Privoxy full changelog

Fixed misplaced parentheses.
Changed two regression tests to depend on config directive enable-remote-toggle instead of FEATURE_TOGGLE.

Bug fixes:
Fixed crashes with "listen-addr :8118" (SF Bug #902). The regression was introduced in 3.0.25 beta and reported by Marvin Renich in Debian bug #834941.

Prevent invalid reads in case of corrupt chunk-encoded content. CVE-2016-1982.
Remove empty Host headers in client requests. Previously they would result in invalid reads. CVE-2016-1983.

Fixed a DoS issue in case of client requests with incorrect chunk-encoded body. When compiled with assertions enabled (the default) they could previously cause Privoxy to abort(). Reported by Matthew Daley.
Fixed multiple segmentation faults and memory leaks in the pcrs code. This fix also increases the chances that an invalid pcrs command is rejected as such. Previously some invalid commands would be loaded without error. Note that Privoxy's pcrs sources (action and filter files) are considered trustworthy input and should not be writable by untrusted third-parties.
Fixed an 'invalid read' bug which could at least theoretically cause Privoxy to crash. So far, no crashes have been observed.

Bug fixes:
· If a generated redirect URL contains characters RFC 3986 doesn't permit, they are (re)encoded. Not doing this makes Privoxy versions from 3.0.5 to 3.0.17 susceptible to HTTP response splitting (CWE-113) attacks if the +fast-redirects{check-decoded-url} action is used. - Fix a logic bug that could cause Privoxy to reuse a server socket after it got tainted by a server-header-tagger-induced block that was triggered before the whole server response had been read. If keep-alive was enabled and the request following the blocked one was to the same host and using the same forwarding settings, Privoxy would send it on the tainted server socket. While the server would simply treat it as a pipelined request, Privoxy would later on fail to properly parse the server's response as it would try to parse the unread data from the first response as server headers for the second one. Regression introduced in 3.0.17.

· In case of missing server data, no error message is send to the client if the request arrived on a reused connection. The client is then supposed to silently retry the request without bothering the user. This should significantly reduce the frequency of the quot;No server or forwarder data receivedquot; error message many users reported.
· More reliable detection of prematurely closed client sockets with keep-alive enabled.
· FEATURE_CONNECTION_KEEP_ALIVE is decoupled from FEATURE_CONNECTION_SHARING and now available on all platforms.
· Improved handling of POST requests on reused connections.
· Should fix problems with stalled connections after submitting form data with some browser configurations.
· Fixed various latency calculation issues.
· Allows the client to pass NTLM authentication requests to a forwarding proxy. This was already assumed and hinted to work in 3.0.13 beta but actually didn't. Now it's confirmed to work with IE, Firefox and Chrome.