         STDCONF (errorfile, INT WS STR, handle_errorfile),
         STDCONF (addheader,  STR WS STR, handle_addheader),
 

From c4df45b7e416dc1a26bb4e4511e1e7de08fd49af Mon Sep 17 00:00:00 2001
From: strongleong <nikita_chul@mail.ru>
Date: Tue, 7 Nov 2023 13:55:01 +1100
Subject: [PATCH 04/37] BasicAuth: Added logging for failed login attemps

closes #514
---
 src/reqs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/reqs.c b/src/reqs.c
index 45db118d..58c97a88 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -1688,6 +1688,10 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
                 if(failure) {
 e401:
                         update_stats (STAT_DENIED);
+                        log_message (LOG_INFO,
+                                     "Failed auth attempt (file descriptor: %d), ip %s",
+                                     connptr->client_fd,
+                                     connptr->client_ip_addr);
                         indicate_http_error (connptr, 401, "Unauthorized",
                                              "detail",
                                              "The administrator of this proxy has not configured "

From 92289d5a4c1bc53fa19fcf4dcc06e3e633134edb Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Wed, 1 May 2024 23:48:37 +0000
Subject: [PATCH 05/37] main: print filename of config file used on (re)load

---
 src/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.c b/src/main.c
index 7ea55408..268255f1 100644
--- a/src/main.c
+++ b/src/main.c
@@ -257,7 +257,7 @@ int reload_config (int reload_logging)
         int ret, ret2;
         struct config_s *c_next = get_next_config();
 
-        log_message (LOG_NOTICE, "Reloading config file");
+        log_message (LOG_NOTICE, "Reloading config file (%s)", config_file);
 
         if (reload_logging) shutdown_logging ();
 

From 12a8484265f7b00591293da492bb3c9987001956 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sun, 5 May 2024 10:37:29 +0000
Subject: [PATCH 06/37] fix potential UAF in header handling (CVE-2023-49606)

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

this bug was brought to my attention today by the debian tinyproxy
package maintainer. the above link states that the issue was known
since last year and that maintainers have been contacted, but if
that is even true then it probably was done via a private email
to a potentially outdated email address of one of the maintainers,
not through the channels described clearly on the tinyproxy homepage:

> Feel free to report a new bug or suggest features via github issues.
> Tinyproxy developers hang out in #tinyproxy on irc.libera.chat.

no github issue was filed, and nobody mentioned a vulnerability on
the mentioned IRC chat. if the issue had been reported on github or
IRC, the bug would have been fixed within a day.
---
 src/reqs.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/reqs.c b/src/reqs.c
index 58c97a88..a65ed54d 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -779,7 +779,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
         char *data;
         char *ptr;
         ssize_t len;
-        int i;
+        int i,j,df;
 
         for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
                 /* Look for the connection header.  If it's not found, return. */
@@ -804,7 +804,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
                  */
                 ptr = data;
                 while (ptr < data + len) {
-                        orderedmap_remove (hashofheaders, ptr);
+                        df = 0;
+                        /* check that ptr isn't one of headers to prevent
+                           double-free (CVE-2023-49606) */
+                        for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
+                                if(!strcasecmp(ptr, headers[j])) df = 1;
+                        if (!df) orderedmap_remove (hashofheaders, ptr);
 
                         /* Advance ptr to the next token */
                         ptr += strlen (ptr) + 1;

From e69788b761dd6dad99facebe094a86009a0c1fe1 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sun, 5 May 2024 20:56:17 +0200
Subject: [PATCH 07/37] Add SECURITY.md

given the catastrophic way TALOS Intelligence "communicated" with upstream
(i.e. by probably sending a single mail to an unused email address),
it's probably best to explicitly document how to approach upstream
when a security issue is discovered.
---
 SECURITY.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..93ef8148
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,28 @@
+# Security Policy
+
+## Supported Versions
+
+| Version   | Supported          |
+| --------- | ------------------ |
+| 1.11.x    | :white_check_mark: |
+| <= 1.10.x | :x:                |
+
+## Reporting a Vulnerability
+
+Open a public issue on github. The issue will most likely be fixed
+within a day, unless all maintainers happen to just be taking a
+vacation at the same time, which is unlikely.
+
+Even then, having the bug publicly known will allow competent people
+to come up with custom patches for distros, most likely quicker
+than black hats can craft a remote execution exploit.
+
+If you really really do not want to make the issue public, come
+to the tinyproxy IRC channel and ask for a maintainer, which you
+can then contact via private messages.
+
+Do not, however, like ["TALOS Intelligence"](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889)
+pull a random email address out of git log, then send an email
+nobody reads or responds to, and wait for 6 months for publication.
+this only gives black hats plenty time to sell, use and circulate
+zero days and get the best possible ROI.

From dd49e975a04a66c2a32e6d2fc7cd7ddf0cb9fe33 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Wed, 8 May 2024 18:22:52 +0000
Subject: [PATCH 08/37] release 1.11.2

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index 720c7384..ca717669 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.11.1
+1.11.2

From 942d0c6b03673ad816c42176422d7fe691143064 Mon Sep 17 00:00:00 2001
From: Mohamed Akram <mohd.akram@outlook.com>
Date: Sun, 2 Jun 2024 18:52:59 +0400
Subject: [PATCH 09/37] Use appropriate installation path variables

---
 configure.ac               |  4 +++-
 docs/man8/Makefile.am      | 11 +++++++++++
 docs/man8/tinyproxy.txt.in |  6 +++++-
 etc/Makefile.am            |  1 +
 etc/tinyproxy.conf.in      |  5 +----
 5 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index 51bbd5d8..37e7d276 100644
--- a/configure.ac
+++ b/configure.ac
@@ -173,6 +173,9 @@ fi
 dnl
 dnl Substitute the variables into the various Makefiles
 dnl
+# runstatedir isn't available for Autoconf < 2.70
+AS_IF([test -z "${runstatedir}"], [runstatedir='${localstatedir}/run'])
+AC_SUBST([runstatedir])
 AC_SUBST(CFLAGS)
 AC_SUBST(LDFLAGS)
 AC_SUBST(CPPFLAGS)
@@ -220,7 +223,6 @@ docs/Makefile
 docs/man5/Makefile
 docs/man5/tinyproxy.conf.txt
 docs/man8/Makefile
-docs/man8/tinyproxy.txt
 m4macros/Makefile
 tests/Makefile
 tests/scripts/Makefile
diff --git a/docs/man8/Makefile.am b/docs/man8/Makefile.am
index d2d7e19b..17281cd3 100644
--- a/docs/man8/Makefile.am
+++ b/docs/man8/Makefile.am
@@ -9,6 +9,17 @@ M_NAME=TINYPROXY
 man_MANS = \
 	$(MAN8_FILES:.txt=.8)
 
+edit = sed \
+	-e 's|@localstatedir[@]|$(localstatedir)|g' \
+	-e 's|@runstatedir[@]|$(runstatedir)|g' \
+	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
+	-e 's|@TINYPROXY_STATHOST[@]|$(TINYPROXY_STATHOST)|g'
+
+tinyproxy.txt: $(top_srcdir)/docs/man8/tinyproxy.txt.in Makefile
+	@rm -f $@ $@.tmp
+	$(AM_V_GEN) $(edit) $(top_srcdir)/docs/man8/$@.in > $@.tmp
+	@mv $@.tmp $@
+
 .txt.8:
 if HAVE_POD2MAN
 	$(AM_V_GEN) $(POD2MAN) --center="Tinyproxy manual" \
diff --git a/docs/man8/tinyproxy.txt.in b/docs/man8/tinyproxy.txt.in
index 7fa420f6..9cf2d426 100644
--- a/docs/man8/tinyproxy.txt.in
+++ b/docs/man8/tinyproxy.txt.in
@@ -156,7 +156,11 @@ configuration variable `StatFile`.
 
 =head1 FILES
 
-`/etc/tinyproxy/tinyproxy.conf`, `/var/run/tinyproxy/tinyproxy.pid`, `/var/log/tinyproxy/tinyproxy.log`
+F<@sysconfdir@/tinyproxy/tinyproxy.conf>
+
+F<@runstatedir@/tinyproxy/tinyproxy.pid>
+
+F<@localstatedir@/log/tinyproxy/tinyproxy.log>
 
 =head1 BUGS
 
diff --git a/etc/Makefile.am b/etc/Makefile.am
index 57a5c010..045baac3 100644
--- a/etc/Makefile.am
+++ b/etc/Makefile.am
@@ -12,6 +12,7 @@ edit = sed \
 	-e 's|@datarootdir[@]|$(datarootdir)|g' \
 	-e 's|@pkgsysconfdir[@]|$(pkgsysconfdir)|g' \
 	-e 's|@localstatedir[@]|$(localstatedir)|g' \
+	-e 's|@runstatedir[@]|$(runstatedir)|g' \
 	-e 's|@pkgdatadir[@]|$(pkgdatadir)|g' \
 	-e 's|@prefix[@]|$(prefix)|g' \
 	-e 's|@TINYPROXY_STATHOST[@]|$(TINYPROXY_STATHOST)|g'
diff --git a/etc/tinyproxy.conf.in b/etc/tinyproxy.conf.in
index d9598d3e..af91d039 100644
--- a/etc/tinyproxy.conf.in
+++ b/etc/tinyproxy.conf.in
@@ -124,7 +124,7 @@ LogLevel Info
 # can be used for signalling purposes.
 # If not specified, no pidfile will be written.
 #
-#PidFile "@localstatedir@/run/tinyproxy/tinyproxy.pid"
+#PidFile "@runstatedir@/tinyproxy/tinyproxy.pid"
 
 #
 # XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
@@ -320,6 +320,3 @@ ViaProxyName "tinyproxy"
 # If not set then no rewriting occurs.
 #
 #ReverseBaseURL "http://localhost:8888/"
-
-
-

From 72b93f6d4b598a1f809f4e5ff383757c52fa9765 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sun, 16 Jun 2024 12:02:26 +0000
Subject: [PATCH 10/37] CI: update release workflow to non-deprecated actions

github continues to deprecate actions and idioms in their CI system.
hopefully these changes will last for a while and maintaining a simple
CI task doesn't turn into a neverending story.
---
 .github/workflows/release_tarball.yml | 41 +++++++--------------------
 1 file changed, 10 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/release_tarball.yml b/.github/workflows/release_tarball.yml
index 99ef49e0..7999f179 100644
--- a/.github/workflows/release_tarball.yml
+++ b/.github/workflows/release_tarball.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         submodules: recursive
 
@@ -26,36 +26,15 @@ jobs:
         PKGNAME="tinyproxy-$VERSION"
         ./configure
         make dist
-        echo "::set-output name=tarball_xz::${PKGNAME}.tar.xz"
-        echo "::set-output name=tarball_gz::${PKGNAME}.tar.gz"
-        echo "::set-output name=tarball_bz2::${PKGNAME}.tar.bz2"
+        echo "tarball_xz=${PKGNAME}.tar.xz" >> "$GITHUB_OUTPUT"
+        echo "tarball_gz=${PKGNAME}.tar.gz" >> "$GITHUB_OUTPUT"
+        echo "tarball_bz2=${PKGNAME}.tar.bz2" >> "$GITHUB_OUTPUT"
 
-    - name: upload tarball_xz
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: upload tarballs
+      uses: softprops/action-gh-release@v2
       with:
-        upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./${{ steps.archive.outputs.tarball_xz }}
-        asset_name: ${{ steps.archive.outputs.tarball_xz }}
-        asset_content_type: application/x-xz
+        files: |
+          ${{ steps.archive.outputs.tarball_xz }}
+          ${{ steps.archive.outputs.tarball_gz }}
+          ${{ steps.archive.outputs.tarball_bz2 }}
 
-    - name: upload tarball_gz
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./${{ steps.archive.outputs.tarball_gz }}
-        asset_name: ${{ steps.archive.outputs.tarball_gz }}
-        asset_content_type: application/x-gzip
-
-    - name: upload tarball_bz2
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./${{ steps.archive.outputs.tarball_bz2 }}
-        asset_name: ${{ steps.archive.outputs.tarball_bz2 }}
-        asset_content_type: application/x-bzip2

From d652ed85386675c4f59b5b511cb059a084d18f6d Mon Sep 17 00:00:00 2001
From: James McKinney <26463+jpmckinney@users.noreply.github.com>
Date: Thu, 20 Jun 2024 04:51:29 -0400
Subject: [PATCH 11/37] Omit the version number from headers and HTML responses
 (#543)

Omit the version number from headers, HTML responses, and templates
---
 data/templates/debug.html   |  5 +----
 data/templates/default.html |  2 +-
 data/templates/stats.html   |  4 ++--
 src/html-error.c            |  8 ++++----
 src/reqs.c                  | 11 +++++------
 src/stats.c                 | 10 +++++-----
 src/utils.c                 |  2 +-
 tests/scripts/webclient.pl  |  3 +--
 tests/scripts/webserver.pl  |  3 +--
 9 files changed, 21 insertions(+), 27 deletions(-)

diff --git a/data/templates/debug.html b/data/templates/debug.html
index 6ee33674..0e7f0549 100644
--- a/data/templates/debug.html
+++ b/data/templates/debug.html
@@ -30,9 +30,6 @@ <h1>{cause}</h1>
   <dt>clienthost</dt>
   <dd>{clienthost}</dd>
 
-  <dt>version</dt>
-  <dd>{version}</dd>
-
   <dt>package</dt>
   <dd>{package}</dd>
 
@@ -49,7 +46,7 @@ <h1>{cause}</h1>
 
 <hr />
 
-<p><em>Generated by <a href="{website}">{package}</a> version {version}.</em></p>
+<p><em>Generated by <a href="{website}">{package}</a>.</em></p>
 
 </body>
 
diff --git a/data/templates/default.html b/data/templates/default.html
index 67354b7a..8a9c8f6c 100644
--- a/data/templates/default.html
+++ b/data/templates/default.html
@@ -16,7 +16,7 @@ <h1>{cause}</h1>
 
 <hr />
 
-<p><em>Generated by <a href="{website}">{package}</a> version {version}.</em></p>
+<p><em>Generated by <a href="{website}">{package}</a>.</em></p>
 
 </body>
 
diff --git a/data/templates/stats.html b/data/templates/stats.html
index a8c3e074..f039c970 100644
--- a/data/templates/stats.html
+++ b/data/templates/stats.html
@@ -2,7 +2,7 @@
 
 <html lang="en">
   <head>
-    <title>Stats [{package} v{version}]</title>
+    <title>Stats [{package}]</title>
     <meta charset="UTF-8" />
     <style type="text/css">
       body {
@@ -62,7 +62,7 @@
       <div id="inner">
         <table>
           <tr>
-            <th colspan="2">{package} v{version} statistics</th>
+            <th colspan="2">{package} statistics</th>
           </tr>
           <tr class="odd">
             <td class="right">Open connections</td>
diff --git a/src/html-error.c b/src/html-error.c
index ccafc59b..5dec9195 100644
--- a/src/html-error.c
+++ b/src/html-error.c
@@ -140,14 +140,14 @@ int send_http_headers (
 {
         const char headers[] =
             "HTTP/1.%u %d %s\r\n"
-            "Server: %s/%s\r\n"
+            "Server: %s\r\n"
             "Content-Type: text/html\r\n"
             "%s"
             "Connection: close\r\n" "\r\n";
 
         return (write_message (connptr->client_fd, headers,
                                connptr->protocol.major != 1 ? 0 : connptr->protocol.minor,
-                               code, message, PACKAGE, VERSION,
+                               code, message, PACKAGE,
                                extra));
 }
 
@@ -169,7 +169,7 @@ int send_http_error_message (struct conn_s *connptr)
             "<h1>%s</h1>\n"
             "<p>%s</p>\n"
             "<hr />\n"
-            "<p><em>Generated by %s version %s.</em></p>\n" "</body>\n"
+            "<p><em>Generated by %s.</em></p>\n" "</body>\n"
             "</html>\n";
 
         const char p_auth_str[] =
@@ -199,7 +199,7 @@ int send_http_error_message (struct conn_s *connptr)
                                        connptr->error_number,
                                        connptr->error_string,
                                        connptr->error_string,
-                                       detail, PACKAGE, VERSION));
+                                       detail, PACKAGE));
         }
 
         ret = send_html_file (infile, connptr);
diff --git a/src/reqs.c b/src/reqs.c
index a65ed54d..cbbd1d55 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -308,7 +308,7 @@ static int send_connect_method_response (struct conn_s *connptr)
 {
         return write_message (connptr->client_fd,
                               "HTTP/1.%u 200 Connection established\r\n"
-                              "Proxy-agent: " PACKAGE "/" VERSION "\r\n"
+                              "Proxy-agent: " PACKAGE "\r\n"
                               "\r\n", connptr->protocol.major != 1 ? 0 :
                                       connptr->protocol.minor);
 }
@@ -881,15 +881,14 @@ write_via_header (int fd, orderedmap hashofheaders,
         data = orderedmap_find (hashofheaders, "via");
         if (data) {
                 ret = write_message (fd,
-                                     "Via: %s, %hu.%hu %s (%s/%s)\r\n",
-                                     data, major, minor, hostname, PACKAGE,
-                                     VERSION);
+                                     "Via: %s, %hu.%hu %s (%s)\r\n",
+                                     data, major, minor, hostname, PACKAGE);
 
                 orderedmap_remove (hashofheaders, "via");
         } else {
                 ret = write_message (fd,
-                                     "Via: %hu.%hu %s (%s/%s)\r\n",
-                                     major, minor, hostname, PACKAGE, VERSION);
+                                     "Via: %hu.%hu %s (%s)\r\n",
+                                     major, minor, hostname, PACKAGE);
         }
 
 done:
diff --git a/src/stats.c b/src/stats.c
index 1228aa33..19607336 100644
--- a/src/stats.c
+++ b/src/stats.c
@@ -87,9 +87,9 @@ showstats (struct conn_s *connptr)
                    "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\" "
                    "\"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\n"
                    "<html>\n"
-                   "<head><title>%s version %s run-time statistics</title></head>\n"
+                   "<head><title>%s run-time statistics</title></head>\n"
                    "<body>\n"
-                   "<h1>%s version %s run-time statistics</h1>\n"
+                   "<h1>%s run-time statistics</h1>\n"
                    "<p>\n"
                    "Number of open connections: %lu<br />\n"
                    "Number of requests: %lu<br />\n"
@@ -98,13 +98,13 @@ showstats (struct conn_s *connptr)
                    "Number of refused connections due to high load: %lu\n"
                    "</p>\n"
                    "<hr />\n"
-                   "<p><em>Generated by %s version %s.</em></p>\n" "</body>\n"
+                   "<p><em>Generated by %s.</em></p>\n" "</body>\n"
                    "</html>\n",
-                   PACKAGE, VERSION, PACKAGE, VERSION,
+                   PACKAGE, PACKAGE,
                    stats->num_open,
                    stats->num_reqs,
                    stats->num_badcons, stats->num_denied,
-                   stats->num_refused, PACKAGE, VERSION);
+                   stats->num_refused, PACKAGE);
 
                 if (send_http_message (connptr, 200, "OK",
                                        message_buffer) < 0) {
diff --git a/src/utils.c b/src/utils.c
index ef2e6732..69faef6f 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -39,7 +39,7 @@ send_http_message (struct conn_s *connptr, int http_code,
                    const char *error_title, const char *message)
 {
         static const char *headers[] = {
-                "Server: " PACKAGE "/" VERSION,
+                "Server: " PACKAGE,
                 "Content-type: text/html",
                 "Connection: close"
         };
diff --git a/tests/scripts/webclient.pl b/tests/scripts/webclient.pl
index 4dddb69e..94df08b2 100755
--- a/tests/scripts/webclient.pl
+++ b/tests/scripts/webclient.pl
@@ -26,9 +26,8 @@
 
 my $EOL = "\015\012";
 
-my $VERSION = "0.1";
 my $NAME = "Tinyproxy-Web-Client";
-my $user_agent = "$NAME/$VERSION";
+my $user_agent = "$NAME";
 my $user_agent_header = "User-Agent: $user_agent$EOL";
 my $http_version = "1.0";
 my $method = "GET";
diff --git a/tests/scripts/webserver.pl b/tests/scripts/webserver.pl
index aa5eb137..2a6860fb 100755
--- a/tests/scripts/webserver.pl
+++ b/tests/scripts/webserver.pl
@@ -31,9 +31,8 @@
 use Pod::Usage;
 use Fcntl ':flock'; # import LOCK_* constants
 
-my $VERSION = "0.1";
 my $NAME = "Tinyproxy-Test-Web-Server";
-my $server_header = "Server: $NAME/$VERSION";
+my $server_header = "Server: $NAME";
 
 my $EOL = "\015\012";
 

From 73da8a35a32a80fdffa76cc1872f230abc6afc04 Mon Sep 17 00:00:00 2001
From: Robert Grumann <46533412+Gruummy@users.noreply.github.com>
Date: Sun, 14 Jul 2024 13:38:25 +0200
Subject: [PATCH 12/37] conf: add BasicAuthRealm feature (#547)

makes BasicAuth realm string editable in config file.

closes #235
---
 docs/man5/tinyproxy.conf.txt.in | 10 +++++++++-
 etc/tinyproxy.conf.in           |  7 +++++++
 src/conf-tokens.c               |  1 +
 src/conf-tokens.gperf           |  1 +
 src/conf-tokens.h               |  1 +
 src/conf.c                      |  9 +++++++++
 src/conf.h                      |  1 +
 src/html-error.c                | 32 +++++++++++++++++++++-----------
 8 files changed, 50 insertions(+), 12 deletions(-)

diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index ed137e2b..4471cbd8 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -239,6 +239,14 @@ access is only granted for authenticated users.
 
     BasicAuth user password
 
+=item B<BasicAuthRealm>
+
+In case "BasicAuth" is configured, the "realm" information.
+"Proxy Authentication Required" status http 407 "error-response" can be
+customized.
+
+- defaults in code to "Tinyproxy" (PACKAGE_NAME), if not configured.
+
 =item B<AddHeader>
 
 Configure one or more HTTP request headers to be added to outgoing
@@ -420,7 +428,7 @@ This manpage was written by the Tinyproxy project team.
 
 =head1 COPYRIGHT
 
-Copyright (c) 1998-2020 the Tinyproxy authors.
+Copyright (c) 1998-2024 the Tinyproxy authors.
 
 This program is distributed under the terms of the GNU General Public
 License version 2 or above. See the COPYING file for additional
diff --git a/etc/tinyproxy.conf.in b/etc/tinyproxy.conf.in
index af91d039..b7d46a71 100644
--- a/etc/tinyproxy.conf.in
+++ b/etc/tinyproxy.conf.in
@@ -205,6 +205,13 @@ Allow ::1
 # users.
 #BasicAuth user password
 
+# BasicAuthRealm : In case BasicAuth is configured, the "realm" information.
+# "Proxy Authentication Required" status http 407 "error-response" can be
+# customized.
+#
+# - defaults in code to "Tinyproxy" (PACKAGE_NAME), if not configured.
+#BasicAuthRealm "Tinyproxy"
+
 #
 # AddHeader: Adds the specified headers to outgoing HTTP requests that
 # Tinyproxy makes. Note that this option will not work for HTTPS
diff --git a/src/conf-tokens.c b/src/conf-tokens.c
index 2a1ddbe8..c94135fd 100644
--- a/src/conf-tokens.c
+++ b/src/conf-tokens.c
@@ -57,6 +57,7 @@ config_directive_find (register const char *str, register size_t len)
       {"connectport", CD_connectport},
       {"logfile", CD_logfile},
       {"basicauth", CD_basicauth},
+      {"basicauthrealm", CD_basicauthrealm},
       {"addheader", CD_addheader},
       {"maxrequestsperchild", CD_maxrequestsperchild}
     };
diff --git a/src/conf-tokens.gperf b/src/conf-tokens.gperf
index f027a23b..1013d591 100644
--- a/src/conf-tokens.gperf
+++ b/src/conf-tokens.gperf
@@ -44,6 +44,7 @@ allow, CD_allow
 deny, CD_deny
 bind, CD_bind
 basicauth, CD_basicauth
+basicauthrealm, CD_basicauthrealm
 errorfile, CD_errorfile
 addheader, CD_addheader
 filter, CD_filter
diff --git a/src/conf-tokens.h b/src/conf-tokens.h
index a6338f8f..01c8ccb2 100644
--- a/src/conf-tokens.h
+++ b/src/conf-tokens.h
@@ -29,6 +29,7 @@ CD_allow,
 CD_deny,
 CD_bind,
 CD_basicauth,
+CD_basicauthrealm,
 CD_errorfile,
 CD_addheader,
 CD_filter,
diff --git a/src/conf.c b/src/conf.c
index 4b5f33a8..372c73f8 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -122,6 +122,7 @@ static HANDLE_FUNC (handle_disabled_feature)
 
 static HANDLE_FUNC (handle_allow);
 static HANDLE_FUNC (handle_basicauth);
+static HANDLE_FUNC (handle_basicauthrealm);
 static HANDLE_FUNC (handle_anonymous);
 static HANDLE_FUNC (handle_bind);
 static HANDLE_FUNC (handle_bindsame);
@@ -193,6 +194,7 @@ struct {
         regex_t *cre;
 } directives[] = {
         /* string arguments */
+        STDCONF (basicauthrealm, STR, handle_basicauthrealm),
         STDCONF (logfile, STR, handle_logfile),
         STDCONF (pidfile, STR, handle_pidfile),
         STDCONF (anonymous, STR, handle_anonymous),
@@ -294,6 +296,7 @@ void free_config (struct config_s *conf)
         char *k;
         htab_value *v;
         size_t it;
+        safefree (conf->basicauth_realm);
         safefree (conf->logf_name);
         safefree (conf->stathost);
         safefree (conf->user);
@@ -481,6 +484,7 @@ static void initialize_config_defaults (struct config_s *conf)
          * (FIXME: Should have a better API for all this)
          */
         conf->errorpages = NULL;
+        conf->basicauth_realm = safestrdup (PACKAGE_NAME);
         conf->stathost = safestrdup (TINYPROXY_STATHOST);
         conf->idletimeout = MAX_IDLE_TIME;
         conf->logf_name = NULL;
@@ -634,6 +638,11 @@ set_int_arg (unsigned int *var, const char *line, regmatch_t * match)
  *
  ***********************************************************************/
 
+static HANDLE_FUNC (handle_basicauthrealm)
+{
+        return set_string_arg (&conf->basicauth_realm, line, &match[2]);
+}
+
 static HANDLE_FUNC (handle_logfile)
 {
         return set_string_arg (&conf->logf_name, line, &match[2]);
diff --git a/src/conf.h b/src/conf.h
index 0a0f06f7..0b25afa4 100644
--- a/src/conf.h
+++ b/src/conf.h
@@ -39,6 +39,7 @@ typedef struct {
  */
 struct config_s {
         sblist *basicauth_list;
+        char *basicauth_realm;
         char *logf_name;
         unsigned int syslog;    /* boolean */
         unsigned int port;
diff --git a/src/html-error.c b/src/html-error.c
index 5dec9195..2b870402 100644
--- a/src/html-error.c
+++ b/src/html-error.c
@@ -172,21 +172,31 @@ int send_http_error_message (struct conn_s *connptr)
             "<p><em>Generated by %s.</em></p>\n" "</body>\n"
             "</html>\n";
 
-        const char p_auth_str[] =
-            "Proxy-Authenticate: Basic realm=\""
-            PACKAGE_NAME "\"\r\n";
-
-        const char w_auth_str[] =
-            "WWW-Authenticate: Basic realm=\""
-            PACKAGE_NAME "\"\r\n";
-
 	/* according to rfc7235, the 407 error must be accompanied by
            a Proxy-Authenticate header field. */
-        const char *add = connptr->error_number == 407 ? p_auth_str :
-                          (connptr->error_number == 401 ? w_auth_str : "");
+        const char *auth_str_type = 
+                connptr->error_number == 407 ? "Proxy-Authenticate" :
+                (connptr->error_number == 401 ? "WWW-Authenticate" : "");
+
+        const char auth_str_tpl[] = "%s: Basic realm=\"%s\"\r\n";
+        char* auth_str_add = NULL;
+
+        if (auth_str_type[0] != 0) {
+                int auth_str_size = snprintf (NULL, 0, auth_str_tpl, 
+                                        auth_str_type, config->basicauth_realm) + 1;
+                if (auth_str_size > 0) {
+                        auth_str_add = safemalloc (auth_str_size);
+                        if (auth_str_add != NULL) {
+                                snprintf (auth_str_add, auth_str_size, auth_str_tpl,
+                                        auth_str_type, config->basicauth_realm);
+                        }
+                }
+        }
 
         send_http_headers (connptr, connptr->error_number,
-                           connptr->error_string, add);
+                           connptr->error_string, auth_str_add ? auth_str_add : "");
+
+        if (auth_str_add) safefree (auth_str_add);
 
         error_file = get_html_file (connptr->error_number);
         if (!error_file || !(infile = fopen (error_file, "r"))) {

From c04ba4711a3cb8ff25f05a8914bb6778c8e3079f Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sat, 19 Oct 2024 09:26:37 +0000
Subject: [PATCH 13/37] reqs: don't compile upstream code if feature disabled

fixes warning about implicit function declaration which is by default
treated as an error starting with GCC14.

closes #560
---
 src/reqs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/reqs.c b/src/reqs.c
index cbbd1d55..998719ab 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -1286,6 +1286,7 @@ static void relay_connection (struct conn_s *connptr)
         return;
 }
 
+#ifdef UPSTREAM_SUPPORT
 static int
 connect_to_upstream_proxy(struct conn_s *connptr, struct request_s *request)
 {
@@ -1402,7 +1403,7 @@ connect_to_upstream_proxy(struct conn_s *connptr, struct request_s *request)
 
 	return establish_http_connection(connptr, request);
 }
-
+#endif
 
 /*
  * Establish a connection to the upstream proxy server.

From 05f6e4e000c98b94341101a67672a37af90d3d4a Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Mon, 15 Jul 2024 05:56:39 +0000
Subject: [PATCH 14/37] basic auth: fix error status 401 vs 407

if tinyproxy serves as a HTTP server (i.e. when serving stats),
use error code 401, else error code 407.

fixes #532
---
 src/reqs.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/src/reqs.c b/src/reqs.c
index 998719ab..74b173b6 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -1559,6 +1559,19 @@ static void handle_connection_failure(struct conn_s *connptr, int got_headers)
         }
 }
 
+static void auth_error(struct conn_s *connptr, int code) {
+        const char *tit = code == 401 ? "Unauthorized" : "Proxy Authentication Required";
+        const char *msg = code == 401 ?
+        "The administrator of this proxy has not configured it to service requests from you." :
+        "This proxy requires authentication.";
+
+        update_stats (STAT_DENIED);
+        log_message (LOG_INFO,
+                     "Failed auth attempt (file descriptor: %d), ip %s",
+                     connptr->client_fd,
+                     connptr->client_ip_addr);
+        indicate_http_error (connptr, code, tit, "detail", msg, NULL);
+}
 
 /*
  * This is the main drive for each connection. As you can tell, for the
@@ -1677,12 +1690,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
                 }
 
                 if (!authstring) {
-                        if (stathost_connect) goto e401;
-                        update_stats (STAT_DENIED);
-                        indicate_http_error (connptr, 407, "Proxy Authentication Required",
-                                             "detail",
-                                             "This proxy requires authentication.",
-                                             NULL);
+                        auth_error(connptr, stathost_connect ? 401 : 407);
                         HC_FAIL();
                 }
                 if ( /* currently only "basic" auth supported */
@@ -1691,17 +1699,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
                         basicauth_check (config->basicauth_list, authstring + 6) == 1)
                                 failure = 0;
                 if(failure) {
-e401:
-                        update_stats (STAT_DENIED);
-                        log_message (LOG_INFO,
-                                     "Failed auth attempt (file descriptor: %d), ip %s",
-                                     connptr->client_fd,
-                                     connptr->client_ip_addr);
-                        indicate_http_error (connptr, 401, "Unauthorized",
-                                             "detail",
-                                             "The administrator of this proxy has not configured "
-                                             "it to service requests from you.",
-                                             NULL);
+                        auth_error(connptr, stathost_connect ? 401 : 407);
                         HC_FAIL();
                 }
                 orderedmap_remove (hashofheaders, "proxy-authorization");

From cea0ebe657fed5d66fcfe4cc00d306cba0680323 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Mon, 6 Jan 2025 19:25:57 +0000
Subject: [PATCH 15/37] tinyproxy.conf.5: explain what a site_spec looks like

---
 docs/man5/tinyproxy.conf.txt.in | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index 4471cbd8..873a741f 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -173,6 +173,10 @@ turns on the upstream proxy for the sites matching `site_spec`.
 
 `type` can be one of `http`, `socks4`, `socks5`, `none`.
 
+a `site_spec` is either a full domain name, a domain name starting with a
+`.`, in which case it is treated as a suffix, or an ip/mask tuple.
+the `site_spec` needs to be double-quoted.
+
 =item * I<upstream none "site_spec">
 turns off upstream support for sites matching `site_spec`, that means the
 connection is done directly.

From 56404a3dd68e15d5502716c835ecc9de2dc7a8ec Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Mon, 2 May 2022 12:36:04 +0000
Subject: [PATCH 16/37] replace orderedmap for connection headers with linear
 list

it turned out that a hashmap isn't the right datastructure, as the
special-case header Set-Cookie not only can, but is even heavily
recommended to be used multiple times.

we now use a dumb list as a key-value store for this purpose, but
restrict it to max 256 entries so the linear search can always be
completed in reasonable time in case of an attack.

closes #403
---
 src/Makefile.am         |   2 +-
 src/orderedmap.c        | 115 ----------------------------------------
 src/orderedmap.h        |  20 -------
 src/pseudomap.c         |  99 ++++++++++++++++++++++++++++++++++
 src/pseudomap.h         |  22 ++++++++
 src/reqs.c              |  79 +++++++++++++--------------
 src/reverse-proxy.c     |   4 +-
 src/reverse-proxy.h     |   4 +-
 src/transparent-proxy.c |   4 +-
 src/transparent-proxy.h |   4 +-
 10 files changed, 167 insertions(+), 186 deletions(-)
 delete mode 100644 src/orderedmap.c
 delete mode 100644 src/orderedmap.h
 create mode 100644 src/pseudomap.c
 create mode 100644 src/pseudomap.h

diff --git a/src/Makefile.am b/src/Makefile.am
index a7fef4ee..f9597b5a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -50,7 +50,7 @@ tinyproxy_SOURCES = \
 	base64.c base64.h \
 	sblist.c sblist.h \
 	hsearch.c hsearch.h \
-	orderedmap.c orderedmap.h \
+	pseudomap.c pseudomap.h \
 	loop.c loop.h \
 	mypoll.c mypoll.h \
 	connect-ports.c connect-ports.h
diff --git a/src/orderedmap.c b/src/orderedmap.c
deleted file mode 100644
index 1818e276..00000000
--- a/src/orderedmap.c
+++ /dev/null
@@ -1,115 +0,0 @@
-#ifdef HAVE_CONFIG_H
-#  include <config.h>
-#else
-#  define _ALL_SOURCE
-#  define _GNU_SOURCE
-#endif
-#include <string.h>
-#include "sblist.h"
-#include "orderedmap.h"
-
-static void orderedmap_destroy_contents(struct orderedmap *o) {
-	char **p, *q;
-	size_t i;
-	htab_value *v;
-	if(!o) return;
-	if(o->values) {
-		while(sblist_getsize(o->values)) {
-			p = sblist_get(o->values, 0);
-			if(p) free(*p);
-			sblist_delete(o->values, 0);
-		}
-		sblist_free(o->values);
-	}
-	if(o->map) {
-		i = 0;
-		while((i = htab_next(o->map, i, &q, &v)))
-			free(q);
-		htab_destroy(o->map);
-	}
-}
-
-struct orderedmap *orderedmap_create(size_t nbuckets) {
-	struct orderedmap o = {0}, *new;
-	o.values = sblist_new(sizeof(void*), 32);
-	if(!o.values) goto oom;
-	o.map = htab_create(nbuckets);
-	if(!o.map) goto oom;
-	new = malloc(sizeof o);
-	if(!new) goto oom;
-	memcpy(new, &o, sizeof o);
-	return new;
-	oom:;
-	orderedmap_destroy_contents(&o);
-	return 0;
-}
-
-void* orderedmap_destroy(struct orderedmap *o) {
-	orderedmap_destroy_contents(o);
-	free(o);
-	return 0;
-}
-
-int orderedmap_append(struct orderedmap *o, const char *key, char *value) {
-	size_t index;
-	char *nk, *nv;
-	nk = nv = 0;
-	nk = strdup(key);
-	nv = strdup(value);
-	if(!nk || !nv) goto oom;
-	index = sblist_getsize(o->values);
-	if(!sblist_add(o->values, &nv)) goto oom;
-	if(!htab_insert(o->map, nk, HTV_N(index))) {
-		sblist_delete(o->values, index);
-		goto oom;
-	}
-	return 1;
-oom:;
-	free(nk);
-	free(nv);
-	return 0;
-}
-
-char* orderedmap_find(struct orderedmap *o, const char *key) {
-	char **p;
-	htab_value *v = htab_find(o->map, key);
-	if(!v) return 0;
-	p = sblist_get(o->values, v->n);
-	return p?*p:0;
-}
-
-int orderedmap_remove(struct orderedmap *o, const char *key) {
-	size_t i;
-	char *lk;
-	char *sk;
-	char **sv;
-	htab_value *lv, *v = htab_find2(o->map, key, &sk);
-	if(!v) return 0;
-	sv = sblist_get(o->values, v->n);
-	free(*sv);
-	sblist_delete(o->values, v->n);
-	i = 0;
-	while((i = htab_next(o->map, i, &lk, &lv))) {
-		if(lv->n > v->n) lv->n--;
-	}
-	htab_delete(o->map, key);
-	free(sk);
-	return 1;
-}
-
-size_t orderedmap_next(struct orderedmap *o, size_t iter, char** key, char** value) {
-	size_t h_iter;
-	htab_value* hval;
-	char **p;
-	if(iter < sblist_getsize(o->values)) {
-		h_iter = 0;
-		while((h_iter = htab_next(o->map, h_iter, key, &hval))) {
-			if(hval->n == iter) {
-				p = sblist_get(o->values, iter);
-				*value = p?*p:0;
-				return iter+1;
-			}
-		}
-	}
-	return 0;
-}
diff --git a/src/orderedmap.h b/src/orderedmap.h
deleted file mode 100644
index e3f4b0eb..00000000
--- a/src/orderedmap.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef ORDEREDMAP_H
-#define ORDEREDMAP_H
-
-#include <stdlib.h>
-#include "sblist.h"
-#include "hsearch.h"
-
-typedef struct orderedmap {
-	sblist* values;
-	struct htab *map;
-} *orderedmap;
-
-struct orderedmap *orderedmap_create(size_t nbuckets);
-void* orderedmap_destroy(struct orderedmap *o);
-int orderedmap_append(struct orderedmap *o, const char *key, char *value );
-char* orderedmap_find(struct orderedmap *o, const char *key);
-int orderedmap_remove(struct orderedmap *o, const char *key);
-size_t orderedmap_next(struct orderedmap *o, size_t iter, char** key, char** value);
-
-#endif
diff --git a/src/pseudomap.c b/src/pseudomap.c
new file mode 100644
index 00000000..3b62e5bb
--- /dev/null
+++ b/src/pseudomap.c
@@ -0,0 +1,99 @@
+#include "config.h"
+#include "pseudomap.h"
+#include <strings.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* this data structure implements a pseudo hashmap.
+   tinyproxy originally used a hashmap for keeping the key/value pairs
+   in HTTP requests; however later it turned out that items need to be
+   returned in order - so we implemented an "orderedmap".
+   again, later it turned out that there are are special case headers,
+   namely Set-Cookie that can happen more than once, so a hashmap isn't the
+   right structure to hold the key-value pairs in HTTP headers.
+   it's expected that:
+   1) the number of headers in a HTTP request we have to process is
+      not big enough to cause a noticable performance drop when we have
+      to iterate through our list to find the right header; and
+   2) use of plain HTTP is getting exceedingly extinct by the day, so
+      in most usecases CONNECT method is used anyway.
+*/
+
+/* restrict the number of headers to 256 to prevent an attacker from
+   launching a denial of service attack. */
+#define MAX_SIZE 256
+
+pseudomap *pseudomap_create(void) {
+	return sblist_new(sizeof(struct pseudomap_entry), 64);
+}
+
+void pseudomap_destroy(pseudomap *o) {
+	if(!o) return;
+	while(sblist_getsize(o)) {
+		/* retrieve latest element, and "shrink" list in place,
+		   so we don't have to constantly rearrange list items
+		   by using sblist_delete(). */
+		struct pseudomap_entry *e = sblist_get(o, sblist_getsize(o)-1);
+		free(e->key);
+		free(e->value);
+		--o->count;
+	}
+	sblist_free(o);
+}
+
+int pseudomap_append(pseudomap *o, const char *key, char *value ) {
+	struct pseudomap_entry e;
+	if(sblist_getsize(o) >= MAX_SIZE) return 0;
+	e.key = strdup(key);
+	e.value = strdup(value);
+	if(!e.key || !e.value) goto oom;
+	if(!sblist_add(o, &e)) goto oom;
+	return 1;
+oom:
+	free(e.key);
+	free(e.value);
+	return 0;
+}
+
+static size_t pseudomap_find_index(pseudomap *o, const char *key) {
+	size_t i;
+	struct pseudomap_entry *e;
+	for(i = 0; i < sblist_getsize(o); ++i) {
+		e = sblist_get(o, i);
+		if(!strcasecmp(key, e->key)) return i;
+	}
+	return (size_t)-1;
+}
+
+char* pseudomap_find(pseudomap *o, const char *key) {
+	struct pseudomap_entry *e;
+	size_t i = pseudomap_find_index(o, key);
+	if(i == (size_t)-1) return 0;
+	e = sblist_get(o, i);
+	return e->value;
+}
+
+/* remove *all* entries that match key, to mimic behaviour of hashmap */
+int pseudomap_remove(pseudomap *o, const char *key) {
+	struct pseudomap_entry *e;
+	size_t i;
+	int ret = 0;
+	while((i = pseudomap_find_index(o, key)) != (size_t)-1) {
+		e = sblist_get(o, i);
+		free(e->key);
+		free(e->value);
+		sblist_delete(o, i);
+		ret = 1;
+	}
+	return ret;
+}
+
+size_t pseudomap_next(pseudomap *o, size_t iter, char** key, char** value) {
+	struct pseudomap_entry *e;
+	if(iter >= sblist_getsize(o)) return 0;
+	e = sblist_get(o, iter);
+	*key = e->key;
+	*value = e->value;
+	return iter + 1;
+}
+
diff --git a/src/pseudomap.h b/src/pseudomap.h
new file mode 100644
index 00000000..24c67b7d
--- /dev/null
+++ b/src/pseudomap.h
@@ -0,0 +1,22 @@
+#ifndef PSEUDOMAP_H
+#define PSEUDOMAP_H
+
+#include <stdlib.h>
+#include "sblist.h"
+
+struct pseudomap_entry {
+	char *key;
+	char *value;
+};
+
+typedef sblist pseudomap;
+
+pseudomap *pseudomap_create(void);
+void pseudomap_destroy(pseudomap *o);
+int pseudomap_append(pseudomap *o, const char *key, char *value );
+char* pseudomap_find(pseudomap *o, const char *key);
+int pseudomap_remove(pseudomap *o, const char *key);
+size_t pseudomap_next(pseudomap *o, size_t iter, char** key, char** value);
+
+#endif
+
diff --git a/src/reqs.c b/src/reqs.c
index 74b173b6..52135a03 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -33,7 +33,7 @@
 #include "conns.h"
 #include "filter.h"
 #include "hsearch.h"
-#include "orderedmap.h"
+#include "pseudomap.h"
 #include "heap.h"
 #include "html-error.h"
 #include "log.h"
@@ -318,7 +318,7 @@ static int send_connect_method_response (struct conn_s *connptr)
  * build a new request line. Finally connect to the remote server.
  */
 static struct request_s *process_request (struct conn_s *connptr,
-                                          orderedmap hashofheaders)
+                                          pseudomap *hashofheaders)
 {
         char *url;
         struct request_s *request;
@@ -645,7 +645,7 @@ static int add_xtinyproxy_header (struct conn_s *connptr)
  * can be retrieved and manipulated later.
  */
 static int
-add_header_to_connection (orderedmap hashofheaders, char *header, size_t len)
+add_header_to_connection (pseudomap *hashofheaders, char *header, size_t len)
 {
         char *sep;
 
@@ -663,7 +663,7 @@ add_header_to_connection (orderedmap hashofheaders, char *header, size_t len)
         /* Calculate the new length of just the data */
         len -= sep - header - 1;
 
-        return orderedmap_append (hashofheaders, header, sep);
+        return pseudomap_append (hashofheaders, header, sep);
 }
 
 /*
@@ -676,7 +676,7 @@ add_header_to_connection (orderedmap hashofheaders, char *header, size_t len)
 /*
  * Read all the headers from the stream
  */
-static int get_all_headers (int fd, orderedmap hashofheaders)
+static int get_all_headers (int fd, pseudomap *hashofheaders)
 {
         char *line = NULL;
         char *header = NULL;
@@ -769,7 +769,7 @@ static int get_all_headers (int fd, orderedmap hashofheaders)
  * Extract the headers to remove.  These headers were listed in the Connection
  * and Proxy-Connection headers.
  */
-static int remove_connection_headers (orderedmap hashofheaders)
+static int remove_connection_headers (pseudomap *hashofheaders)
 {
         static const char *headers[] = {
                 "connection",
@@ -783,7 +783,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
 
         for (i = 0; i != (sizeof (headers) / sizeof (char *)); ++i) {
                 /* Look for the connection header.  If it's not found, return. */
-                data = orderedmap_find(hashofheaders, headers[i]);
+                data = pseudomap_find(hashofheaders, headers[i]);
 
                 if (!data)
                         return 0;
@@ -809,7 +809,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
                            double-free (CVE-2023-49606) */
                         for (j = 0; j != (sizeof (headers) / sizeof (char *)); ++j)
                                 if(!strcasecmp(ptr, headers[j])) df = 1;
-                        if (!df) orderedmap_remove (hashofheaders, ptr);
+                        if (!df) pseudomap_remove (hashofheaders, ptr);
 
                         /* Advance ptr to the next token */
                         ptr += strlen (ptr) + 1;
@@ -818,7 +818,7 @@ static int remove_connection_headers (orderedmap hashofheaders)
                 }
 
                 /* Now remove the connection header it self. */
-                orderedmap_remove (hashofheaders, headers[i]);
+                pseudomap_remove (hashofheaders, headers[i]);
         }
 
         return 0;
@@ -828,12 +828,12 @@ static int remove_connection_headers (orderedmap hashofheaders)
  * If there is a Content-Length header, then return the value; otherwise, return
  * -1.
  */
-static long get_content_length (orderedmap hashofheaders)
+static long get_content_length (pseudomap *hashofheaders)
 {
         char *data;
         long content_length = -1;
 
-        data = orderedmap_find (hashofheaders, "content-length");
+        data = pseudomap_find (hashofheaders, "content-length");
 
         if (data)
                 content_length = atol (data);
@@ -841,10 +841,10 @@ static long get_content_length (orderedmap hashofheaders)
         return content_length;
 }
 
-static int is_chunked_transfer (orderedmap hashofheaders)
+static int is_chunked_transfer (pseudomap *hashofheaders)
 {
         char *data;
-        data = orderedmap_find (hashofheaders, "transfer-encoding");
+        data = pseudomap_find (hashofheaders, "transfer-encoding");
         return data ? !strcmp (data, "chunked") : 0;
 }
 
@@ -856,7 +856,7 @@ static int is_chunked_transfer (orderedmap hashofheaders)
  * purposes.
  */
 static int
-write_via_header (int fd, orderedmap hashofheaders,
+write_via_header (int fd, pseudomap *hashofheaders,
                   unsigned int major, unsigned int minor)
 {
         char hostname[512];
@@ -878,13 +878,13 @@ write_via_header (int fd, orderedmap hashofheaders,
          * See if there is a "Via" header.  If so, again we need to do a bit
          * of processing.
          */
-        data = orderedmap_find (hashofheaders, "via");
+        data = pseudomap_find (hashofheaders, "via");
         if (data) {
                 ret = write_message (fd,
                                      "Via: %s, %hu.%hu %s (%s)\r\n",
                                      data, major, minor, hostname, PACKAGE);
 
-                orderedmap_remove (hashofheaders, "via");
+                pseudomap_remove (hashofheaders, "via");
         } else {
                 ret = write_message (fd,
                                      "Via: %hu.%hu %s (%s)\r\n",
@@ -895,11 +895,6 @@ write_via_header (int fd, orderedmap hashofheaders,
         return ret;
 }
 
-/*
- * Number of buckets to use internally in the hashmap.
- */
-#define HEADER_BUCKETS 32
-
 /*
  * Here we loop through all the headers the client is sending. If we
  * are running in anonymous mode, we will _only_ send the headers listed
@@ -907,7 +902,7 @@ write_via_header (int fd, orderedmap hashofheaders,
  *	- rjkaes
  */
 static int
-process_client_headers (struct conn_s *connptr, orderedmap hashofheaders)
+process_client_headers (struct conn_s *connptr, pseudomap *hashofheaders)
 {
         static const char *skipheaders[] = {
                 "host",
@@ -955,7 +950,7 @@ process_client_headers (struct conn_s *connptr, orderedmap hashofheaders)
          * Delete the headers listed in the skipheaders list
          */
         for (i = 0; i != (sizeof (skipheaders) / sizeof (char *)); i++) {
-                orderedmap_remove (hashofheaders, skipheaders[i]);
+                pseudomap_remove (hashofheaders, skipheaders[i]);
         }
 
         /* Send, or add the Via header */
@@ -976,7 +971,7 @@ process_client_headers (struct conn_s *connptr, orderedmap hashofheaders)
          * Output all the remaining headers to the remote machine.
          */
         iter = 0;
-        while((iter = orderedmap_next(hashofheaders, iter, &data, &header))) {
+        while((iter = pseudomap_next(hashofheaders, iter, &data, &header))) {
                 if (!is_anonymous_enabled (config)
                     || anonymous_search (config, data) > 0) {
                         ret =
@@ -1031,7 +1026,7 @@ static int process_server_headers (struct conn_s *connptr)
 
         char *response_line;
 
-        orderedmap hashofheaders;
+        pseudomap *hashofheaders;
         size_t iter;
         char *data, *header;
         ssize_t len;
@@ -1061,7 +1056,7 @@ static int process_server_headers (struct conn_s *connptr)
                 goto retry;
         }
 
-        hashofheaders = orderedmap_create (HEADER_BUCKETS);
+        hashofheaders = pseudomap_create ();
         if (!hashofheaders) {
                 safefree (response_line);
                 return -1;
@@ -1073,7 +1068,7 @@ static int process_server_headers (struct conn_s *connptr)
         if (get_all_headers (connptr->server_fd, hashofheaders) < 0) {
                 log_message (LOG_WARNING,
                              "Could not retrieve all the headers from the remote server.");
-                orderedmap_destroy (hashofheaders);
+                pseudomap_destroy (hashofheaders);
                 safefree (response_line);
 
                 indicate_http_error (connptr, 503,
@@ -1092,7 +1087,7 @@ static int process_server_headers (struct conn_s *connptr)
          * Instead we'll free all the memory and return.
          */
         if (connptr->protocol.major < 1) {
-                orderedmap_destroy (hashofheaders);
+                pseudomap_destroy (hashofheaders);
                 safefree (response_line);
                 return 0;
         }
@@ -1119,7 +1114,7 @@ static int process_server_headers (struct conn_s *connptr)
          * Delete the headers listed in the skipheaders list
          */
         for (i = 0; i != (sizeof (skipheaders) / sizeof (char *)); i++) {
-                orderedmap_remove (hashofheaders, skipheaders[i]);
+                pseudomap_remove (hashofheaders, skipheaders[i]);
         }
 
         /* Send, or add the Via header */
@@ -1141,7 +1136,7 @@ static int process_server_headers (struct conn_s *connptr)
 
         /* Rewrite the HTTP redirect if needed */
         if (config->reversebaseurl &&
-            (header = orderedmap_find (hashofheaders, "location"))) {
+            (header = pseudomap_find (hashofheaders, "location"))) {
 
                 /* Look for a matching entry in the reversepath list */
                 while (reverse) {
@@ -1166,7 +1161,7 @@ static int process_server_headers (struct conn_s *connptr)
                                      "Rewriting HTTP redirect: %s -> %s%s%s",
                                      header, config->reversebaseurl,
                                      (reverse->path + 1), (header + len));
-                        orderedmap_remove (hashofheaders, "location");
+                        pseudomap_remove (hashofheaders, "location");
                 }
         }
 #endif
@@ -1175,14 +1170,14 @@ static int process_server_headers (struct conn_s *connptr)
          * All right, output all the remaining headers to the client.
          */
         iter = 0;
-        while ((iter = orderedmap_next(hashofheaders, iter, &data, &header))) {
+        while ((iter = pseudomap_next(hashofheaders, iter, &data, &header))) {
 
                 ret = write_message (connptr->client_fd,
                                      "%s: %s\r\n", data, header);
                 if (ret < 0)
                         goto ERROR_EXIT;
         }
-        orderedmap_destroy (hashofheaders);
+        pseudomap_destroy (hashofheaders);
 
         /* Write the final blank line to signify the end of the headers */
         if (safe_write (connptr->client_fd, "\r\n", 2) < 0)
@@ -1191,7 +1186,7 @@ static int process_server_headers (struct conn_s *connptr)
         return 0;
 
 ERROR_EXIT:
-        orderedmap_destroy (hashofheaders);
+        pseudomap_destroy (hashofheaders);
         return -1;
 }
 
@@ -1595,7 +1590,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
         int got_headers = 0, fd = connptr->client_fd;
         size_t i;
         struct request_s *request = NULL;
-        orderedmap hashofheaders = NULL;
+        pseudomap *hashofheaders = NULL;
 
         char sock_ipaddr[IP_LENGTH];
         char peer_ipaddr[IP_LENGTH];
@@ -1650,7 +1645,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
         /*
          * The "hashofheaders" store the client's headers.
          */
-        hashofheaders = orderedmap_create (HEADER_BUCKETS);
+        hashofheaders = pseudomap_create ();
         if (hashofheaders == NULL) {
                 update_stats (STAT_BADCONN);
                 indicate_http_error (connptr, 503, "Internal error",
@@ -1679,12 +1674,12 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
         if (config->basicauth_list != NULL) {
                 char *authstring;
                 int failure = 1, stathost_connect = 0;
-                authstring = orderedmap_find (hashofheaders, "proxy-authorization");
+                authstring = pseudomap_find (hashofheaders, "proxy-authorization");
 
                 if (!authstring && config->stathost) {
-                        authstring = orderedmap_find (hashofheaders, "host");
+                        authstring = pseudomap_find (hashofheaders, "host");
                         if (authstring && !strncmp(authstring, config->stathost, strlen(config->stathost))) {
-                                authstring = orderedmap_find (hashofheaders, "authorization");
+                                authstring = pseudomap_find (hashofheaders, "authorization");
                                 stathost_connect = 1;
                         } else authstring = 0;
                 }
@@ -1702,7 +1697,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
                         auth_error(connptr, stathost_connect ? 401 : 407);
                         HC_FAIL();
                 }
-                orderedmap_remove (hashofheaders, "proxy-authorization");
+                pseudomap_remove (hashofheaders, "proxy-authorization");
         }
 
         /*
@@ -1713,7 +1708,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
         for (i = 0; i < sblist_getsize (config->add_headers); i++) {
                 http_header_t *header = sblist_get (config->add_headers, i);
 
-                orderedmap_append (hashofheaders, header->name, header->value);
+                pseudomap_append (hashofheaders, header->name, header->value);
         }
 
         request = process_request (connptr, hashofheaders);
@@ -1791,7 +1786,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
 
 done:
         free_request_struct (request);
-        orderedmap_destroy (hashofheaders);
+        pseudomap_destroy (hashofheaders);
         conn_destroy_contents (connptr);
         return;
 #undef HC_FAIL
diff --git a/src/reverse-proxy.c b/src/reverse-proxy.c
index 68f04a69..98b0963e 100644
--- a/src/reverse-proxy.c
+++ b/src/reverse-proxy.c
@@ -127,7 +127,7 @@ void free_reversepath_list (struct reversepath *reverse)
 /*
  * Rewrite the URL for reverse proxying.
  */
-char *reverse_rewrite_url (struct conn_s *connptr, orderedmap hashofheaders,
+char *reverse_rewrite_url (struct conn_s *connptr, pseudomap *hashofheaders,
                            char *url, int *status)
 {
         char *rewrite_url = NULL;
@@ -153,7 +153,7 @@ char *reverse_rewrite_url (struct conn_s *connptr, orderedmap hashofheaders,
                                 sprintf (rewrite_url, "%s%s", reverse->url, url + lrp);
                         }
                 } else if (config->reversemagic
-                           && (cookie = orderedmap_find (hashofheaders,
+                           && (cookie = pseudomap_find (hashofheaders,
                                                     "cookie"))) {
 
                         /* No match - try the magical tracking cookie next */
diff --git a/src/reverse-proxy.h b/src/reverse-proxy.h
index a9a5bdd5..7ded66d4 100644
--- a/src/reverse-proxy.h
+++ b/src/reverse-proxy.h
@@ -22,7 +22,7 @@
 #define TINYPROXY_REVERSE_PROXY_H
 
 #include "conns.h"
-#include "orderedmap.h"
+#include "pseudomap.h"
 
 struct reversepath {
         struct reversepath *next;
@@ -38,7 +38,7 @@ extern struct reversepath *reversepath_get (char *url,
                                             struct reversepath *reverse);
 void free_reversepath_list (struct reversepath *reverse);
 extern char *reverse_rewrite_url (struct conn_s *connptr,
-                                  orderedmap hashofheaders, char *url,
+                                  pseudomap *hashofheaders, char *url,
                                   int *status);
 
 #endif
diff --git a/src/transparent-proxy.c b/src/transparent-proxy.c
index d090ae37..d0ba2c86 100644
--- a/src/transparent-proxy.c
+++ b/src/transparent-proxy.c
@@ -53,7 +53,7 @@ static int build_url (char **url, const char *host, int port, const char *path)
 }
 
 int
-do_transparent_proxy (struct conn_s *connptr, orderedmap hashofheaders,
+do_transparent_proxy (struct conn_s *connptr, pseudomap *hashofheaders,
                       struct request_s *request, struct config_s *conf,
                       char **url)
 {
@@ -62,7 +62,7 @@ do_transparent_proxy (struct conn_s *connptr, orderedmap hashofheaders,
         size_t ulen = strlen (*url);
         size_t i;
 
-        data = orderedmap_find (hashofheaders, "host");
+        data = pseudomap_find (hashofheaders, "host");
         if (!data) {
                 union sockaddr_union dest_addr;
                 const void *dest_inaddr;
diff --git a/src/transparent-proxy.h b/src/transparent-proxy.h
index b56c446e..1167aed2 100644
--- a/src/transparent-proxy.h
+++ b/src/transparent-proxy.h
@@ -26,11 +26,11 @@
 #ifdef TRANSPARENT_PROXY
 
 #include "conns.h"
-#include "orderedmap.h"
+#include "pseudomap.h"
 #include "reqs.h"
 
 extern int do_transparent_proxy (struct conn_s *connptr,
-                                 orderedmap hashofheaders,
+                                 pseudomap *hashofheaders,
                                  struct request_s *request,
                                  struct config_s *config, char **url);
 

From 74f5f593bbd4b7fe62f077f44562203f29893791 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 13 Feb 2025 11:01:53 +0100
Subject: [PATCH 17/37] build: fix shellcheck errors in autogen.sh

The following error types are addressed:

https://www.shellcheck.net/wiki/SC2164 -- Use 'cd ... || exit' or 'cd ... || return' in case cd fails.
  https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing and word splitting.
  https://www.shellcheck.net/wiki/SC2006 -- Use $(...) notation instead of legacy backticks `...`.

Signed-off-by: Michael Adam <obnox@samba.org>
---
 autogen.sh | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/autogen.sh b/autogen.sh
index fb6da78b..b3011ccd 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -1,24 +1,31 @@
 #!/bin/sh
 
-srcdir=`dirname $0`
+srcdir=$(dirname "$0")
 test -z "$srcdir" && srcdir=.
-ORIGDIR=`pwd`
+ORIGDIR=$(pwd)
 
 set -x
 
-cd $srcdir
+cd "$srcdir" || {
+    echo "error changing to dir '$srcdir'"
+    exit
+}
 
 aclocal -I m4macros \
   && autoheader \
   && automake --gnu --add-missing \
   && autoconf
 
-cd $ORIGDIR
+cd "$ORIGDIR" || {
+    echo "error changing to idir '$ORIGDIR'"
+    exit
+
+}
 
 set -
 
-echo $srcdir/configure "$@"
-$srcdir/configure "$@"
+echo "$srcdir"/configure "$@"
+"$srcdir"/configure "$@"
 RC=$?
 if test $RC -ne 0; then
   echo

From 0712ec33adcd6070d3e6c62e5237d9d830e93337 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 13 Feb 2025 11:37:08 +0100
Subject: [PATCH 18/37] tests: fix  shellcheck issues and syntax errors in
 run_tests.sh

This fixes several instances of the following shellcheck issues:

https://www.shellcheck.net/wiki/SC2046 -- Quote this to prevent word splitting.
https://shellcheck.net/wiki/SC3037 (warning): In POSIX sh, echo flags are undefined.
https://shellchelleck.net/wiki/SC2268 (style): Avoid x-prefix in comparisons as it no longer serves a purpose.
https://shellcheck.net/wiki/SC2009 (info): Consider using pgrep instead of grepping ps output.
https://shellcheck.net/wiki/SC3028 (warning): In POSIX sh, SECONDS is undefined.
SC2059 (info): Don't use variables in the printf format string
 COUNT appears unused. Verify use (or export if used externally).
https://shellcheck.net/wiki/SC2162 (info): read without -r will mangle backslashes.
https://shellcheck.net/wiki/SC2034 (warning): READ appears unused. Verify use (or export if used externally).
https://shellcheck.net/wiki/SC2317 (info): Command appears to be unreachable. Check usage (or ignore if invoked indirectly).
https://shellcheck.net/wiki/SC2086 (info): Double quote to prevent globbing and word splitting.

Signed-off-by: Michael Adam <obnox@samba.org>

tests: fix syntax errors in run_tests.sh

Signed-off-by: Michael Adam <obnox@samba.org>
---
 tests/scripts/run_tests.sh | 141 +++++++++++++++++++------------------
 1 file changed, 72 insertions(+), 69 deletions(-)

diff --git a/tests/scripts/run_tests.sh b/tests/scripts/run_tests.sh
index 5a8ecd8f..3bee7687 100755
--- a/tests/scripts/run_tests.sh
+++ b/tests/scripts/run_tests.sh
@@ -18,7 +18,7 @@
 # this program; if not, see <http://www.gnu.org/licenses/>.
 
 
-SCRIPTS_DIR=$(cd $(dirname $0) && pwd)
+SCRIPTS_DIR=$(cd "$(dirname "$0")" && pwd)
 BASEDIR=$SCRIPTS_DIR/../..
 TESTS_DIR=$SCRIPTS_DIR/..
 TESTENV_DIR=$TESTS_DIR/env
@@ -51,27 +51,27 @@ WEBCLIENT_LOG=$LOG_DIR/webclient.log
 WEBCLIENT_BIN=$SCRIPTS_DIR/webclient.pl
 
 provision_initial() {
-	if test -e $TESTENV_DIR ; then
+	if test -e "$TESTENV_DIR" ; then
 		TESTENV_DIR_OLD=$TESTENV_DIR.old
-		if test -e $TESTENV_DIR_OLD ; then
-			rm -rf $TESTENV_DIR_OLD
+		if test -e "$TESTENV_DIR_OLD" ; then
+			rm -rf "$TESTENV_DIR_OLD"
 		fi
-		mv $TESTENV_DIR $TESTENV_DIR.old
+		mv "$TESTENV_DIR" "$TESTENV_DIR".old
 	fi
 
-	mkdir -p $LOG_DIR
+	mkdir -p "$LOG_DIR"
 }
 
 provision_tinyproxy() {
-	mkdir -p $TINYPROXY_DATA_DIR
-	cp $BASEDIR/data/templates/default.html $TINYPROXY_DATA_DIR
-	cp $BASEDIR/data/templates/debug.html $TINYPROXY_DATA_DIR
-	cp $BASEDIR/data/templates/stats.html $TINYPROXY_DATA_DIR
-	mkdir -p $TINYPROXY_PID_DIR
-	mkdir -p $TINYPROXY_LOG_DIR
-	mkdir -p $TINYPROXY_CONF_DIR
-
-	cat >>$TINYPROXY_CONF_FILE<<EOF
+	mkdir -p "$TINYPROXY_DATA_DIR"
+	cp "$BASEDIR"/data/templates/default.html "$TINYPROXY_DATA_DIR"
+	cp "$BASEDIR"/data/templates/debug.html "$TINYPROXY_DATA_DIR"
+	cp "$BASEDIR"/data/templates/stats.html "$TINYPROXY_DATA_DIR"
+	mkdir -p "$TINYPROXY_PID_DIR"
+	mkdir -p "$TINYPROXY_LOG_DIR"
+	mkdir -p "$TINYPROXY_CONF_DIR"
+
+	cat >>"$TINYPROXY_CONF_FILE"<<EOF
 User $TINYPROXY_USER
 #Group $TINYPROXY_GROUP
 Port $TINYPROXY_PORT
@@ -103,85 +103,87 @@ AddHeader "X-My-Header3" "Powered by Tinyproxy"
 Upstream http 255.255.255.255:65535 ".invalid"
 EOF
 
-cat << 'EOF' > $TINYPROXY_FILTER_FILE
+cat << 'EOF' > "$TINYPROXY_FILTER_FILE"
 .*\.google-analytics\.com$
 EOF
 }
 
 start_tinyproxy() {
-	echo -n "starting tinyproxy..."
-	$VALGRIND $TINYPROXY_BIN -c $TINYPROXY_CONF_FILE 2> $TINYPROXY_STDERR_LOG
+	printf "starting tinyproxy..."
+	$VALGRIND "$TINYPROXY_BIN" -c "$TINYPROXY_CONF_FILE" 2> "$TINYPROXY_STDERR_LOG"
 	echo " done (listening on $TINYPROXY_IP:$TINYPROXY_PORT)"
 }
 
 reload_config() {
-	echo -n "signaling tinyproxy to reload config..."
-	pid=$(cat $TINYPROXY_PID_FILE)
+	printf "signaling tinyproxy to reload config..."
+	pid=$(cat "$TINYPROXY_PID_FILE")
 	#1: SIGHUP
-	kill -1 $pid && echo "ok" || echo "fail"
+	kill -1 "$pid" && echo "ok" || echo "fail"
 }
 
 stop_tinyproxy() {
-	echo -n "killing tinyproxy..."
-	pid=$(cat $TINYPROXY_PID_FILE)
-	kill $pid
-	if test "x$?" = "x0" ; then
+	printf "killing tinyproxy..."
+	pid=$(cat "$TINYPROXY_PID_FILE")
+	kill "$pid"
+	if test "$?" = "0" ; then
 		echo " ok"
 	else
 		echo " error killing pid $pid"
-		ps aux | grep tinyproxy
+		pgrep tinyproxy
 		echo "### printing logfile"
-		cat $TINYPROXY_LOG_FILE
+		cat "$TINYPROXY_LOG_FILE"
 		echo "### printing stderr logfile"
-		cat $TINYPROXY_STDERR_LOG
+		cat "$TINYPROXY_STDERR_LOG"
 	fi
 }
 
 provision_webserver() {
-	mkdir -p $WEBSERVER_PID_DIR
-	mkdir -p $WEBSERVER_LOG_DIR
+	mkdir -p "$WEBSERVER_PID_DIR"
+	mkdir -p "$WEBSERVER_LOG_DIR"
 }
 
 start_webserver() {
-	echo -n "starting web server..."
-	$WEBSERVER_BIN --port $WEBSERVER_PORT --log-dir $WEBSERVER_LOG_DIR --pid-file $WEBSERVER_PID_FILE
-	echo " done (listening on $WEBSERVER_IP:$WEBSERVER_PORT)"
+	printf "starting web server..."
+	"$WEBSERVER_BIN" --port "$WEBSERVER_PORT" --log-dir "$WEBSERVER_LOG_DIR" --pid-file "$WEBSERVER_PID_FILE"
+	echo " done. listening on $WEBSERVER_IP:$WEBSERVER_PORT"
+	"$WEBSERVER_BIN" --port "$WEBSERVER_PORT" --log-dir "$WEBSERVER_LOG_DIR" --pid-file "$WEBSERVER_PID_FILE"
+	echo " done. listening on $WEBSERVER_IP:$WEBSERVER_PORT"
 }
 
 stop_webserver() {
-	echo -n "killing webserver..."
-	kill $(cat $WEBSERVER_PID_FILE)
-	if test "x$?" = "x0" ; then
+	printf  "killing webserver..."
+	kill "$(cat "$WEBSERVER_PID_FILE")"
+	if test "$?" = "0" ; then
 		echo " ok"
 	else
 		echo " error"
-	fi
+    fi
 }
 
 wait_for_some_seconds() {
-	SECONDS=$1
-	if test "x$SECONDS" = "x" ; then
-		SECONDS=1
+	seconds=$1
+	if test "$seconds" = "" ; then
+		seconds=1
 	fi
 
-	echo -n "waiting for $SECONDS seconds."
+	printf 'waiting for %s seconds.' "$seconds"
 
-	for COUNT in $(seq 1 $SECONDS) ; do
+	for COUNT in $(seq 1 "$seconds") ; do
 		sleep 1
-		echo -n "."
+		printf ' %s ' "$COUNT"
 	done
-	echo " done"
+	echo ' done'
 }
 
 run_basic_webclient_request() {
-	$WEBCLIENT_BIN $1 $2 > $WEBCLIENT_LOG 2>&1
+	"$WEBCLIENT_BIN" "$1" "$2" > "$WEBCLIENT_LOG" 2>&1
 	WEBCLIENT_EXIT_CODE=$?
-	if test "x$WEBCLIENT_EXIT_CODE" = "x0" ; then
+	if test "$WEBCLIENT_EXIT_CODE" = "0" ; then
 		echo " ok"
 	else
-		echo "ERROR ($WEBCLIENT_EXIT_CODE)"
+		echo "ERROR: $WEBCLIENT_EXIT_CODE"
 		echo "webclient output:"
-		cat $WEBCLIENT_LOG
+		cat "$WEBCLIENT_LOG"
 		echo "######################################"
 	fi
 
@@ -192,15 +194,15 @@ run_failure_webclient_request() {
 	ec=$1
 	expected_error=$(($1 - 399))
 	shift
-	$WEBCLIENT_BIN "$1" "$2" "$3" "$4" > $WEBCLIENT_LOG 2>&1
+	"$WEBCLIENT_BIN" "$1" "$2" "$3" "$4" > "$WEBCLIENT_LOG" 2>&1
 	WEBCLIENT_EXIT_CODE=$?
-	if test "x$WEBCLIENT_EXIT_CODE" = "x$expected_error" ; then
+	if test "$WEBCLIENT_EXIT_CODE" = "$expected_error" ; then
 		echo " ok, got expected error code $ec"
 		return 0
 	else
-		echo "ERROR ($WEBCLIENT_EXIT_CODE)"
+		echo "ERROR: $WEBCLIENT_EXIT_CODE"
 		echo "webclient output:"
-		cat $WEBCLIENT_LOG
+		cat "$WEBCLIENT_LOG"
 		echo "######################################"
 	fi
 
@@ -221,35 +223,35 @@ wait_for_some_seconds 1
 FAILED=0
 
 basic_test() {
-echo -n "checking direct connection to web server..."
+printf "checking direct connection to web server..."
 run_basic_webclient_request "$WEBSERVER_IP:$WEBSERVER_PORT" /
-test "x$?" = "x0" || FAILED=$((FAILED + 1))
+test "$?" = "0" || FAILED=$((FAILED + 1))
 
-echo -n "testing connection through tinyproxy..."
+printf "testing connection through tinyproxy..."
 run_basic_webclient_request "$TINYPROXY_IP:$TINYPROXY_PORT" "http://$WEBSERVER_IP:$WEBSERVER_PORT/"
-test "x$?" = "x0" || FAILED=$((FAILED + 1))
+test "$?" = "0" || FAILED=$((FAILED + 1))
 
-echo -n "requesting statspage via stathost url..."
+printf "requesting statspage via stathost url..."
 run_basic_webclient_request "$TINYPROXY_IP:$TINYPROXY_PORT" "http://$TINYPROXY_STATHOST_IP"
-test "x$?" = "x0" || FAILED=$((FAILED + 1))
+test "$?" = "0" || FAILED=$((FAILED + 1))
 }
 
 ext_test() {
-echo -n "checking bogus request..."
+printf "checking bogus request..."
 run_failure_webclient_request 400 --method="BIG FART" "$TINYPROXY_IP:$TINYPROXY_PORT" "http://$WEBSERVER_IP:$WEBSERVER_PORT"
-test "x$?" = "x0" || FAILED=$((FAILED + 1))
+test "$?" = "0" || FAILED=$((FAILED + 1))
 
-echo -n "testing connection to filtered domain..."
+printf "testing connection to filtered domain..."
 run_failure_webclient_request 403 "$TINYPROXY_IP:$TINYPROXY_PORT" "http://badgoy.google-analytics.com/"
-test "x$?" = "x0" || FAILED=$((FAILED + 1))
+test "$?" = "0" || FAILED=$((FAILED + 1))
 
-echo -n "requesting connect method to denied port..."
+printf "requesting connect method to denied port..."
 run_failure_webclient_request 403 --method=CONNECT "$TINYPROXY_IP:$TINYPROXY_PORT" "localhost:12345"
-test "x$?" = "x0" || FAILED=$((FAILED + 1))
+test "$?" = "0" || FAILED=$((FAILED + 1))
 
-echo -n "testing unavailable backend..."
+printf "testing unavailable backend..."
 run_failure_webclient_request 502 "$TINYPROXY_IP:$TINYPROXY_PORT" "http://bogus.invalid"
-test "x$?" = "x0" || FAILED=$((FAILED + 1))
+test "$?" = "0" || FAILED=$((FAILED + 1))
 }
 
 basic_test
@@ -259,10 +261,11 @@ ext_test
 
 echo "$FAILED errors"
 
-if test "x$TINYPROXY_TESTS_WAIT" = "xyes"; then
+if test "$TINYPROXY_TESTS_WAIT" = "yes"; then
 	echo "You can continue using the webserver and tinyproxy."
-	echo -n "hit <enter> to stop the servers and exit: "
-	read READ
+	 rintf "hit <enter> to stop the servers and exit: "
+	read -r READ
+    echo "$READ" > /dev/null
 fi
 
 stop_tinyproxy

From f1347866a0b3155ca349f7e7917c75027cb00d2c Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 13 Feb 2025 15:29:44 +0100
Subject: [PATCH 19/37] tests: fix shellcheck issues in run_tests_valgrind.sh

This fixes instances of:

https://shellcheck.net/wiki/SC2086 (info): Double quote to prevent globbing and word splitting.
https://shellcheck.net/wiki/SC2034 (warning): BASEDIR appears unused.

Signed-off-by: Michael Adam <obnox@samba.org>
---
 tests/scripts/run_tests_valgrind.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/scripts/run_tests_valgrind.sh b/tests/scripts/run_tests_valgrind.sh
index 72b21154..1ebb4f71 100755
--- a/tests/scripts/run_tests_valgrind.sh
+++ b/tests/scripts/run_tests_valgrind.sh
@@ -18,11 +18,10 @@
 # this program; if not, see <http://www.gnu.org/licenses/>.
 
 
-SCRIPTS_DIR=$(dirname $0)
-BASEDIR=$SCRIPTS_DIR/../..
+SCRIPTS_DIR=$(dirname "$0")
 TESTS_DIR=$SCRIPTS_DIR/..
 TESTENV_DIR=$TESTS_DIR/env
 LOG_DIR=$TESTENV_DIR/var/log
 
-VALGRIND="valgrind --track-origins=yes --show-leak-kinds=all --tool=memcheck --leak-check=full --log-file=$LOG_DIR/valgrind.log" $SCRIPTS_DIR/run_tests.sh
+VALGRIND="valgrind --track-origins=yes --show-leak-kinds=all --tool=memcheck --leak-check=full --log-file=$LOG_DIR/valgrind.log" "$SCRIPTS_DIR"/run_tests.sh
 

From acd99f15b959777252825d7ebc50b067db9b136f Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Wed, 12 Feb 2025 18:57:59 +0100
Subject: [PATCH 20/37] build: add `make shellcheck`

This can be used to lint shell scripts
for syntactic correctness and style.

It requires shellcheck to be installed on the host.

Signed-off-by: Michael Adam <obnox@samba.org>
---
 Makefile.am | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Makefile.am b/Makefile.am
index 4a3ead6f..f721d58e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -27,6 +27,10 @@ EXTRA_DIST = \
 test: all
 	./tests/scripts/run_tests.sh
 
+.PHONY: shellcheck
+shellcheck:
+	@shellcheck `find . -name '*.sh'`
+
 test-wait:
 	TINYPROXY_TESTS_WAIT=yes $(MAKE) test
 

From 1a02315ce1ed4df64c73877e97c0618809b3d766 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Mon, 10 Feb 2025 19:13:01 +0100
Subject: [PATCH 21/37] CI: add a shellcheck ci workflow

Signed-off-by: Michael Adam <obnox@samba.org>
---
 .github/workflows/shellcheck.yaml | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/shellcheck.yaml

diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
new file mode 100644
index 00000000..7e5edc7b
--- /dev/null
+++ b/.github/workflows/shellcheck.yaml
@@ -0,0 +1,33 @@
+name: shellcheck
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    paths-ignore:
+    branches:
+      - master
+
+# cancel the in-progress workflow when PR is refreshed.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  shellcheck:
+    name: Shellcheck
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: install shellcheck
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y shellcheck
+    - name: Run autogen
+      run: ./autogen.sh
+    - name: Run ShellCheck
+      run: make shellcheck
+

From 0a2da97328a5708d50561cf038c0fb6dc168362a Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Fri, 14 Feb 2025 18:49:26 +0100
Subject: [PATCH 22/37] tests: remove duplicate code from run_tests.sh

Signed-off-by: Michael Adam <obnox@samba.org>
---
 tests/scripts/run_tests.sh | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tests/scripts/run_tests.sh b/tests/scripts/run_tests.sh
index 3bee7687..7b76002b 100755
--- a/tests/scripts/run_tests.sh
+++ b/tests/scripts/run_tests.sh
@@ -146,8 +146,6 @@ start_webserver() {
 	printf "starting web server..."
 	"$WEBSERVER_BIN" --port "$WEBSERVER_PORT" --log-dir "$WEBSERVER_LOG_DIR" --pid-file "$WEBSERVER_PID_FILE"
 	echo " done. listening on $WEBSERVER_IP:$WEBSERVER_PORT"
-	"$WEBSERVER_BIN" --port "$WEBSERVER_PORT" --log-dir "$WEBSERVER_LOG_DIR" --pid-file "$WEBSERVER_PID_FILE"
-	echo " done. listening on $WEBSERVER_IP:$WEBSERVER_PORT"
 }
 
 stop_webserver() {

From d62b7d2871f645d493ccd43734208ce0bdf188ee Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Thu, 1 May 2025 16:36:57 +0000
Subject: [PATCH 23/37] remove unused vsyslog code

due to the use of an invalid macro HAVE_VSYSLOG_H (a corresponding
header doesn't exist on POSIX libcs, plus there was no configure
check setting it), the code here was never compiled in, and the
portable fallback was always used. since the fallback is already
there and known to work as intended, just use it always.

closes #574
---
 src/log.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/log.c b/src/log.c
index 14fc3fe9..a9ff71d2 100644
--- a/src/log.c
+++ b/src/log.c
@@ -165,12 +165,8 @@ void log_message (int level, const char *fmt, ...)
 
         if (config->syslog) {
                 pthread_mutex_lock(&log_mutex);
-#ifdef HAVE_VSYSLOG_H
-                vsyslog (level, fmt, args);
-#else
                 vsnprintf (str, STRING_LENGTH, fmt, args);
                 syslog (level, "%s", str);
-#endif
                 pthread_mutex_unlock(&log_mutex);
         } else {
                 char *p;

From d54e9a7a04a37edb429d311474a4a618bb28f240 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Thu, 1 May 2025 16:41:07 +0000
Subject: [PATCH 24/37] remove unused strlcat checks and fallback code

the function isn't used anywhere in the current codebase, so don't
waste user's time checking for it.
---
 configure.ac |  2 +-
 src/text.c   | 24 ------------------------
 src/text.h   |  4 ----
 3 files changed, 1 insertion(+), 29 deletions(-)

diff --git a/configure.ac b/configure.ac
index 37e7d276..329c5633 100644
--- a/configure.ac
+++ b/configure.ac
@@ -146,7 +146,7 @@ AC_CHECK_HEADERS([sys/ioctl.h alloca.h memory.h malloc.h sysexits.h \
 dnl Checks for libary functions
 AC_FUNC_LSTAT_FOLLOWS_SLASHED_SYMLINK
 
-AC_CHECK_FUNCS([strlcpy strlcat setgroups])
+AC_CHECK_FUNCS([strlcpy setgroups])
 
 dnl Enable extra warnings
 DESIRED_FLAGS="-fdiagnostics-show-option -Wall -Wextra -Wno-unused-parameter -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wfloat-equal -Wundef -Wformat=2 -Wlogical-op -Wmissing-include-dirs -Wformat-nonliteral -Wold-style-definition -Wpointer-arith -Waggregate-return -Winit-self -Wpacked --std=c89 -ansi -Wno-overlength-strings -Wno-long-long -Wno-overlength-strings -Wdeclaration-after-statement -Wredundant-decls -Wmissing-noreturn -Wshadow -Wendif-labels -Wcast-qual -Wcast-align -Wwrite-strings -Wp,-D_FORTIFY_SOURCE=2 -fno-common"
diff --git a/src/text.c b/src/text.c
index 6bd46d22..e4bae39d 100644
--- a/src/text.c
+++ b/src/text.c
@@ -47,30 +47,6 @@ size_t strlcpy (char *dst, const char *src, size_t size)
 }
 #endif
 
-#ifndef HAVE_STRLCAT
-/*
- * Function API taken from OpenBSD. Like strncat(), but does not 0 fill the
- * buffer, and always NULL terminates the buffer. size is the length of the
- * buffer, which should be one more than the maximum resulting string
- * length.
- */
-size_t strlcat (char *dst, const char *src, size_t size)
-{
-        size_t len1 = strlen (dst);
-        size_t len2 = strlen (src);
-        size_t ret = len1 + len2;
-
-        if (len1 + len2 >= size)
-                len2 = size - len1 - 1;
-        if (len2 > 0) {
-                memcpy (dst + len1, src, len2);
-                dst[len1 + len2] = '\0';
-        }
-
-        return ret;
-}
-#endif
-
 /*
  * Removes any new-line or carriage-return characters from the end of the
  * string. This function is named after the same function in Perl.
diff --git a/src/text.h b/src/text.h
index 0beb9b11..cfe631ab 100644
--- a/src/text.h
+++ b/src/text.h
@@ -21,10 +21,6 @@
 #ifndef TINYPROXY_TEXT_H
 #define TINYPROXY_TEXT_H
 
-#ifndef HAVE_STRLCAT
-extern size_t strlcat (char *dst, const char *src, size_t size);
-#endif /* HAVE_STRLCAT */
-
 #ifndef HAVE_STRLCPY
 extern size_t strlcpy (char *dst, const char *src, size_t size);
 #endif /* HAVE_STRLCPY */

From 8b02f86ce0a416a58475d8b7ca5addca43242fee Mon Sep 17 00:00:00 2001
From: tangaac <tangyan01@loongson.cn>
Date: Wed, 7 May 2025 09:15:21 +0800
Subject: [PATCH 25/37] remove redundant config_directive_entry  CD_NIL

---
 src/conf-tokens.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conf-tokens.c b/src/conf-tokens.c
index c94135fd..4463d230 100644
--- a/src/conf-tokens.c
+++ b/src/conf-tokens.c
@@ -18,7 +18,7 @@ config_directive_find (register const char *str, register size_t len)
   size_t i;
   static const struct config_directive_entry wordlist[] =
     {
-      {"",CD_NIL}, {"",CD_NIL},
+      {"",CD_NIL},
       {"allow", CD_allow},
       {"stathost", CD_stathost},
       {"listen", CD_listen},

From f0033b733bc375758f0694cb6fb39fb3eedd3986 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sat, 21 Jun 2025 10:50:29 +0000
Subject: [PATCH 26/37] tinyproxy.conf.5: add an IPv6 example to allow/deny
 section

closes #578
---
 docs/man5/tinyproxy.conf.txt.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index 873a741f..9938ce19 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -226,7 +226,7 @@ list for Tinyproxy. The order in the config file is important.
 If there are no `Allow` or `Deny` lines, then all clients are
 allowed. Otherwise, the default action is to deny access.
 The argument to `Allow` or `Deny` can be a single IP address
-of a client host, like `127.0.0.1`, an IP address range, like
+of a client host, like `127.0.0.1` or `::1`, an IP address range, like
 `192.168.0.1/24` or a string that will be matched against the
 end of the client host name, i.e, this can be a full host name
 like `host.example.com` or a domain name like `.example.com` or

From 3c0fde94981b025271ffa1788ae425257841bf5a Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Fri, 17 Oct 2025 22:57:39 +0000
Subject: [PATCH 27/37] reqs: fix integer overflow in port number processing

closes #586
---
 src/reqs.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/reqs.c b/src/reqs.c
index 52135a03..a562c68a 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -174,7 +174,7 @@ static int strip_return_port (char *host)
 {
         char *ptr1;
         char *ptr2;
-        int port;
+        unsigned port;
 
         ptr1 = strrchr (host, ':');
         if (ptr1 == NULL)
@@ -186,8 +186,11 @@ static int strip_return_port (char *host)
                 return 0;
 
         *ptr1++ = '\0';
-        if (sscanf (ptr1, "%d", &port) != 1)    /* one conversion required */
-                return 0;
+
+        port = atoi(ptr1);
+        /* check that port string is in the valid range 1-0xffff) */
+        if(strlen(ptr1) > 5 || (port & 0xffff0000)) return 0;
+
         return port;
 }
 

From b383efe77d16dd1b7b9cd94a81dd640c96f8e469 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sat, 7 Mar 2026 14:30:42 +0000
Subject: [PATCH 28/37] fix making of man8

regression from 942d0c6b03673ad816c42176422d7fe691143064
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index 329c5633..2f6f159b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -223,6 +223,7 @@ docs/Makefile
 docs/man5/Makefile
 docs/man5/tinyproxy.conf.txt
 docs/man8/Makefile
+docs/man8/tinyproxy.txt
 m4macros/Makefile
 tests/Makefile
 tests/scripts/Makefile

From baecbf4c3e006fa68ab92f65bbd4138c47ede111 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sat, 7 Mar 2026 14:07:54 +0000
Subject: [PATCH 29/37] release 1.11.3

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index ca717669..0a5af26d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.11.2
+1.11.3

From 86a8f272f6af3975b37f34ce38d4b5e152ff9864 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sun, 8 Mar 2026 16:31:03 +0000
Subject: [PATCH 30/37] version.sh: fix use of non-annotated tags

the script always returned 1.11.0-rc1, because apparently that tag
was annotated, unlike the newer ones.
---
 scripts/version.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/version.sh b/scripts/version.sh
index 03fb3aa0..4ad08b61 100755
--- a/scripts/version.sh
+++ b/scripts/version.sh
@@ -5,7 +5,7 @@ GIT_DIR="${SCRIPT_DIR}/../.git"
 
 if test -d "${GIT_DIR}" ; then
 	if type git >/dev/null 2>&1 ; then
-		gitstr=$(git describe --match '[0-9]*.[0-9]*.*' 2>/dev/null)
+		gitstr=$(git describe --tags --match '[0-9]*.[0-9]*.*' 2>/dev/null)
 		if test "x$?" != x0 ; then
 			sed 's/$/-git/' < VERSION
 		else

From 9240e60f358a86771d9df02f4012a6b8535f2a3a Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sun, 8 Mar 2026 17:03:34 +0000
Subject: [PATCH 31/37] CI: also check that website generation works

---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f077b192..067105da 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -15,6 +15,7 @@ jobs:
     - run: ./configure
     - run: make
     - run: make test
+    - run: cd docs/web ; make
   test-macos:
     runs-on: macos-latest
     steps:

From 1c4af6745a247a7dc17cdf2ffa52e976df08c2bb Mon Sep 17 00:00:00 2001
From: Mohamed Akram <mohd.akram@outlook.com>
Date: Sun, 8 Mar 2026 19:28:09 +0400
Subject: [PATCH 32/37] Fix paths in man page

---
 configure.ac          | 1 -
 docs/man8/Makefile.am | 6 +++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 2f6f159b..329c5633 100644
--- a/configure.ac
+++ b/configure.ac
@@ -223,7 +223,6 @@ docs/Makefile
 docs/man5/Makefile
 docs/man5/tinyproxy.conf.txt
 docs/man8/Makefile
-docs/man8/tinyproxy.txt
 m4macros/Makefile
 tests/Makefile
 tests/scripts/Makefile
diff --git a/docs/man8/Makefile.am b/docs/man8/Makefile.am
index 17281cd3..28e361ef 100644
--- a/docs/man8/Makefile.am
+++ b/docs/man8/Makefile.am
@@ -29,8 +29,12 @@ else
 	@echo "*** pod2man is required to regenerate $(@) ***"; exit 1;
 endif
 
+CLEANFILES = \
+	tinyproxy.txt
+
 MAINTAINERCLEANFILES = \
 	$(MAN8_FILES:.txt=.8)
 
 EXTRA_DIST = \
-	$(MAN8_FILES:.txt=.8)
+	$(MAN8_FILES:.txt=.8) \
+	tinyproxy.txt.in

From 969852ccdb1d19d7ed302f0e1d324661be641e0a Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Thu, 12 Mar 2026 14:26:24 +0000
Subject: [PATCH 33/37] reqs: check negative length values when reading chunked
 data

this could lead to a DoS when a legitimate client reads from an
attacker-controlled web server.

closes #597
---
 src/reqs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/reqs.c b/src/reqs.c
index a562c68a..94ce7673 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -613,6 +613,7 @@ static int pull_client_data_chunked (struct conn_s *connptr) {
                 }
 
                 chunklen = strtol (buffer, (char**)0, 16);
+                if (chunklen < 0) goto ERROR_EXIT;
 
                 if (pull_client_data (connptr, chunklen+2, 0) < 0)
                         goto ERROR_EXIT;

From e77570a56ccd3e2a2aaa6b1d75761be815ab7b5c Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sat, 28 Mar 2026 18:22:03 +0100
Subject: [PATCH 34/37] fix catching timed-out socket (#599)

due to some ancient piece of code that's supposed to fix a bug
in 1990's internet explorer, sockets were switched between blocking
and non-blocking mode, making it hard to differentiate when
socket timeouts kicked in.

with the IE bug workaround removed, sockets are now always in
blocking mode so we no longer need to catch EAGAIN/EWOULDBLOCK
and treat them specially, they are now always treated as an
error (whenever they are returned, the timeout kicked in).

this should fix once and for all the cases where tinyproxy
would not respect the user-provided socket timeouts, potentially
causing endless loops.

closes #598
---
 src/buffer.c | 14 -----------
 src/reqs.c   | 67 ++++++----------------------------------------------
 src/sock.c   | 27 ---------------------
 src/sock.h   |  3 ---
 4 files changed, 7 insertions(+), 104 deletions(-)

diff --git a/src/buffer.c b/src/buffer.c
index b3381838..4cf15a0f 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -241,13 +241,6 @@ ssize_t read_buffer (int fd, struct buffer_s * buffptr)
                 bytesin = -1;
         } else {
                 switch (errno) {
-#ifdef EWOULDBLOCK
-                case EWOULDBLOCK:
-#else
-#  ifdef EAGAIN
-                case EAGAIN:
-#  endif
-#endif
                 case EINTR:
                         bytesin = 0;
                         break;
@@ -295,13 +288,6 @@ ssize_t write_buffer (int fd, struct buffer_s * buffptr)
                 return bytessent;
         } else {
                 switch (errno) {
-#ifdef EWOULDBLOCK
-                case EWOULDBLOCK:
-#else
-#  ifdef EAGAIN
-                case EAGAIN:
-#  endif
-#endif
                 case EINTR:
                         return 0;
                 case ENOBUFS:
diff --git a/src/reqs.c b/src/reqs.c
index 94ce7673..a82fff34 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -524,11 +524,10 @@ static struct request_s *process_request (struct conn_s *connptr,
  * server headers can be processed.
  *	- rjkaes
  */
-static int pull_client_data (struct conn_s *connptr, long int length, int iehack)
+static int pull_client_data (struct conn_s *connptr, long int length)
 {
         char *buffer;
         ssize_t len;
-        int ret;
 
         buffer =
             (char *) safemalloc (min (MAXBUFFSIZE, (unsigned long int) length));
@@ -549,43 +548,6 @@ static int pull_client_data (struct conn_s *connptr, long int length, int iehack
                 length -= len;
         } while (length > 0);
 
-        if (iehack) {
-                /*
-                 * BUG FIX: Internet Explorer will leave two bytes (carriage
-                 * return and line feed) at the end of a POST message.  These
-                 * need to be eaten for tinyproxy to work correctly.
-                 */
-                ret = socket_nonblocking (connptr->client_fd);
-                if (ret != 0) {
-                        log_message(LOG_ERR, "Failed to set the client socket "
-                                    "to non-blocking: %s", strerror(errno));
-                        goto ERROR_EXIT;
-                }
-        
-                len = recv (connptr->client_fd, buffer, 2, MSG_PEEK);
-        
-                ret = socket_blocking (connptr->client_fd);
-                if (ret != 0) {
-                        log_message(LOG_ERR, "Failed to set the client socket "
-                                    "to blocking: %s", strerror(errno));
-                        goto ERROR_EXIT;
-                }
-        
-                if (len < 0 && errno != EAGAIN)
-                        goto ERROR_EXIT;
-        
-                if ((len == 2) && CHECK_CRLF (buffer, len)) {
-                        ssize_t bytes_read;
-        
-                        bytes_read = read (connptr->client_fd, buffer, 2);
-                        if (bytes_read == -1) {
-                                log_message
-                                        (LOG_WARNING,
-                                         "Could not read two bytes from POST message");
-                        }
-                }
-        }
-
         safefree (buffer);
         return 0;
 
@@ -615,7 +577,7 @@ static int pull_client_data_chunked (struct conn_s *connptr) {
                 chunklen = strtol (buffer, (char**)0, 16);
                 if (chunklen < 0) goto ERROR_EXIT;
 
-                if (pull_client_data (connptr, chunklen+2, 0) < 0)
+                if (pull_client_data (connptr, chunklen+2) < 0)
                         goto ERROR_EXIT;
 
                 if(!chunklen) break;
@@ -1008,7 +970,7 @@ process_client_headers (struct conn_s *connptr, pseudomap *hashofheaders)
 PULL_CLIENT_DATA:
         if (connptr->content_length.client > 0) {
                 ret = pull_client_data (connptr,
-                                        connptr->content_length.client, 1);
+                                        connptr->content_length.client);
         } else if (connptr->content_length.client == -2)
                 ret = pull_client_data_chunked (connptr);
 
@@ -1195,8 +1157,8 @@ static int process_server_headers (struct conn_s *connptr)
 }
 
 /*
- * Switch the sockets into nonblocking mode and begin relaying the bytes
- * between the two connections. We continue to use the buffering code
+ * Begin relaying the bytes between the two connections.
+ * We continue to use the buffering code
  * since we want to be able to buffer a certain amount for slower
  * connections (as this was the reason why I originally modified
  * tinyproxy oh so long ago...)
@@ -1269,14 +1231,6 @@ static void relay_connection (struct conn_s *connptr)
         /*
          * Try to send any remaining data to the server if we can.
          */
-        ret = socket_blocking (connptr->server_fd);
-        if (ret != 0) {
-                log_message(LOG_ERR,
-                            "Failed to set server socket to blocking: %s",
-                            strerror(errno));
-                return;
-        }
-
         while (buffer_size (connptr->cbuffer) > 0) {
                 if (write_buffer (connptr->server_fd, connptr->cbuffer) < 0)
                         break;
@@ -1573,16 +1527,9 @@ static void auth_error(struct conn_s *connptr, int code) {
 }
 
 /*
- * This is the main drive for each connection. As you can tell, for the
- * first few steps we are using a blocking socket. If you remember the
- * older tinyproxy code, this use to be a very confusing state machine.
- * Well, no more! :) The sockets are only switched into nonblocking mode
- * when we start the relay portion. This makes most of the original
- * tinyproxy code, which was confusing, redundant. Hail progress.
- * 	- rjkaes
-
+ * This is the main drive for each connection.
  * this function is called directly from child_thread() with the newly
- * received fd from accept(). 
+ * received fd from accept().
  */
 void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
 {
diff --git a/src/sock.c b/src/sock.c
index b3b0920d..ec8ad4c8 100644
--- a/src/sock.c
+++ b/src/sock.c
@@ -212,33 +212,6 @@ int opensock (const char *host, int port, const char *bind_to)
         return sockfd;
 }
 
-/*
- * Set the socket to non blocking -rjkaes
- */
-int socket_nonblocking (int sock)
-{
-        int flags;
-
-        assert (sock >= 0);
-
-        flags = fcntl (sock, F_GETFL, 0);
-        return fcntl (sock, F_SETFL, flags | O_NONBLOCK);
-}
-
-/*
- * Set the socket to blocking -rjkaes
- */
-int socket_blocking (int sock)
-{
-        int flags;
-
-        assert (sock >= 0);
-
-        flags = fcntl (sock, F_GETFL, 0);
-        return fcntl (sock, F_SETFL, flags & ~O_NONBLOCK);
-}
-
-
 /**
  * Try to listen on one socket based on the addrinfo
  * as returned from getaddrinfo.
diff --git a/src/sock.h b/src/sock.h
index 70c44739..9763490d 100644
--- a/src/sock.h
+++ b/src/sock.h
@@ -53,9 +53,6 @@ union sockaddr_union {
 extern int opensock (const char *host, int port, const char *bind_to);
 extern int listen_sock (const char *addr, uint16_t port, sblist* listen_fds);
 
-extern int socket_nonblocking (int sock);
-extern int socket_blocking (int sock);
-
 extern void set_socket_timeout(int fd);
 
 extern int getsock_ip (int fd, char *ipaddr);

From bb7edc4778041b3bc8ad7fca448b67d98039cc7d Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sun, 29 Mar 2026 16:48:54 +0200
Subject: [PATCH 35/37] reqs: prevent potential int overflow when parsing
 chunked data (#603)

follow-up to 969852ccdb1d19d7ed302f0e1d324661be641e0a

closes #602
---
 src/reqs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/reqs.c b/src/reqs.c
index a82fff34..34a715c2 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -575,7 +575,8 @@ static int pull_client_data_chunked (struct conn_s *connptr) {
                 }
 
                 chunklen = strtol (buffer, (char**)0, 16);
-                if (chunklen < 0) goto ERROR_EXIT;
+                /* prevent negative or huge values causing overflow */
+                if (chunklen < 0 || chunklen > 0x0fffffff) goto ERROR_EXIT;
 
                 if (pull_client_data (connptr, chunklen+2) < 0)
                         goto ERROR_EXIT;

From 879bf844abffa0bf5fae6aff0c73179024dd9f98 Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Fri, 3 Apr 2026 11:21:23 +0200
Subject: [PATCH 36/37] reqs: fix case-sensitive matching of "chunked" (#605)

the chunked transfer encoding needs to be matched in a case-
insensitive manner.

closes #604
---
 src/reqs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/reqs.c b/src/reqs.c
index 34a715c2..a0fdd87d 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -812,7 +812,7 @@ static int is_chunked_transfer (pseudomap *hashofheaders)
 {
         char *data;
         data = pseudomap_find (hashofheaders, "transfer-encoding");
-        return data ? !strcmp (data, "chunked") : 0;
+        return data ? !strcasecmp (data, "chunked") : 0;
 }
 
 /*

From 09312a185ae25cc486b4ff5987638a7917a48bce Mon Sep 17 00:00:00 2001
From: rofl0r <rofl0r@users.noreply.github.com>
Date: Sat, 18 Apr 2026 00:03:15 +0200
Subject: [PATCH 37/37] reqs: improve stathost detection (#606)

until now, only the basicauth code checked the host header, regular connections didn't.

- add a new helper function to compare a hostname with optional
  trailingcolon/port against the stathost.
- add stathost check via host header before transparent proxy check,
  else stathost might be misdetected as a trans host request.
- refactor existing stathost checks to use the new helper

this should make it easier to access the stathost, for example by
injecting a host header into a curl command line with -H:

    $ curl -H "Host: tinyproxy.stats" 127.0.0.1:8080

the stathost can also be specified as an ip address, e.g.
Stathost "127.0.0.10" + a separate Listen statement for that ip.
in such a case e.g.

    $ curl http://127.0.0.10:8080

would work too, even if curl didn't add a Host header (but it does anyway).
---
 src/reqs.c | 37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/src/reqs.c b/src/reqs.c
index a0fdd87d..2e7542cb 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -316,6 +316,17 @@ static int send_connect_method_response (struct conn_s *connptr)
                                       connptr->protocol.minor);
 }
 
+/* determine whether a hostname with optional trailing colon/port is the
+   stathost */
+static int is_stathost (const char* host)
+{
+        const char *p = config->stathost;
+        const char *q = host;
+        if (!p || !q) return 0;
+        while (*p && *(p++) == *(q++));
+        return *p == 0 && (*q == 0 || *q == ':');
+}
+
 /*
  * Break the request line apart and figure out where to connect and
  * build a new request line. Finally connect to the remote server.
@@ -384,6 +395,16 @@ static struct request_s *process_request (struct conn_s *connptr,
                 goto fail;
         }
 
+        /*
+         * Check to see if they're requesting the stat host
+         */
+        if (is_stathost (pseudomap_find (hashofheaders, "host"))) {
+got_stathost:
+                log_message (LOG_NOTICE, "Request for the stathost.");
+                connptr->show_stats = TRUE;
+                goto fail;
+        }
+
 #ifdef REVERSE_SUPPORT
         if (config->reversepath_list != NULL) {
                 /*
@@ -497,19 +518,11 @@ static struct request_s *process_request (struct conn_s *connptr,
                 }
         }
 #endif
-
-
-        /*
-         * Check to see if they're requesting the stat host
-         */
-        if (config->stathost && strcmp (config->stathost, request->host) == 0) {
-                log_message (LOG_NOTICE, "Request for the stathost.");
-                connptr->show_stats = TRUE;
-                goto fail;
-        }
+        /* check whether hostname from url is the stathost */
+        if (is_stathost (request->host))
+                goto got_stathost;
 
         safefree (url);
-
         return request;
 
 fail:
@@ -1630,7 +1643,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
 
                 if (!authstring && config->stathost) {
                         authstring = pseudomap_find (hashofheaders, "host");
-                        if (authstring && !strncmp(authstring, config->stathost, strlen(config->stathost))) {
+                        if (authstring && is_stathost(authstring)) {
                                 authstring = pseudomap_find (hashofheaders, "authorization");
                                 stathost_connect = 1;
                         } else authstring = 0;