diff --git a/index.html b/index.html index 7f98409..6d7c673 100644 --- a/index.html +++ b/index.html @@ -1,7 +1,7 @@ - SVR.JS 3.14.11 + SVR.JS 3.14.12 -

Welcome to SVR.JS 3.14.11

+

Welcome to SVR.JS 3.14.12



@@ -84,9 +84,7 @@

Changes:

Tests
diff --git a/licenses/index.html b/licenses/index.html index 17ce22a..8be90ac 100644 --- a/licenses/index.html +++ b/licenses/index.html @@ -1,7 +1,7 @@ - SVR.JS 3.14.11 Licenses + SVR.JS 3.14.12 Licenses -

SVR.JS 3.14.11 Licenses

-

SVR.JS 3.14.11

+

SVR.JS 3.14.12 Licenses

+

SVR.JS 3.14.12

MIT License

@@ -37,7 +37,7 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-

Packages used by SVR.JS 3.14.11

+

Packages used by SVR.JS 3.14.12

License: MIT
diff --git a/svr.js b/svr.js index e7dccc8..6607add 100644 --- a/svr.js +++ b/svr.js @@ -69,7 +69,7 @@ function deleteFolderRecursive(path) { } var os = require("os"); -var version = "3.14.11"; +var version = "3.14.12"; var singlethreaded = false; if (process.versions) process.versions.svrjs = version; // Inject SVR.JS into process.versions @@ -590,7 +590,7 @@ function ipMatch(IP1, IP2) { // Normalize or expand IP addresses IP1 = IP1.toLowerCase(); if (IP1 == "localhost") IP1 = "::1"; - if (IP1.indexOf("::ffff:") == 0) IP1 = IP1.substr(7); + if (IP1.indexOf("::ffff:") == 0) IP1 = IP1.substring(7); if (IP1.indexOf(":") > -1) { IP1 = expandIPv6Address(IP1); } else { @@ -599,7 +599,7 @@ function ipMatch(IP1, IP2) { IP2 = IP2.toLowerCase(); if (IP2 == "localhost") IP2 = "::1"; - if (IP2.indexOf("::ffff:") == 0) IP2 = IP2.substr(7); + if (IP2.indexOf("::ffff:") == 0) IP2 = IP2.substring(7); if (IP2.indexOf(":") > -1) { IP2 = expandIPv6Address(IP2); } else { @@ -616,7 +616,7 @@ function checkForEnabledDirectoryListing(hostname, localAddress) { if (typeof hostnameM == "undefined" || hostnameM == "*") { return true; } else if (hostname && hostnameM.indexOf("*.") == 0 && hostnameM != "*.") { - var hostnamesRoot = hostnameM.substr(2); + var hostnamesRoot = hostnameM.substring(2); if (hostname == hostnamesRoot || (hostname.length > hostnamesRoot.length && hostname.indexOf("." + hostnamesRoot) == hostname.length - hostnamesRoot.length - 1)) { return true; } @@ -783,7 +783,7 @@ function ipBlockList(rawBlockList) { // Normalize the IP address or expand the IPv6 address rawValue = rawValue.toLowerCase(); - if (rawValue.indexOf("::ffff:") == 0) rawValue = rawValue.substr(7); + if (rawValue.indexOf("::ffff:") == 0) rawValue = rawValue.substring(7); if (rawValue.indexOf(":") > -1) { isIPv6 = true; rawValue = expandIPv6Address(rawValue); @@ -838,7 +838,7 @@ function ipBlockList(rawBlockList) { // Normalize or expand the IP address rawValue = rawValue.toLowerCase(); if (rawValue == "localhost") rawValue = "::1"; - if (rawValue.indexOf("::ffff:") == 0) rawValue = rawValue.substr(7); + if (rawValue.indexOf("::ffff:") == 0) rawValue = rawValue.substring(7); if (rawValue.indexOf(":") > -1) { isIPv6 = true; rawValue = expandIPv6Address(rawValue); @@ -1659,7 +1659,7 @@ if (!disableMods) { if (fs.existsSync(SSJSPath) && fs.statSync(SSJSPath).isFile()) { try { // Prepend necessary modules and variables to the custom server side script - var modhead = "var readline = require('readline');\r\nvar os = require('os');\r\nvar http = require('http');\r\nvar url = require('url');\r\nvar fs = require('fs');\r\nvar path = require('path');\r\n" + (hexstrbase64 === undefined ? "" : "var hexstrbase64 = require('../hexstrbase64/index.js');\r\n") + (crypto.__disabled__ === undefined ? "var crypto = require('crypto');\r\nvar https = require('https');\r\n" : "") + "var stream = require('stream');\r\nvar customvar1;\r\nvar customvar2;\r\nvar customvar3;\r\nvar customvar4;\r\n\r\nfunction Mod() {}\r\nMod.prototype.callback = function callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, defaultpage, users, page404, head, foot, fd, elseCallback, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData, authUser) {\r\nreturn function () {\r\nvar disableEndElseCallbackExecute = false;\r\nfunction filterHeaders(e){var r={};return Object.keys(e).forEach((function(t){null!==e[t]&&void 0!==e[t]&&(\"object\"==typeof e[t]?r[t]=JSON.parse(JSON.stringify(e[t])):r[t]=e[t])})),r}\r\nfunction checkHostname(e){if(void 0===e||\"*\"==e)return!0;if(req.headers.host&&0==e.indexOf(\"*.\")&&\"*.\"!=e){var r=e.substr(2);if(req.headers.host==r||req.headers.host.indexOf(\".\"+r)==req.headers.host.length-r.length-1)return!0}else if(req.headers.host&&req.headers.host==e)return!0;return!1}\r\nfunction checkHref(e){return href==e||\"win32\"==os.platform()&&href.toLowerCase()==e.toLowerCase()}\r\n"; + var modhead = "var readline = require('readline');\r\nvar os = require('os');\r\nvar http = require('http');\r\nvar url = require('url');\r\nvar fs = require('fs');\r\nvar path = require('path');\r\n" + (hexstrbase64 === undefined ? "" : "var hexstrbase64 = require('../hexstrbase64/index.js');\r\n") + (crypto.__disabled__ === undefined ? "var crypto = require('crypto');\r\nvar https = require('https');\r\n" : "") + "var stream = require('stream');\r\nvar customvar1;\r\nvar customvar2;\r\nvar customvar3;\r\nvar customvar4;\r\n\r\nfunction Mod() {}\r\nMod.prototype.callback = function callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, defaultpage, users, page404, head, foot, fd, elseCallback, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData, authUser) {\r\nreturn function () {\r\nvar disableEndElseCallbackExecute = false;\r\nfunction filterHeaders(e){var r={};return Object.keys(e).forEach((function(t){null!==e[t]&&void 0!==e[t]&&(\"object\"==typeof e[t]?r[t]=JSON.parse(JSON.stringify(e[t])):r[t]=e[t])})),r}\r\nfunction checkHostname(e){if(void 0===e||\"*\"==e)return!0;if(req.headers.host&&0==e.indexOf(\"*.\")&&\"*.\"!=e){var r=e.substring(2);if(req.headers.host==r||req.headers.host.indexOf(\".\"+r)==req.headers.host.length-r.length-1)return!0}else if(req.headers.host&&req.headers.host==e)return!0;return!1}\r\nfunction checkHref(e){return href==e||\"win32\"==os.platform()&&href.toLowerCase()==e.toLowerCase()}\r\n"; var modfoot = "\r\nif(!disableEndElseCallbackExecute) {\r\ntry{\r\nelseCallback();\r\n} catch(err) {\r\n}\r\n}\r\n}\r\n}\r\nmodule.exports = Mod;"; // Write the modified server side script to the temp folder fs.writeFileSync(__dirname + "/temp/" + tempServerSideScriptName, modhead + fs.readFileSync(SSJSPath) + modfoot); @@ -2421,7 +2421,7 @@ if (!cluster.isPrimary) { // Determine error file function getErrorFileName(list, callback, _i) { - if (err.code == "ERR_SSL_HTTP_REQUEST" && process.version && parseInt(process.version.split(".")[0].substr(1)) >= 16) { + if (err.code == "ERR_SSL_HTTP_REQUEST" && process.version && parseInt(process.version.split(".")[0].substring(1)) >= 16) { // Disable custom error page for HTTP SSL error callback(errorCode.toString() + ".html"); return; @@ -2516,7 +2516,7 @@ if (!cluster.isPrimary) { } cheaders["Content-Type"] = "text/html; charset=utf-8"; if (errorCode == 405 && !cheaders["Allow"]) cheaders["Allow"] = "GET, POST, HEAD, OPTIONS"; - if (err.code == "ERR_SSL_HTTP_REQUEST" && process.version && parseInt(process.version.split(".")[0].substr(1)) >= 16) { + if (err.code == "ERR_SSL_HTTP_REQUEST" && process.version && parseInt(process.version.split(".")[0].substring(1)) >= 16) { // Disable custom error page for HTTP SSL error res.writeHead(errorCode, http.STATUS_CODES[errorCode], cheaders); res.write(("{errorMessage}

{errorMessage}

{errorDesc}

{server}

").replace(/{errorMessage}/g, errorCode.toString() + " " + http.STATUS_CODES[errorCode].replace(/&/g, "&").replace(//g, ">")).replace(/{errorDesc}/g, serverHTTPErrorDescs[errorCode]).replace(/{stack}/g, stack.replace(/&/g, "&").replace(//g, ">").replace(/\r\n/g, "
").replace(/\n/g, "
").replace(/\r/g, "
").replace(/ {2}/g, "  ")).replace(/{server}/g, "" + ((exposeServerVersion ? "SVR.JS/" + version + " (" + getOS() + "; " + (process.isBun ? ("Bun/v" + process.versions.bun + "; like Node.JS/" + process.version) : ("Node.JS/" + process.version)) + ")" : "SVR.JS") + ((!exposeModsInErrorPages || extName == undefined) ? "" : " " + extName)).replace(/&/g, "&").replace(//g, ">")).replace(/{contact}/g, serverAdmin.replace(/&/g, "&").replace(//g, ">").replace(/\./g, "[dot]").replace(/@/g, "[at]"))); @@ -2857,7 +2857,7 @@ if (!cluster.isPrimary) { if (typeof hostname == "undefined" || hostname == "*") { return true; } else if (req.headers.host && hostname.indexOf("*.") == 0 && hostname != "*.") { - var hostnamesRoot = hostname.substr(2); + var hostnamesRoot = hostname.substring(2); if (req.headers.host == hostnamesRoot || (req.headers.host.length > hostnamesRoot.length && req.headers.host.indexOf("." + hostnamesRoot) == req.headers.host.length - hostnamesRoot.length - 1)) { return true; } @@ -3316,7 +3316,7 @@ if (!cluster.isPrimary) { // Adjust the pathname and href properties if the URI doesn't start with "/" if (preparedURI.indexOf("/") != 0) { if (nuobject.pathname) { - nuobject.pathname = nuobject.pathname.substr(1); + nuobject.pathname = nuobject.pathname.substring(1); nuobject.href = nuobject.pathname + (nuobject.search ? nuobject.search : ""); } } @@ -3352,7 +3352,7 @@ if (!cluster.isPrimary) { var search = uobject.search; var href = uobject.pathname; var ext = path.extname(href).toLowerCase(); - ext = ext.substr(1, ext.length); + ext = ext.substring(1, ext.length + 1); var decodedHref = ""; try { decodedHref = decodeURIComponent(href); @@ -3489,20 +3489,14 @@ if (!cluster.isPrimary) { return; } - var pth = decodeURIComponent(href).replace(/\/+/g, "/").substr(1); + var pth = decodeURIComponent(href).replace(/\/+/g, "/").substring(1); var readFrom = "./" + pth; + var dirImagesMissing = false; fs.stat(readFrom, function (err, stats) { if (err) { if (err.code == "ENOENT") { if (__dirname != process.cwd() && pth.match(/^\.dirimages\/(?:(?!\.png$).)+\.png$/)) { - stats = { - isDirectory: function isDirectory() { - return false; - }, - isFile: function isFile() { - return true; - } - }; + dirImagesMissing = true; readFrom = __dirname + "/" + pth; } else { callServerError(404); @@ -3534,7 +3528,7 @@ if (!cluster.isPrimary) { } // Check if index file exists - if (req.url == "/" || stats.isDirectory()) { + if (!dirImagesMissing && (req.url == "/" || stats.isDirectory())) { fs.stat((readFrom + "/index.html").replace(/\/+/g, "/"), function (e, s) { if (e || !s.isFile()) { fs.stat((readFrom + "/index.htm").replace(/\/+/g, "/"), function (e, s) { @@ -3566,6 +3560,15 @@ if (!cluster.isPrimary) { properDirectoryListingAndStaticFileServe(); } }); + } else if (dirImagesMissing) { + fs.stat(readFrom, function (e, s) { + if (e || !s.isFile()) { + properDirectoryListingAndStaticFileServe(); + } else { + stats = s; + properDirectoryListingAndStaticFileServe(); + } + }); } else { properDirectoryListingAndStaticFileServe(); } @@ -4103,7 +4106,7 @@ if (!cluster.isPrimary) { search = uobject.search; href = uobject.pathname; ext = path.extname(href).toLowerCase(); - ext = ext.substr(1, ext.length); + ext = ext.substring(1, ext.length + 1); try { decodedHref = decodeURIComponent(href); } catch (err) { @@ -4260,7 +4263,7 @@ if (!cluster.isPrimary) { if (currentPostfixPrefix.match(/\/+$/)) postfixPrefix = currentPostfixPrefix.replace(/\/+$/, ""); else if (urlWithPostfix.length == currentPostfixPrefix.length || urlWithPostfix[currentPostfixPrefix.length] == "?" || urlWithPostfix[currentPostfixPrefix.length] == "/" || urlWithPostfix[currentPostfixPrefix.length] == "#") postfixPrefix = currentPostfixPrefix; else return true; - urlWithPostfix = urlWithPostfix.substr(postfixPrefix.length); + urlWithPostfix = urlWithPostfix.substring(postfixPrefix.length); return false; } else { return true; @@ -4281,7 +4284,7 @@ if (!cluster.isPrimary) { search = uobject.search; href = uobject.pathname; ext = path.extname(href).toLowerCase(); - ext = ext.substr(1, ext.length); + ext = ext.substring(1, ext.length + 1); try { decodedHref = decodeURIComponent(href); @@ -4316,7 +4319,7 @@ if (!cluster.isPrimary) { search = uobject.search; href = uobject.pathname; ext = path.extname(href).toLowerCase(); - ext = ext.substr(1, ext.length); + ext = ext.substring(1, ext.length + 1); try { decodedHref = decodeURIComponent(href); } catch (err) { @@ -4342,7 +4345,7 @@ if (!cluster.isPrimary) { search = uobject.search; href = uobject.pathname; ext = path.extname(href).toLowerCase(); - ext = ext.substr(1, ext.length); + ext = ext.substring(1, ext.length + 1); try { decodedHref = decodeURIComponent(href); @@ -4377,7 +4380,7 @@ if (!cluster.isPrimary) { search = uobject.search; href = uobject.pathname; ext = path.extname(href).toLowerCase(); - ext = ext.substr(1, ext.length); + ext = ext.substring(1, ext.length + 1); try { decodedHref = decodeURIComponent(href); } catch (err) { @@ -4773,8 +4776,8 @@ function listenConnListener(msg) { function bruteForceListenerWrapper(worker) { return function bruteForceListener(message) { var ip = ""; - if (message.substr(0, 6) == "\x12AUTHQ") { - ip = message.substr(6); + if (message.substring(0, 6) == "\x12AUTHQ") { + ip = message.substring(6); if (!bruteForceDb[ip] || !bruteForceDb[ip].lastAttemptDate || (new Date() - 300000 >= bruteForceDb[ip].lastAttemptDate)) { if (bruteForceDb[ip] && bruteForceDb[ip].invalidAttempts >= 10) bruteForceDb[ip] = { invalidAttempts: 5 @@ -4783,13 +4786,13 @@ function bruteForceListenerWrapper(worker) { } else { worker.send("\x14AUTHD" + ip); } - } else if (message.substr(0, 6) == "\x12AUTHR") { - ip = message.substr(6); + } else if (message.substring(0, 6) == "\x12AUTHR") { + ip = message.substring(6); if (bruteForceDb[ip]) bruteForceDb[ip] = { invalidAttempts: 0 }; - } else if (message.substr(0, 6) == "\x12AUTHW") { - ip = message.substr(6); + } else if (message.substring(0, 6) == "\x12AUTHW") { + ip = message.substring(6); if (!bruteForceDb[ip]) bruteForceDb[ip] = { invalidAttempts: 0 }; @@ -4815,7 +4818,7 @@ function msgListener(msg) { } if (msg == "\x12CLOSE") { closedMaster = true; - } else if (msg == "\x12LISTEN" || msg.substr(0, 4) == "\x12AUTH") { + } else if (msg == "\x12LISTEN" || msg.substring(0, 4) == "\x12AUTH") { // Do nothing! } else if (msg == "\x12KILLOK") { if (typeof isWorkerHungUpBuff != "undefined") isWorkerHungUpBuff = false; @@ -4826,17 +4829,17 @@ function msgListener(msg) { } else if (msg == "\x12SAVEGOOD") { serverconsole.locmessage("Configuration saved."); } else if (msg.indexOf("\x12SAVEERR") == 0) { - serverconsole.locwarnmessage("There was a problem while saving configuration file. Reason: " + msg.substr(8)); + serverconsole.locwarnmessage("There was a problem while saving configuration file. Reason: " + msg.substring(8)); } else if (msg == "\x12END") { cluster.workers[Object.keys(cluster.workers)[0]].on("message", function (msg) { if (msg.length >= 8 && msg.indexOf("\x12ERRLIST") == 0) { - var tries = parseInt(msg.substr(8, 1)); - var errCode = msg.substr(9); + var tries = parseInt(msg.substring(8, 9)); + var errCode = msg.substring(9); serverconsole.locerrmessage(serverErrorDescs[errCode] ? serverErrorDescs[errCode] : serverErrorDescs["UNKNOWN"]); serverconsole.locmessage(tries + " attempts left."); } if (msg.length >= 9 && msg.indexOf("\x12ERRCRASH") == 0) { - var errno = errors[msg.substr(9)]; + var errno = errors[msg.substring(9)]; process.exit(errno ? errno : 1); } }); @@ -4916,7 +4919,7 @@ function start(init) { if (!process.isBun && /^v(?:[0-9]\.|1[0-7]\.|18\.(?:[0-9]|1[0-8])\.|18\.19\.0|20\.(?:[0-9]|10)\.|20\.11\.0|21\.[0-5]\.|21\.6\.0|21\.6\.1(?![0-9]))/.test(process.version)) serverconsole.locwarnmessage("Your Node.JS version is vulnerable to HTTP server DoS (CVE-2024-22019)."); if (!process.isBun && /^v(?:[0-9]\.|1[0-7]\.|18\.(?:1?[0-9])\.|18\.20\.0|20\.(?:[0-9]|1[01])\.|20\.12\.0|21\.[0-6]\.|21\.7\.0|21\.7\.1(?![0-9]))/.test(process.version)) serverconsole.locwarnmessage("Your Node.JS version is vulnerable to HTTP server request smuggling (CVE-2024-27982)."); if (process.getuid && process.getuid() == 0) serverconsole.locwarnmessage("You're running SVR.JS as root. It's recommended to run SVR.JS as an non-root user. Running SVR.JS as root may increase the risks of OS command execution vulnerabilities."); - if (secure && process.versions && process.versions.openssl && process.versions.openssl.substr(0, 2) == "1.") { + if (secure && process.versions && process.versions.openssl && process.versions.openssl.substring(0, 2) == "1.") { if (new Date() > new Date("11 September 2023")) { serverconsole.locwarnmessage("OpenSSL 1.x is no longer receiving security updates after 11th September 2023. Your HTTPS communication might be vulnerable. It is recommended to update to a newer version of Node.JS that includes OpenSSL 3.0 or higher to ensure the security of your server and data."); } else { @@ -5396,13 +5399,13 @@ function start(init) { } cluster.workers[Object.keys(cluster.workers)[0]].on("message", function (msg) { if (msg.length >= 8 && msg.indexOf("\x12ERRLIST") == 0) { - var tries = parseInt(msg.substr(8, 1)); - var errCode = msg.substr(9); + var tries = parseInt(msg.substring(8, 9)); + var errCode = msg.substring(9); serverconsole.locerrmessage(serverErrorDescs[errCode] ? serverErrorDescs[errCode] : serverErrorDescs["UNKNOWN"]); serverconsole.locmessage(tries + " attempts left."); } if (msg.length >= 9 && msg.indexOf("\x12ERRCRASH") == 0) { - var errno = errors[msg.substr(9)]; + var errno = errors[msg.substring(9)]; process.exit(errno ? errno : 1); } }); diff --git a/tests.html b/tests.html index 16b7770..243540b 100644 --- a/tests.html +++ b/tests.html @@ -1,7 +1,7 @@ - SVR.JS 3.14.11 Tests + SVR.JS 3.14.12 Tests -

SVR.JS 3.14.11 Tests

+

SVR.JS 3.14.12 Tests

Directory (without trailing slash)

Directory (with query)