Update to SVR.JS 3.9.6

2023-09-10 11:13:23 +02:00 · 2023-09-10 11:13:23 +02:00 · 9fa9c047d1
commit 9fa9c047d1
parent faa043cb99
5 changed files with 46 additions and 36 deletions
--- a/config.json
+++ b/config.json
@ -14,7 +14,7 @@
  "enableDirectoryListingWithDefaultHead": false,
  "serverAdministratorEmail": "[no contact information]",
  "stackHidden": false,
-  "enableRemoteLogBrowsing": true,
+  "enableRemoteLogBrowsing": false,
  "exposeServerVersion": true,
  "disableServerSideScriptExpose": true,
  "rewriteMap": [
--- a/index.html
+++ b/index.html
@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
  <head>
-    <title>SVR.JS 3.9.4</title>
+    <title>SVR.JS 3.9.6</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta charset="UTF-8" />
    <style>
@ -12,7 +12,7 @@
    </style>
  </head>
  <body>
-    <h1>Welcome to SVR.JS 3.9.4</h1>
+    <h1>Welcome to SVR.JS 3.9.6</h1>
    <br/>
    <img src="/logo.png" style="width: 256px;" />
    <br/>
@ -36,7 +36,7 @@
        &nbsp;&nbsp;"enableDirectoryListingWithDefaultHead": false,<br/>
        &nbsp;&nbsp;"serverAdministratorEmail": "[no contact information]",<br/>
        &nbsp;&nbsp;"stackHidden": false,<br/>
-        &nbsp;&nbsp;"enableRemoteLogBrowsing": true,<br/>
+        &nbsp;&nbsp;"enableRemoteLogBrowsing": false,<br/>
        &nbsp;&nbsp;"exposeServerVersion": true,<br/>
        &nbsp;&nbsp;"disableServerSideScriptExpose": false,<br/>
        &nbsp;&nbsp;"rewriteMap": [<br/>
@ -117,11 +117,10 @@
    </div>
    <p>Changes:</p>
    <ul>
-      <li>Changed warning about no support for HTTP/2.</li>
+      <li>Changed enableRemoteLogBrowsing property to be false by default.</li>
-      <li>Added "svrmodpack" deprecation warning.</li>
+      <li>Fixed log files only partially saving on failed master startup.</li>
-      <li>Removed unmaintained primitive analytics mod.</li>
+      <li>Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.</li>
-      <li>Removed unmaintained and undocumented hexstrbase64 library.</li>
+      <li>SVR.JS now logs certificate loading errors.</li>
      <li>Added TypeError workaround for Bun 1.0.0</li>
    </ul>
    <p>Bugs:</p>
    <ul>
--- a/licenses/index.html
+++ b/licenses/index.html
@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
  <head>
-    <title>SVR.JS 3.9.4 Licenses</title>
+    <title>SVR.JS 3.9.6 Licenses</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta charset="UTF-8" />
    <style>
@ -12,8 +12,8 @@
    </style>
  </head>
  <body>
-    <h1>SVR.JS 3.9.4 Licenses</h1>
+    <h1>SVR.JS 3.9.6 Licenses</h1>
-    <h2>SVR.JS 3.9.4</h2>
+    <h2>SVR.JS 3.9.6</h2>
    <div style="display: inline-block; text-align: left; border-width: 2px; border-style: solid; border-color: gray; padding: 8px;">
      MIT License<br/>
      <br/>
@ -37,7 +37,7 @@
      OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE<br/>
      SOFTWARE.<br/>
    </div>
-    <h2>Packages used by SVR.JS 3.9.4 and utilities</h2>
+    <h2>Packages used by SVR.JS 3.9.6 and utilities</h2>
    <div style="width: 100%; background-color: #ccc; border: 1px solid green; text-align: left; margin: 10px 0;">
      <div style="float: right;">License: MIT</div>
      <div style="font-size: 20px;">
--- a/svr.js
+++ b/svr.js
@ -81,7 +81,7 @@ function deleteFolderRecursive(path) {
 }
 var os = require("os");
-var version = "3.9.4";
+var version = "3.9.6";
 var singlethreaded = false;
 if (process.versions) process.versions.svrjs = version; // Inject SVR.JS into process.versions
@ -1265,19 +1265,24 @@ if (!fs.existsSync(__dirname + "/config.json")) {
  saveConfig();
 }
 var certificateError = null;
 // Load SNI
 if (secure) {
-  key = fs.readFileSync((configJSON.key[0] != "/" && !configJSON.key.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + configJSON.key : configJSON.key).toString();
+  try {
-  cert = fs.readFileSync((configJSON.cert[0] != "/" && !configJSON.cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + configJSON.cert : configJSON.cert).toString();
+    key = fs.readFileSync((configJSON.key[0] != "/" && !configJSON.key.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + configJSON.key : configJSON.key).toString();
-  var sniNames = Object.keys(sni);
+    cert = fs.readFileSync((configJSON.cert[0] != "/" && !configJSON.cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + configJSON.cert : configJSON.cert).toString();
-  var sniCredentials = [];
+    var sniNames = Object.keys(sni);
-  sniNames.forEach(function (sniName) {
+    var sniCredentials = [];
-    sniCredentials.push({
+    sniNames.forEach(function (sniName) {
-      name: sniName,
+      sniCredentials.push({
-      cert: fs.readFileSync((sni[sniName].cert[0] != "/" && !sni[sniName].cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniName].cert : sni[sniName].cert).toString(),
+        name: sniName,
-      key: fs.readFileSync((sni[sniName].key[0] != "/" && !sni[sniName].key.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniName].key : sni[sniName].key).toString()
+        cert: fs.readFileSync((sni[sniName].cert[0] != "/" && !sni[sniName].cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniName].cert : sni[sniName].cert).toString(),
        key: fs.readFileSync((sni[sniName].key[0] != "/" && !sni[sniName].key.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniName].key : sni[sniName].key).toString()
      });
    });
-  });
+  } catch(err) {
    certificateError = err;
  }
 }
 var logFile = undefined;
@ -1793,11 +1798,10 @@ if (useWebRootServerSideScript) {
 } else {
  forbiddenPaths.serverSideScripts.push(getInitializePath("./serverSideScript.js"));
 }
 forbiddenPaths.serverSideScripts.push(getInitializePath("./temp/serverSideScript.js"));
 forbiddenPaths.serverSideScriptDirectories = [];
 forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./temp/modloader"));
 forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./node_modules"));
 forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods"));
 forbiddenPaths.temp = getInitializePath("./temp");
 forbiddenPaths.log = getInitializePath("./log");
 // Create server
@ -2283,7 +2287,7 @@ if (!cluster.isPrimary) {
                      if(err) {
                        callback(errorCode.toString() + ".html");
                      } else {
-                        callback("." + errorCode.toString());  
+                        callback("." + errorCode.toString());
                      }
                    } catch(err2) {
                      callServerError(500, undefined, generateErrorStack(err2));
@ -2303,7 +2307,7 @@ if (!cluster.isPrimary) {
                  if(err) {
                    callback(errorCode.toString() + ".html");
                  } else {
-                    callback("." + errorCode.toString());  
+                    callback("." + errorCode.toString());
                  }
                } catch(err2) {
                  callServerError(500, undefined, generateErrorStack(err2));
@ -2327,7 +2331,7 @@ if (!cluster.isPrimary) {
            if(err) {
              getErrorFileName(list, callback, _i+1);
            } else {
-              medCallback(list[_i].path);  
+              medCallback(list[_i].path);
            }
          });
        }
@ -4283,11 +4287,15 @@ if (!cluster.isPrimary) {
        callServerError(403);
        serverconsole.errmessage("Access to configuration file/certificates is denied.");
        return;
-      } else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !(configJSON.enableRemoteLogBrowsing || configJSON.enableRemoteLogBrowsing == undefined)) {
+      } else if (isIndexOfForbiddenPath(decodedHref, "temp") && !isProxy) {
        callServerError(403);
        serverconsole.errmessage("Access to temporary folder is denied.");
        return;
      } else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !configJSON.enableRemoteLogBrowsing) {
        callServerError(403);
        serverconsole.errmessage("Access to log files is denied.");
        return;
-      } else if (isForbiddenPath(decodedHref, "svrjs") && !isProxy && !exposeServerVersion && process.cwd() == __dirname) {
+      } else if (isForbiddenPath(decodedHref, "svrjs") && !isProxy && !exposeServerVersion) {
        callServerError(403);
        serverconsole.errmessage("Access to SVR.JS script is denied.");
        return;
@ -4862,6 +4870,7 @@ function start(init) {
        if (brdIPs.indexOf(listenAddress) > -1) throw new Error("SVR.JS can't listen on broadcast address.");
        if (netIPs.indexOf(listenAddress) > -1) throw new Error("SVR.JS can't listen on subnet address.");
      }
      if(certificateError) throw new Error("There was a problem with SSL certificate/private key: " + certificateError.message);
    }
    // Information about starting the server
@ -5498,7 +5507,7 @@ function saveConfig() {
      if (configJSONobj.enableDirectoryListingWithDefaultHead === undefined) configJSONobj.enableDirectoryListingWithDefaultHead = false;
      if (configJSONobj.serverAdministratorEmail === undefined) configJSONobj.serverAdministratorEmail = "[no contact information]";
      if (configJSONobj.stackHidden === undefined) configJSONobj.stackHidden = false;
-      if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = true;
+      if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = false;
      if (configJSONobj.exposeServerVersion === undefined) configJSONobj.exposeServerVersion = true;
      if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = true;
      if (configJSONobj.allowStatus === undefined) configJSONobj.allowStatus = true;
@ -5514,7 +5523,7 @@ function saveConfig() {
      if (configJSONobj.errorPages === undefined) configJSONobj.errorPages = [];
      if (configJSONobj.useWebRootServerSideScript === undefined) configJSONobj.useWebRootServerSideScript = true;
      if (configJSONobj.exposeModsInErrorPages === undefined) configJSONobj.exposeModsInErrorPages = true;
-      
+
      var configString = JSON.stringify(configJSONobj, null, 2);
      fs.writeFileSync(__dirname + "/config.json", configString);
      break;
@ -5625,7 +5634,9 @@ try {
  serverconsole.locerrmessage("There was a problem starting SVR.JS!!!");
  serverconsole.locerrmessage("Stack:");
  serverconsole.locerrmessage(generateErrorStack(err));
-  process.exit(err.errno ? err.errno : 1);
+  setTimeout(function() {
    process.exit(err.errno ? err.errno : 1);
  }, 10);
 }
 //////////////////////////////////
--- a/tests.html
+++ b/tests.html
@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
  <head>
-    <title>SVR.JS 3.9.4 Tests</title>
+    <title>SVR.JS 3.9.6 Tests</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta charset="UTF-8" />
    <style>
@ -12,7 +12,7 @@
    </style>
  </head>
  <body>
-    <h1>SVR.JS 3.9.4 Tests</h1>
+    <h1>SVR.JS 3.9.6 Tests</h1>
    <h2>Directory</h2>
    <iframe src="/testdir" width="50%" height="300px"></iframe>
    <h2>Directory (with query)</h2>