svrjs/svrjs-website
Archived
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
This repository has been archived on 2024-09-12. You can view files and clone it, but cannot push or open issues or pull requests.
svrjs-website/source/changelog.md

776 lines
30 KiB
Markdown
Raw Normal View History

Initial commit
2024-03-15 21:53:12 +01:00
---
title: SVR.JS change log
excerpt: Learn more about changes introduced in various SVR.JS versions.
date: 2023-12-21 17:10:14
---
Update SVR.JS to 3.14.7
2024-03-19 17:18:27 +01:00
## SVR.JS 3.14.7
* Fixed bug with request domain names not showing in server logs.
Update SVR.JS to 3.14.6
2024-03-17 21:56:29 +01:00
## SVR.JS 3.14.6
* Added CVE-2024-22019 Node.JS vulnerability warning.
* Improved protection against user enumeration in HTTP authentication.
* Replaced block list message with generic 403 Forbidden error.
* Replaced some instances of "blacklist" with "block list".
* Some terminal output is now bold.
* Updated SVR.JS log viewer (_logviewer.js_) and log highlighter (_loghighlight.js_)
* When "block localhost" CLI command is executed, SVR.JS now adds "localhost" to the block list instead of "::ffff:localhost".
Initial commit
2024-03-15 21:53:12 +01:00
## SVR.JS 3.14.5
* Fixed "www." URL redirect functionality.
* Improved HTTP/1.x API compatibility with HTTP/2.
## SVR.JS 3.14.4
* Updated _tar_ and _graceful-fs_ libraries.
* Added support for URLs with double slashes.
* Rewritten HTTP to HTTPS redirect functionality.
* Changed default directory listing icons.
## SVR.JS 3.14.3
* Fixed bug with URLs beginning with multiple slashes being rewritten incorrectly.
## SVR.JS 3.14.2
* Added new SVR.JS mod and server-side JavaScript property: _authUser_.
## SVR.JS 3.14.1
* Added support for IP-based virtual hosts.
* Fixed SVR.JS crashes with _X-SVR-JS-From-Main-Thread_ header and unknown client IPs.
## SVR.JS 3.4.42 LTS
* Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.
## SVR.JS 3.14.0
* Added new _config.json_ properties: _useClientCertificate_, _rejectUnauthorizedClientCertificates_, _cipherSuite_, _ecdhCurve_, _tlsMinVersion_, _tlsMaxVersion_, _signatureAlgorithms_ and _http2Settings_.
* Added support for web root postfixes (along with postfix prefixes).
* Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.
## SVR.JS 3.13.1
* Fixed error handling for invalid URL rewrite regexes.
* Fixed bug with non-working HTTP proxy handler (excluding CONNECT method).
## SVR.JS 3.4.41 LTS
* Removed all remnants of "DorianTech".
* Mitigated log file injection vulnerability for HTTP authentication.
* Mitigated log file injection vulnerability for SVR.JS mod file names.
* SVR.JS no longer crashes, when access to a log file is denied.
## SVR.JS 3.13.0
* Added support for skipping URL rewriting, when the URL refers to a file or a directory.
* Dropped support for svrmodpack.
* Added support for 307 and 308 redirects (both in config.json and in redirect() SVR.JS API method).
* Mitigated log file injection vulnerability for HTTP authentication.
* Mitigated log file injection vulnerability for SVR.JS mod file names.
* SVR.JS no longer crashes, when access to a log file is denied.
## SVR.JS 3.12.3
* Removed all remnants of "DorianTech".
* Fixed bug with wildcard in domain name selectors.
## SVR.JS 3.12.2
* SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
* Add _Host_ header pre-processing.
* Changed SNI regular expression generation function.
## SVR.JS 3.4.40 LTS
* SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
## SVR.JS 3.12.1
* Added client errors, server errors, and malformed HTTP request counts to SVR.JS status page.
* Fixed multiple XSS vulnerabilities.
## SVR.JS 3.4.39 LTS
* Invalid compression exclusion list regexes no longer crash SVR.JS.
* Fixed multiple XSS vulnerabilities.
## SVR.JS 3.12.0
* Added trailing slash redirect support.
* Added new _config.json_ property — _environmentVariables_.
* Replaces base 1000 size prefixes with base 1024 ones.
* Invalid compression exclusion list regexes no longer crash SVR.JS.
* Changed invalid regex error message.
* Corrected language errors — replaced _recieve_ with _receive_.
## SVR.JS 3.4.38 LTS
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
* Fixed crash while trying to report communication problem with workers.
## SVR.JS 3.11.0
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
* Fixed language errors in HTTP error code descriptions, error console messages and the index page.
* Updated the logo in the SVR.JS log viewer.
## SVR.JS 3.4.37 LTS
* Fixed bug with non-standard code regex replacements
## SVR.JS 3.10.3
* Fixed bug with non-standard code regex replacements
## SVR.JS 3.10.2
* Fixed bug with mods (and server-side JavaScript) executing in wrong order (bug was related with access control vulnerability fix; bug was not present in LTS versions)
## SVR.JS 3.4.36 LTS
* Removed undocumented and non-working code.
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
## SVR.JS 3.10.1
* Dropped _pretty-bytes_ dependency.
* Removed undocumented and non-working code.
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
* Replaced function converting byte count to human-readable representation with new one.
## SVR.JS 3.4.35 LTS
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
* Improved clustering shim for Bun.
## SVR.JS 3.10.0
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
* Improved clustering shim for Bun.
* Improved web root error handling.
## SVR.JS 3.4.34 LTS
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
## SVR.JS 3.9.6
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
* Fixed log files only partially saving on failed master startup.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
* SVR.JS now logs certificate loading errors.
## <s>SVR.JS 3.4.33 LTS</s>
<s>
* Changed enableRemoteLogBrowsing property to be false by default.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
</s>
_This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._
## <s>SVR.JS 3.9.5</s>
<s>
* Changed enableRemoteLogBrowsing property to be false by default.
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
</s>
_This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._
## SVR.JS 3.4.32 LTS
* Added "svrmodpack" deprecation warning.
* Removed unmaintained primitive analytics mod.
* Removed unmaintained and undocumented hexstrbase64 library.
* Added TypeError workaround for Bun 1.0.0
## SVR.JS 3.9.4
* Changed warning about no support for HTTP/2.
* Added "svrmodpack" deprecation warning.
* Removed unmaintained primitive analytics mod.
* Removed unmaintained and undocumented hexstrbase64 library.
* Added TypeError workaround for Bun 1.0.0
## SVR.JS 3.4.31 LTS
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
## SVR.JS 3.9.3
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
## SVR.JS 3.4.30 LTS
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
## SVR.JS 3.9.2
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
## SVR.JS 3.4.29 LTS
* Added new config.json property - exposeModsInErrorPages
## SVR.JS 3.9.1
* Added new config.json property - exposeModsInErrorPages
## SVR.JS 3.9.0
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
* Fixed bug with _wwwredirect_.
* Replaced HTTP => HTTPS redirect handler
* Added support for listening to specific IP address.
* Added new config.json property - useWebRootServerSideScript
* Added notice about logged user (HTTP authentication).
* Added validation of X-Forwarded-For header
## SVR.JS 3.4.28 LTS
* Added validation for X-Forwarded-For header.
## SVR.JS 3.4.27 LTS
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
* Fixed bug with _wwwredirect_.
## SVR.JS 3.4.26 LTS
* Changed default SVR.JS configuration.
* Disabled server-side script exposure by default.
## SVR.JS 3.8.1
* Changed default SVR.JS configuration.
* Disabled server-side script exposure by default.
## SVR.JS 3.8.0
* Added partial virtual hosting support
* Added _host_ field to _nonStandardCodes_ and _rewriteMap_ properties.
* Added _userList_ field to _nonStandardCodes_ properties (with _scode_ set to 401).
* Added new config.json properties: _errorPages_, _enableDirectoryListingVHost_ and _customHeadersVHost_.
* Improved HTTP authentication error handling.
## SVR.JS 3.4.25 LTS
* Improved HTTP authentication error handling.
* Updated SVR.JS license.
## SVR.JS 3.7.5
* Fixed non-working blacklist.
* Updated SVR.JS license.
## SVR.JS 3.4.24 LTS
* Added reverse DNS lookup support.
## SVR.JS 3.7.4
* Added reverse DNS lookup support.
## SVR.JS 3.4.23 LTS
* Fixed server crashes while one of two ports are in use
## SVR.JS 3.7.3
* Fixed server crashes while one of two ports are in use
## SVR.JS 3.4.22 LTS
* ENAMETOOLONG errors now correspond to 414 code.
* EMFILE errors now correspond to 503 code.
## SVR.JS 3.7.2
* ENAMETOOLONG errors now correspond to 414 code.
## SVR.JS 3.7.1
* Fixed bug with SVR.JS hang-up check requests logged in server logs (bug occurred on upstream Node.JS v12.22.12).
## SVR.JS 3.4.21 LTS
* Changed descriptions of 501 and 503 errors.
* Disabled open proxy in default server-side JavaScript.
* Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
* Fixed redirect loops related to URL sanitizer.
* Fixed SVR.JS proxy API (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback]).
* Improved Bun IPC shim connection error handling.
* Improved server error handling for Bun.
* Updated svrpasswd tool.
## SVR.JS 3.7.0
* Added new config.json property - disableUnusedWorkerTermination.
* Added option to rewrite "dirty" URLs - rewriteDirtyURLs.
* Added PBKDF2 and scrypt support for HTTP authentication.
* Added termination of unused workers.
* Changed descriptions of 501 and 503 errors.
* Disabled checking for hung up server processes, while SVR.JS is not yet listening.
* Disabled open proxy in default server-side JavaScript.
* Disabled X-SVR-JS-From-Main-Thread header for non-localhost clients.
* EMFILE errors now correspond to 503 Service Unavailable error code.
* Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
* Fixed redirect loops related to URL sanitizer.
* Fixed SVR.JS proxy API. (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback])
* Improved Bun IPC shim connection error handling.
* Improved extension checking function in directory listing generation.
* Improved server error handling for Bun.
* SVR.JS now exits gracefully on "stop" command.
* Updated svrpasswd tool.
## SVR.JS 3.4.20 LTS
* Improved reliability while loading server-side JavaScript.
## SVR.JS 3.6.4
* Improved reliability while loading server-side JavaScript.
## SVR.JS 3.4.19 LTS
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
## SVR.JS 3.6.3
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
## SVR.JS 3.4.18 LTS
* Fixed bug with ENOTDIR error (was 500, now it's 404).
* Fixed bug with forbidden path checker.
## SVR.JS 3.6.2
* Fixed bug with ENOTDIR error (was 500, now it's 404).
* Fixed bug with forbidden path checker.
* Optimized regular expression creating function.
## SVR.JS 3.4.17 LTS
* Improved URL sanitizer.
* Fixed bug with formidable wrapper.
## SVR.JS 3.6.1
* Added support for ETags.
* Added new config.json property: enableETag.
* Improved URL sanitizer.
* Fixed bug with formidable wrapper.
## SVR.JS 3.6.0
* Optimized sanitized URL comparison function.
* Expanded warning messages.
* Added support for Unix sockets and Windows named pipes.
* Cleaned up SVR.JS code.
## SVR.JS 3.4.16 LTS
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
* Cleaned up code.
## SVR.JS 3.5.6
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
* Cleaned up code.
## SVR.JS 3.4.15 LTS
* Fixed broken URL sanitation redirect.
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
## SVR.JS 3.5.5
* Fixed broken URL sanitation redirect.
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
## SVR.JS 3.4.14 LTS
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
## SVR.JS 3.5.4
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
## SVR.JS 3.4.13 LTS
* Improved compatibility with Bun 0.9.14.
* Replaced more blocking system calls with non-blocking ones.
## SVR.JS 3.5.3
* Improved compatibility with Bun 0.9.14.
## SVR.JS 3.5.2
* Replaced more blocking system calls with non-blocking ones.
## SVR.JS 3.5.1
* Added better HTTP error handler.
## SVR.JS 3.4.12 LTS
* Added better HTTP error handler.
## SVR.JS 3.5.0
* Dropped support for Node.JS 8.x and 9.x.
* Directory listing icons now show even, if ".dirimages" directory is missing from web root.
* Updated formidable module.
## SVR.JS 3.4.11 LTS
* Added support for Brotli compression.
## SVR.JS 3.4.10
* Added OCSP module loading failure warning.
* SVR.JS now displays error message, when it's run on JS runtime non-compatible with Node.JS.
## SVR.JS 3.4.9
* Added new config.json option: enableOCSPStapling.
* Added support for OCSP stapling.
* Added new dependency: ocsp
* Replaced some blocking system calls in directory listing function with non-blocking ones.
* Optimized HTTP basic authentication algorithm.
## SVR.JS 3.4.8
* Added HTTP authentication brute force protection.
## SVR.JS 3.4.7
* Fixed SVR.JS crashing on Node.JS 8.x and 9.x.
## SVR.JS 3.4.6
* Improved reliability in loading mods, server-side JavaScript and saving configuration file.
## SVR.JS 3.4.5
* Fixed bug with custom head and SVR.JS status page.
## SVR.JS 3.4.4
* req.socket.realRemoteAddress and res.socket.realRemotePort are now original users remote address and port respectively.
## SVR.JS 3.4.3
* Fixed bug related with saving config.json.
* Disabled gzip compression for .gz files.
## SVR.JS 3.4.2
* Fixed bug with regular expression non-standard HTTP status codes.
## SVR.JS 3.4.1
* SVR.JS now uses 2 public IP providers: SeeIP.org and ipify.
## SVR.JS 3.4.0
* autocannon is no longer included with SVR.JS.
* Fixed requirement on pretty-bytes library.
* Removed version field from config.json
* Fixed random worker crashes that occur, while config.json is saved.
* SVR.JS no longer overrides config.json values, that are set after SVR.JS has been started.
* SVR.JS no longer displays native Node.JS error message, while SVR.JS is run on read-only file system.
## SVR.JS 3.3.3
* Improved reliability of loading mods and server-side JavaScript.
## SVR.JS 3.3.2
* Calling callServerError or res.writeHead mutltiple times now invokes a warning instead of crashing SVR.JS.
## SVR.JS 3.3.1
* Fixed bug: Logs didn't save during crash report generation.
* Fixed bug: Worker crashes didn't display message about starting new workers.
* Fixed bug with SVR.JS status page.
* Added image icons for .ico and .icn files in directory listings.
* Added OpenSSL 1.x EOL warning message.
* SVR.JS now uses WHATWG URL parser instead of deprecated url.parse() function.
## SVR.JS 3.3.0
* SVR.JS now forks itself at startup as many times the CPU host has cores (max 16 cores).
* Fixed bug and potential security vulnerability: Non-standard codes didn't work, and thus attackers could bypass HTTP authentication.
## SVR.JS 3.2.1
* Optimized SVR.JS blacklist and path sanitation code.
* Mitigated security vulnerability: Attacker could access directory listing of directory above web root using "/.." path.
## SVR.JS 3.2.0
* Optimized SVR.JS code.
* Logs from single-threaded SVR.JS now begin with "singlethread".
* Cyclic links now causes server to return 508 error instead of 404 error.
## SVR.JS 3.1.2
* Improved forbidden paths access control.
## SVR.JS 3.1.1
* SVR.JS is now able to run on Node.JS versions without crypto.
* Changed IP provider to SeeIP (used, when crypto support is available).
* Added new server status metrics: CPU usage percentage, Average request rate.
* Added new command: restart.
## SVR.JS 3.1.0
* SVR.JS is now able to run on Node.JS versions without crypto.
* Added HTTP/2 no-support indication for Bun.
* Added more indication of request methods.
* Cleaned up SVR.JS code.
* Updated supplied tar and minipass modules.
## SVR.JS 3.0.3
* Changed public IP provider to ipify.
## SVR.JS 3.0.2
* Fixed server-side JavaScript handling.
## SVR.JS 3.0.1
* Improved error stack generation.
* SVR.JS now serves files from directory on which script resides, unless wwwroot is specified.
## SVR.JS 3.0.0
* 502 errors now logs their stacks.
* Added better exception handler.
* Added callServerError function for use in server-side JavaScript and mods.
* Added cluster+ipc shim used when SVR.JS is running on Bun (SVR.JS can now run multi-threaded on Bun).
* Added command-line parameter: -v/--version.
* Added Content-Range support for static files.
* Added custom Expect header handler.
* Added custom request parse error handler.
* Added date and time to logs.
* Added --disable-mods option. (disables all mods and server side JavaScript)
* Added displaying of contact information on 500 error.
* Added experimental support for Bun (no SVR.JS command line for now...).
* Added HTTP status code message to logs.
* Added new command-line option: --single-threaded
* Added new config.json properties: sni, serverAdministratorEmail, stackHidden, enableRemoteLogBrowsing, dontCompress, enableIPSpoofing, allowStatus, disableServerSideScriptExpose, exposeServerVersion, rewriteMap, secure, wwwroot, disableNonEncryptedServer and disableToHTTPSRedirect.
* Added new depedency - formidable.
* Added new method callable from mods: getCustomHeaders (gets headers from config.json file along with "Server" header).
* Added new mod methods - getCustomHeaders, origHref, parsePostData and redirect.
* Added new server-side JavaScript fields - customvar1, customvar2, customvar3, customvar4.
* Added new utility: log highlighter at loghighlighter.js
* Added new utility: log viewer at logviewer.js
* Added new utility: SVR.JS user utility at svrpasswd.js
* Added option to disable HTTP => HTTPS redirect server.
* Added option to listen only for HTTPS.
* Added {path} directive in custom error pages and headers.
* Added RegEx support for non-standard error codes.
* Added request ID to logs.
* Added server error descriptions.
* Added SNI support.
* Added status page at /svrjsstatus.svr.
* Added support for CIDR notation in non-standard codes.
* Added support for CONNECT method (along with mod callbacks).
* Added support for HTTP authentication.
* Added support for RegEx for nonStandardCodes property.
* Added support for X-Forwarded-For header.
* Added URL rewriting.
* Added warning, when SVR.JS is run as root.
* Addedd error message in case SVR.JS is attempted to be started without Node.JS.
* Allowed Node.JS versions without HTTP/2 support. (although HTTP/2 will not work)
* Allowed starting without Internet connection.
* Attackers can no longer bypass content blocking mechanism (non-standard codes set in config.json), when SVR.JS is run in Windows.
* Attackers can no longer bypass content blocking mechanism, when SVR.JS is run in Windows.
* Bare minimum now requires only "svr.js" script and node_modules directory.
* Broken server availability addresses are now invisible in the console.
* Change of working directory is now possible.
* Changed demo server-side JavaScript to use new callServerError function.
* Changed file type icons.
* Changed HTTP error descriptions.
* Changed log format.
* Changed logo to new one.
* Changed SVR.JS log descriptions.
* config.json options which are not used by SVR.JS are now kept.
* Configuration file now has diffrent placeholder content.
* Connection messages when using SVR.JS as proxy aren't longer broken.
* Connection with null req.socket are now dropped.
* Corrected handling of multi-line log messages.
* Custom headers are no longer set by default on proxy requests.
* DEBUG: /crash.svr crashes the server (only in Nightly).
* Default content type can be no longer set.
* Deprecated config.json property: defaultpage.
* Directory listing custom foots now are displayed even if foot.html file doesn't exist.
* Directory listing custom heads now are displayed even if head.html file doesn't exist.
* Directory listing no longer breaks with "<" and ">" characters (XSS mitigated).
* Directory listing now shows original URL, when URL is rewritten.
* Directory listing now shows whatever the file is block device, chacter device, FIFO or socket.
* Directory traversal through symbolic links is no longer possible (new URL sanitation function).
* Disabled HTTP compression for w3m and Netscape 4.x.
* Error pages can use new format: .<error_code> instead of <error_code>.html.
* Error stack can be now hidden using stackHidden property.
* Factory reset no longer replaces config.json with placeholder one.
* Files without extension are no longer presented as HTML content.
* Fixed bug: Blacklist didn't save into config.json file.
* Fixed bug: Downloading files above 2GB now works properly.
* Fixed bug: Next thread no longer starts after closing ports.
* Fixed bug related to broken access controls in SVR.JS when it's run in Windows.
* Fixed bug with server version exposure.
* Fixed crash on malformed public IP check response.
* Fixed crashes with TCP resets, when using default handler for CONNECT method.
* Fixed default config.json file.
* Fixed directory listing, when URL contains "@" or "?"
* Fixed filterHeaders method.
* Fixed handling of some proxy requests by default redirect server.
* Fixed HEAD method handling.
* Fixed HTTP compression.
* Fixed master process crash, when unable to fork process.
* Fixed process crash, when unable to save to a log file.
* Fixed proxy mod loader.
* Fixed public IP address identification on server console.
* Fixed security vulnerability: Attacker could append "%00" to URL to bypass access restrictions when SVR.JS is running on Bun.
* Fixed security vulnerability: Attacker could send specially constructed HTTP request to bypass content block mechanism.
* Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions.
* Fixed server endlessly spawning threads in Node.JS 20.x.
* Fixed SVR.JS not able to start in Android (d/node.js).
* Fixed SVR.JS not able to start in Node.JS 16.x in Haiku OS.
* Fixed URL mojibake.
* Fixed website block, when SVR.JS is running on Bun
* Fixed XSS bug in host name indication in default error pages.
* HTTP => HTTPS redirect server now returns 400 error when no host is specified.
* HTTP requests made to HTTPS server now return 497 error page.
* HTTP requests using CONNECT method now return 501 error, if SVR.JS is run on Bun.
* Icons on directory listings are no longer stretched, when padding is applies to the table.
* Improved bad request handler.
* Improved compatibility with Bun.
* Improved compatibility with Node.JS 20.x.
* Improved default error pages and directory listings for mobile devices.
* Improved directory listings.
* Improved file handling by URL.
* Improved handling of 405 error.
* Improved handling of OPTIONS method.
* Improved HTTP => HTTPS redirect handler.
* Improved HTTP/2 => HTTP/1.x translation API.
* Improved possible server access URLs.
* IPv6 URLs are now shown properly.
* Links now show sizes of referenced file in directory listing.
* Logs are no longer remotely accessible, when enableRemoteLogBrowsing is set to false.
* Made HTTP => HTTPS redirect server more compatible with Node.JS 20.x.
* Main script moved to "svr.js" file.
* Many request problem will now result in 500 error instead of crash.
* Mitigated path traversal at bad URL rewriting.
* Mod loader no longer uses eval.
* Node.JS version is now exposed in Server header (unless exposeServerVersion is false).
* Non-standard codes no longer works on proxy requests.
* Patched supplied fs-minipass module to work with Bun.
* Removed strict depedencies for: tar, svrmodpack, hexstrbase64 and formidable.
* Removed "Welcome to DorianTech Node.JS Server!" and "Goodbye." log, rendering welcomeMessage property useless.
* Replaced 403 error page specific to disabled directory listing with generic one.
* Replaced "domian" property with "domain" in config.json.
* Replaced URL sanitation algorithm with faster one.
* Server is now more protected against directory traversal attack.
* Server no longer crashes on some malformed URIs.
* Server now returns 403 error, when server software itself doesn't have permissions to access files.
* Size function now requires pretty-bytes library.
* Size function now uses custom fallback.
* Stack traces from 500 errors are now displayed in logs.
* SVR.JS doesn't use template config.json anymore, if config.json doesn't exist
* SVR.JS no longer crashes on mod loading problem.
* SVR.JS no longer crashes when displaying listing of directory containing invalid files.
* SVR.JS no longer drops connections having null response socket.
* SVR.JS now keeps unused properties of config.json file.
* SVR.JS used as HTTPS server works even without key and cert fields in config.json.
* SVR.JS version is no longer leaked via svr.js file, when exposeServerVersion property is set to false.
* Updated supplied mime-types and mime-db modules.
* Using SVR.JS as an proxy without proxy mod now returns no-proxy message.
## SVR.JS 2.1.4
* Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions. (fix backported from SVR.JS 3.0.0-beta19)
* Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta19)
## SVR.JS 2.1.3
* Added new config.json properties: exposeServerVersion and stackHidden (backported from SVR.JS 3.0.0-beta1)
* Fixed path traversal vulnerability (fix backported from SVR.JS 3.0.0-beta1)
* Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta1)
* Fixed server crash on malformed URL (fix backported from SVR.JS 3.0.0-beta1)
## SVR.JS 2.1.2
* Methods other than "POST", "GET", "OPTIONS" and "HEAD" are allowed.
## SVR.JS 2.1.1
* Fixed security vulnerability using directory listing to access secret files.
## SVR.JS 2.1.0
* Added new property of config.json "enableDirectoryListingWithDefaultHead".
* Added personalization of directory listing.
* Added compability with Node.JS v8.10.0
* Replaced MIME type table with one from mime-types module.
* Fixed bug: Directory listing shows wrong icons.
* Changed icons in directory listing.
* Changed size display in directory listing.
* Deleted analytics inside SVR.JS - those analytics are now in seperate mod, of which SVR.JS comes with it.
## SVR.JS 2.0.0
* Added support for .tar.gz mods and server side Javascript in .JS file.
* Moved directory listing icons to seperate directory.
* Replaced ASCII Art.
* Added support for HTTP/2.0, disabled by default.
* Changed default footer.
* Added unpacking SVR.JS in first run.
* Added checking, if head and foot exists.
* Optimized directory listing for Lynx text client
* Modified Server UI.
* Added new properties of config.json "enableLogging" and "enableDirectoryListing".
* Added "--clean" and "--reset" arguments.
* Fixed security vulnerability: The block is only covering part of SVR.JS
* Fixed bug: Not saving config.json on Linux.
* Added multi-threading.
* Deleted "getip" command.
## SVR.JS 1.2.2
* Fixed bug, which caused mojibake in Unicode files.
* Fixed bug, which caused SVR.JS to require SSL certificate, even if HTTPS mode is disabled.
* Fixed bug, which caused SVR.JS to crash, if no mods are loaded.
* Fixed bug, which caused SVR.JS to display blank directory, if URL is with query.
## SVR.JS 1.2.1
* Fixed bug, which caused SVR.JS in Ubuntu to not work
* Added platform showing
## SVR.JS 1.2.0
* First released version of SVR.JS
Reference in a new issue Copy permalink