forked from svrjs/svrjs
Update to SVR.JS 3.4.30
This commit is contained in:
parent
1e30dd768d
commit
5c1570242e
4 changed files with 18 additions and 11 deletions
|
@ -1,7 +1,7 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>SVR.JS 3.4.29</title>
|
||||
<title>SVR.JS 3.4.30</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<meta charset="UTF-8" />
|
||||
<style>
|
||||
|
@ -12,7 +12,7 @@
|
|||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<h1>Welcome to SVR.JS 3.4.29</h1>
|
||||
<h1>Welcome to SVR.JS 3.4.30</h1>
|
||||
<br/>
|
||||
<img src="/logo.png" style="width: 256px;" />
|
||||
<br/>
|
||||
|
@ -119,7 +119,7 @@
|
|||
</div>
|
||||
<p>Changes:</p>
|
||||
<ul>
|
||||
<li>Added new config.json property - exposeModsInErrorPages</li>
|
||||
<li>Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).</li>
|
||||
</ul>
|
||||
<p>Bugs:</p>
|
||||
<ul>
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>SVR.JS 3.4.29 Licenses</title>
|
||||
<title>SVR.JS 3.4.30 Licenses</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<meta charset="UTF-8" />
|
||||
<style>
|
||||
|
@ -12,8 +12,8 @@
|
|||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<h1>SVR.JS 3.4.29 Licenses</h1>
|
||||
<h2>SVR.JS 3.4.29</h2>
|
||||
<h1>SVR.JS 3.4.30 Licenses</h1>
|
||||
<h2>SVR.JS 3.4.30</h2>
|
||||
<div style="display: inline-block; text-align: left; border-width: 2px; border-style: solid; border-color: gray; padding: 8px;">
|
||||
MIT License<br/>
|
||||
<br/>
|
||||
|
@ -37,7 +37,7 @@
|
|||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE<br/>
|
||||
SOFTWARE.<br/>
|
||||
</div>
|
||||
<h2>Packages used by SVR.JS 3.4.29 and utilities</h2>
|
||||
<h2>Packages used by SVR.JS 3.4.30 and utilities</h2>
|
||||
<div style="width: 100%; background-color: #ccc; border: 1px solid green; text-align: left; margin: 10px 0;">
|
||||
<div style="float: right;">License: MIT</div>
|
||||
<div style="font-size: 20px;">
|
||||
|
|
11
svr.js
11
svr.js
|
@ -71,7 +71,7 @@ function deleteFolderRecursive(path) {
|
|||
}
|
||||
|
||||
var os = require("os");
|
||||
var version = "3.4.29";
|
||||
var version = "3.4.30";
|
||||
var singlethreaded = false;
|
||||
|
||||
if (process.versions) process.versions.svrjs = version; //Inject SVR.JS into process.versions
|
||||
|
@ -3863,6 +3863,7 @@ if (!cluster.isPrimary) {
|
|||
|
||||
//SANITIZE URL
|
||||
var sanitizedHref = sanitizeURL(href);
|
||||
var preparedReqUrl = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : "");
|
||||
|
||||
if (href.toLowerCase() != sanitizedHref.toLowerCase() && !isProxy) {
|
||||
var sanitizedURL = uobject;
|
||||
|
@ -3878,6 +3879,10 @@ if (!cluster.isPrimary) {
|
|||
serverconsole.resmessage("URL sanitized: " + req.url + " => " + sanitizedURL);
|
||||
redirect(sanitizedURL, false);
|
||||
return;
|
||||
} else if(req.url != preparedReqUrl && !isProxy) {
|
||||
serverconsole.resmessage("URL sanitized: " + req.url + " => " + preparedReqUrl);
|
||||
redirect(preparedReqUrl, false);
|
||||
return;
|
||||
}
|
||||
|
||||
//URL REWRITING
|
||||
|
@ -3916,7 +3921,9 @@ if (!cluster.isPrimary) {
|
|||
}
|
||||
|
||||
var sHref = sanitizeURL(href);
|
||||
if (sHref != href.replace(/\/\.(?=\/|$)/g, "/").replace(/\/+/g, "/")) {
|
||||
var preparedReqUrl2 = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : "");
|
||||
|
||||
if (req.url != preparedReqUrl2 || sHref != href.replace(/\/\.(?=\/|$)/g, "/").replace(/\/+/g, "/")) {
|
||||
callServerError(403);
|
||||
serverconsole.errmessage("Content blocked.");
|
||||
return;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>SVR.JS 3.4.29 Tests</title>
|
||||
<title>SVR.JS 3.4.30 Tests</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
||||
<meta charset="UTF-8" />
|
||||
<style>
|
||||
|
@ -12,7 +12,7 @@
|
|||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<h1>SVR.JS 3.4.29 Tests</h1>
|
||||
<h1>SVR.JS 3.4.30 Tests</h1>
|
||||
<h2>Directory</h2>
|
||||
<iframe src="/testdir" width="50%" height="300px"></iframe>
|
||||
<h2>Directory (with query)</h2>
|
||||
|
|
Reference in a new issue