From 27e62da887c84efc0476165225d97a26331dd147 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Sat, 16 Dec 2023 09:01:30 +0100
Subject: [PATCH] Update to SVR.JS 3.12.2
---
 index.html | 9 +++++----
 licenses/index.html | 8 ++++----
 svr.js | 20 +++++++++++++++++++-
 tests.html | 4 ++--
 4 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/index.html b/index.html
index fcbad35..295e255 100644
--- a/index.html
+++ b/index.html
@@ -1,7 +1,7 @@
- SVR.JS 3.12.1 + SVR.JS 3.12.2 -

Welcome to SVR.JS 3.12.1

+

Welcome to SVR.JS 3.12.2



@@ -134,8 +134,9 @@

Changes:


Tests
diff --git a/licenses/index.html b/licenses/index.html
index 0633669..568c744 100644
--- a/licenses/index.html
+++ b/licenses/index.html
@@ -1,7 +1,7 @@
- SVR.JS 3.12.1 Licenses + SVR.JS 3.12.2 Licenses -

SVR.JS 3.12.1 Licenses

-

SVR.JS 3.12.1

+

SVR.JS 3.12.2 Licenses

+

SVR.JS 3.12.2

MIT License

@@ -37,7 +37,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-

Packages used by SVR.JS 3.12.1

+

Packages used by SVR.JS 3.12.2

License: MIT
diff --git a/svr.js b/svr.js
index b2726d8..06eccce 100644
--- a/svr.js
+++ b/svr.js
@@ -80,7 +80,7 @@ function deleteFolderRecursive(path) {
 }
 var os = require("os");
-var version = "3.12.1";
+var version = "3.12.2";
 var singlethreaded = false;
 if (process.versions) process.versions.svrjs = version; // Inject SVR.JS into process.versions
@@ -1282,6 +1282,7 @@ if (!fs.existsSync(__dirname + "/config.json")) {
 }
 var certificateError = null;
+var sniReDos = false;
 // Load SNI
 if (secure) {
@@ -1291,6 +1292,9 @@ if (secure) {
 var sniNames = Object.keys(sni);
 var sniCredentials = [];
 sniNames.forEach(function (sniName) {
+ if(typeof sniName === "string" && sniName.match(/\*[^*.:]*\*[^*.:]*(?:\.|:|$)/)) {
+ sniReDos = true;
+ }
 sniCredentials.push({
 name: sniName,
 cert: fs.readFileSync((sni[sniName].cert[0] != "/" && !sni[sniName].cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniName].cert : sni[sniName].cert).toString(),
@@ -2111,6 +2115,11 @@ if (!cluster.isPrimary) {
 cert: sniCredentialsSingle.cert,
 key: sniCredentialsSingle.key
 });
+ try {
+ var snMatches = sniCredentialsSingle.name.match(/^([^:[]*|\[[^]]*\]?)((?::.*)?)$/);
+ if(!snMatches[1][0].match(/^\.+$/)) snMatches[1][0] = snMatches[1][0].replace(/\.+$/,"");
+ server._contexts[server._contexts.length-1][0] = new RegExp("^" + snMatches[1].replace(/([.^$+?\-\\[\]{}])/g, "\\$1").replace(/\*/g, "[^.:]*") + ((snMatches[1][0] == "[" || snMatches[1].match(/^(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$/)) ? "" : "\.?") + snMatches[2].replace(/([.^$+?\-\\[\]{}])/g, "\\$1").replace(/\*/g, "[^.]*") + "$", "i");
+ } catch(ex) {}
 });
 }
 server.on("request", reqhandler);
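Review bot: The pattern that sets `sniReDos` is not explained, so a reader cannot tell from the line why two `*` in one host label are refused while `*.a*.b` is accepted; add a comment above the check, e.g. `// Two '*' within one label expand to adjacent [^.:]* quantifiers in the SNI matcher built at listen time, which can backtrack polynomially on a crafted SNI name; refuse such names at startup.` Because the flag is a bare boolean, the startup error cannot say which entry was rejected; consider also recording `sniName` when the flag is set. The forEach callback continues past the hunk.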
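Review bot: `"\.?"` in the new RegExp expression is a string literal, and `\.` is not a recognised JavaScript escape, so as printed the optional-trailing-dot part becomes `.?`, i.e. any one optional character; it should be `"\\.?"`, like the `"\\$1"` replacements on the same line. The trailing-dot strip on the line above works on `snMatches[1][0]`, the first character of the host part, and assigns to a string index, which has no effect in sloppy mode and throws in strict mode (where the empty catch would hide it); the intended form is presumably `if(!snMatches[1].match(/^\.+$/)) snMatches[1] = snMatches[1].replace(/\.+$/,"");`. The escape class `[.^$+?\-\\[\]{}]` leaves `(`, `)` and `|` unescaped, and `catch(ex) {}` discards any failure in building the matcher, so a malformed entry silently falls back to Node's own context lookup; at least log `ex`. The code also writes into `server._contexts`, a private tls.Server field, which deserves a comment naming that dependency for the next Node upgrade.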
@@ -2955,9 +2964,17 @@ if (!cluster.isPrimary) {
 reqcounter++;
+ // Process the Host header
+ var oldHostHeader = req.headers.host;
+ if (typeof req.headers.host == "string") {
+ req.headers.host = req.headers.host.toLowerCase();
+ if(!req.headers.host.match(/^\.+$/)) req.headers.host = req.headers.host.replace(/\.$/g,"");
+ }
+
 if (!isProxy) serverconsole.reqmessage("Client " + ((!reqip || reqip == "") ? "[unknown client]" : (reqip + ((reqport && reqport !== 0) && reqport != "" ? ":" + reqport : ""))) + " wants " + (req.method == "GET" ? "content in " : (req.method == "POST" ? "to post content in " : (req.method == "PUT" ? "to add content in " : (req.method == "DELETE" ? "to delete content in " : (req.method == "PATCH" ? "to patch content in " : "to access content using " + req.method + " method in "))))) + (req.headers.host == undefined ? "" : req.headers.host) + req.url); else serverconsole.reqmessage("Client " + ((!reqip || reqip == "") ? "[unknown client]" : (reqip + ((reqport && reqport !== 0) && reqport != "" ? ":" + reqport : ""))) + " wants " + (req.method == "GET" ? "content in " : (req.method == "POST" ? "to post content in " : (req.method == "PUT" ? "to add content in " : (req.method == "DELETE" ? "to delete content in " : (req.method == "PATCH" ? "to patch content in " : "to access content using " + req.method + " method in "))))) + req.url);
 if (req.headers["user-agent"] != undefined) serverconsole.reqmessage("Client uses " + req.headers["user-agent"]);
+ if (oldHostHeader && oldHostHeader != req.headers.host) serverconsole.resmessage("Host name rewritten: " + oldHostHeader + " => " + req.headers.host);
 var acceptEncoding = req.headers["accept-encoding"];
 if (!acceptEncoding) acceptEncoding = "";
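Review bot: `req.headers.host.replace(/\.$/g,"")` removes a single trailing dot, while the SNI-name normalisation added in the same commit strips every trailing dot with `/\.+$/`, so a Host of `example.com..` is logged as rewritten but still carries one dot into virtual-host matching; `req.headers.host = req.headers.host.replace(/\.+$/,"");` keeps the two consistent (the `g` flag adds nothing with an anchored `$`). A Host that carries a port, such as `example.com.:8080`, is not normalised at all because the dot is no longer at the end of the string, whereas the SNI side splits host and port before stripping. A short why-comment would help here, e.g. `// Normalise Host for matching and logging: lower-case, drop the absolute-FQDN trailing dot unless the header is nothing but dots`. The enclosing request handler starts and ends outside the hunk.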
@@ -4889,6 +4906,7 @@ function start(init) {
 }
 if (certificateError) throw new Error("There was a problem with SSL certificate/private key: " + certificateError.message);
 if (wwwrootError) throw new Error("There was a problem with your web root: " + wwwrootError.message);
+ if (sniReDos) throw new Error("Refusing to start, because the current SNI configuration would make the server vulnerable to ReDoS.");
 }
 // Information about starting the server
diff --git a/tests.html b/tests.html
index 12d7b96..60b1c3a 100644
--- a/tests.html
+++ b/tests.html
@@ -1,7 +1,7 @@
- SVR.JS 3.12.1 Tests + SVR.JS 3.12.2 Tests -
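Review bot: The new refusal message cannot tell the operator which SNI entry caused it, because `sniReDos` is only a boolean set in the SNI-loading loop; recording the offending name there (for example in a variable alongside the flag) and appending it to this message, `"... vulnerable to ReDoS (offending SNI name: " + offendingName + ")."`, would make the failure actionable. Failing closed at startup rather than on the first matching request is the right place for this check. `start(init)` begins outside the hunk.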

SVR.JS 3.12.1 Tests

+

SVR.JS 3.12.2 Tests

Directory (without trailing slash)

Directory (with query)