From 54678c7e25bab6dcbad7fc6796173d0fb8c1ce0a Mon Sep 17 00:00:00 2001
From: Dorian Niemiec <dorian.niemiec@svrjs.org>
Date: Sat, 16 Dec 2023 00:16:04 +0100
Subject: [PATCH] Update to SVR.JS 3.4.40

---
 index.html          | 7 +++----
 licenses/index.html | 8 ++++----
 svr.js              | 5 ++++-
 tests.html          | 4 ++--
 4 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/index.html b/index.html
index 7a8b047..69bec33 100644
--- a/index.html
+++ b/index.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title>SVR.JS 3.4.39</title>
+    <title>SVR.JS 3.4.40</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta charset="UTF-8" />
     <style>
@@ -12,7 +12,7 @@
     </style>
   </head>
   <body>
-    <h1>Welcome to SVR.JS 3.4.39</h1>
+    <h1>Welcome to SVR.JS 3.4.40</h1>
     <br/>
     <img src="/logo.png" style="width: 256px;" />
     <br/>
@@ -119,8 +119,7 @@
     </div>
     <p>Changes:</p>
     <ul>
-      <li>Invalid compression exclusion list regexes no longer crash SVR.JS.</li>
-      <li>Fixed multiple XSS vulnerabilities.</li>
+      <li>SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.</li>
     </ul>
     <br/>
     <a href="/tests.html">Tests</a><br/>
diff --git a/licenses/index.html b/licenses/index.html
index 54d37a2..b6daaab 100644
--- a/licenses/index.html
+++ b/licenses/index.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title>SVR.JS 3.4.39 Licenses</title>
+    <title>SVR.JS 3.4.40 Licenses</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta charset="UTF-8" />
     <style>
@@ -12,8 +12,8 @@
     </style>
   </head>
   <body>
-    <h1>SVR.JS 3.4.39 Licenses</h1>
-    <h2>SVR.JS 3.4.39</h2>
+    <h1>SVR.JS 3.4.40 Licenses</h1>
+    <h2>SVR.JS 3.4.40</h2>
     <div style="display: inline-block; text-align: left; border-width: 2px; border-style: solid; border-color: gray; padding: 8px;">
       MIT License<br/>
       <br/>
@@ -37,7 +37,7 @@
       OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE<br/>
       SOFTWARE.<br/>
     </div>
-    <h2>Packages used by SVR.JS 3.4.39 and utilities</h2>
+    <h2>Packages used by SVR.JS 3.4.40 and utilities</h2>
     <div style="width: 100%; background-color: #ccc; border: 1px solid green; text-align: left; margin: 10px 0;">
       <div style="float: right;">License: MIT</div>
       <div style="font-size: 20px;">
diff --git a/svr.js b/svr.js
index 028f285..77ca7e5 100644
--- a/svr.js
+++ b/svr.js
@@ -71,7 +71,7 @@ function deleteFolderRecursive(path) {
 }
 
 var os = require("os");
-var version = "3.4.39";
+var version = "3.4.40";
 var singlethreaded = false;
 
 if (process.versions) process.versions.svrjs = version; //Inject SVR.JS into process.versions
@@ -1109,6 +1109,9 @@ if (secure) {
   var sniNames = Object.keys(sni);
   var sniCredentials = [];
   for (var i = 0; i < sniNames.length; i++) {
+    if(typeof sniNames[i] === "string" && sniNames[i].match(/\*[^*.:]*\*[^*.:]*(?:\.|:|$)/)) {
+      throw new Error("Refusing to start, because the current SNI configuration would make the server vulnerable to ReDoS.");
+    }
     sniCredentials.push({
       name: sniNames[i],
       cert: fs.readFileSync((sni[sniNames[i]].cert[0] != "/" && !sni[sniNames[i]].cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniNames[i]].cert : sni[sniNames[i]].cert).toString(),
diff --git a/tests.html b/tests.html
index 63d5098..31bb41e 100644
--- a/tests.html
+++ b/tests.html
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <title>SVR.JS 3.4.39 Tests</title>
+    <title>SVR.JS 3.4.40 Tests</title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <meta charset="UTF-8" />
     <style>
@@ -12,7 +12,7 @@
     </style>
   </head>
   <body>
-    <h1>SVR.JS 3.4.39 Tests</h1>
+    <h1>SVR.JS 3.4.40 Tests</h1>
     <h2>Directory</h2>
     <iframe src="/testdir" width="50%" height="300px"></iframe>
     <h2>Directory (with query)</h2>