|
|
|
|
@ -5,11 +5,11 @@ date: 2023-12-21 17:10:14
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.16 LTS
|
|
|
|
|
|
|
|
|
|
_Released in May 6, 2024_
|
|
|
|
|
* Prevented DoS attacks performed with forward proxy HTTP requests with malformed URLs.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.15.0
|
|
|
|
|
|
|
|
|
|
_Released in May 6, 2024_
|
|
|
|
|
* Changed URL parser from wrapper over WHATWG URL parser to custom regex-based URL parser.
|
|
|
|
|
* Optimized server code.
|
|
|
|
|
* Redesigned default error pages.
|
|
|
|
|
@ -17,51 +17,51 @@ date: 2023-12-21 17:10:14
|
|
|
|
|
* Replaced _path.extname()_ function with regex-based function.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.15
|
|
|
|
|
|
|
|
|
|
_Released in April 29, 2024_
|
|
|
|
|
* Fixed crashes related to the request ID generation.
|
|
|
|
|
* Optimized HTTP compression functionality.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.14
|
|
|
|
|
|
|
|
|
|
_Released in April 27, 2024_
|
|
|
|
|
* _console.log_ and _stdout_ are now disabled, when _stdout_ is not a TTY (for example in situation when SVR.JS is running as a daemon), in order to improve performance.
|
|
|
|
|
* Errors that occurred, while adding SNI context to a server are now ignored.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.13
|
|
|
|
|
|
|
|
|
|
_Released in April 24, 2024_
|
|
|
|
|
* Optimized code.
|
|
|
|
|
* SVR.JS now uses _os.availableParallelism()_ function for determining amount of processes to fork, when it is available.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.12
|
|
|
|
|
|
|
|
|
|
_Released in April 13, 2024_
|
|
|
|
|
* Fix ".dirimages" directory returning an 500 error, if it is not present in the web root.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.11
|
|
|
|
|
|
|
|
|
|
_Released in April 7, 2024_
|
|
|
|
|
* Added CVE-2024-27982 Node.JS vulnerability warning.
|
|
|
|
|
* Fixed bug with Brotli compression not working, when SVR.JS is running on Bun.
|
|
|
|
|
* Improved the performance of the server.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.10
|
|
|
|
|
|
|
|
|
|
_Released in April 2, 2024_
|
|
|
|
|
* Disabled trailing slash removal for proxy requests.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.9
|
|
|
|
|
|
|
|
|
|
_Released in April 2, 2024_
|
|
|
|
|
* Changed default file extensions compression exclude list.
|
|
|
|
|
* Lifted _scrypt_ restrictions on Bun.
|
|
|
|
|
* Optimized server script size (268 KiB => 256 KiB).
|
|
|
|
|
* The compression exclude list is now in SVR.JS itself.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.8
|
|
|
|
|
|
|
|
|
|
_Released in March 29, 2024_
|
|
|
|
|
* Fixed bug with _res.writeHead_ method.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.7
|
|
|
|
|
|
|
|
|
|
_Released in March 19, 2024_
|
|
|
|
|
* Fixed bug with request domain names not showing in server logs.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.6
|
|
|
|
|
|
|
|
|
|
_Released in March 17, 2024_
|
|
|
|
|
* Added CVE-2024-22019 Node.JS vulnerability warning.
|
|
|
|
|
* Improved protection against user enumeration in HTTP authentication.
|
|
|
|
|
* Replaced block list message with generic 403 Forbidden error.
|
|
|
|
|
@ -71,54 +71,54 @@ date: 2023-12-21 17:10:14
|
|
|
|
|
* When "block localhost" CLI command is executed, SVR.JS now adds "localhost" to the block list instead of "::ffff:localhost".
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.5
|
|
|
|
|
|
|
|
|
|
_Released in March 9, 2024_
|
|
|
|
|
* Fixed "www." URL redirect functionality.
|
|
|
|
|
* Improved HTTP/1.x API compatibility with HTTP/2.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.4
|
|
|
|
|
|
|
|
|
|
_Released in March 3, 2024_
|
|
|
|
|
* Updated _tar_ and _graceful-fs_ libraries.
|
|
|
|
|
* Added support for URLs with double slashes.
|
|
|
|
|
* Rewritten HTTP to HTTPS redirect functionality.
|
|
|
|
|
* Changed default directory listing icons.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.3
|
|
|
|
|
|
|
|
|
|
_Released in February 11, 2024_
|
|
|
|
|
* Fixed bug with URLs beginning with multiple slashes being rewritten incorrectly.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.2
|
|
|
|
|
|
|
|
|
|
_Released in February 7, 2024_
|
|
|
|
|
* Added new SVR.JS mod and server-side JavaScript property: _authUser_.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.1
|
|
|
|
|
|
|
|
|
|
_Released in February 2, 2024_
|
|
|
|
|
* Added support for IP-based virtual hosts.
|
|
|
|
|
* Fixed SVR.JS crashes with _X-SVR-JS-From-Main-Thread_ header and unknown client IPs.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.42 LTS
|
|
|
|
|
|
|
|
|
|
_Released in February 2, 2024_
|
|
|
|
|
* Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.14.0
|
|
|
|
|
|
|
|
|
|
_Released in January 24, 2024_
|
|
|
|
|
* Added new _config.json_ properties: _useClientCertificate_, _rejectUnauthorizedClientCertificates_, _cipherSuite_, _ecdhCurve_, _tlsMinVersion_, _tlsMaxVersion_, _signatureAlgorithms_ and _http2Settings_.
|
|
|
|
|
* Added support for web root postfixes (along with postfix prefixes).
|
|
|
|
|
* Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.13.1
|
|
|
|
|
|
|
|
|
|
_Released in January 18, 2024_
|
|
|
|
|
* Fixed error handling for invalid URL rewrite regexes.
|
|
|
|
|
* Fixed bug with non-working HTTP proxy handler (excluding CONNECT method).
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.41 LTS
|
|
|
|
|
|
|
|
|
|
_Released in January 14, 2024_
|
|
|
|
|
* Removed all remnants of "DorianTech".
|
|
|
|
|
* Mitigated log file injection vulnerability for HTTP authentication.
|
|
|
|
|
* Mitigated log file injection vulnerability for SVR.JS mod file names.
|
|
|
|
|
* SVR.JS no longer crashes, when access to a log file is denied.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.13.0
|
|
|
|
|
|
|
|
|
|
_Released in January 14, 2024_
|
|
|
|
|
* Added support for skipping URL rewriting, when the URL refers to a file or a directory.
|
|
|
|
|
* Dropped support for svrmodpack.
|
|
|
|
|
* Added support for 307 and 308 redirects (both in config.json and in redirect() SVR.JS API method).
|
|
|
|
|
@ -127,32 +127,32 @@ date: 2023-12-21 17:10:14
|
|
|
|
|
* SVR.JS no longer crashes, when access to a log file is denied.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.12.3
|
|
|
|
|
|
|
|
|
|
_Released in December 30, 2023_
|
|
|
|
|
* Removed all remnants of "DorianTech".
|
|
|
|
|
* Fixed bug with wildcard in domain name selectors.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.12.2
|
|
|
|
|
|
|
|
|
|
_Released in December 16, 2023_
|
|
|
|
|
* SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
|
|
|
|
|
* Add _Host_ header pre-processing.
|
|
|
|
|
* Changed SNI regular expression generation function.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.40 LTS
|
|
|
|
|
|
|
|
|
|
_Released in December 16, 2023_
|
|
|
|
|
* SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.12.1
|
|
|
|
|
|
|
|
|
|
_Released in December 12, 2023_
|
|
|
|
|
* Added client errors, server errors, and malformed HTTP request counts to SVR.JS status page.
|
|
|
|
|
* Fixed multiple XSS vulnerabilities.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.39 LTS
|
|
|
|
|
|
|
|
|
|
_Released in December 12, 2023_
|
|
|
|
|
* Invalid compression exclusion list regexes no longer crash SVR.JS.
|
|
|
|
|
* Fixed multiple XSS vulnerabilities.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.12.0
|
|
|
|
|
|
|
|
|
|
_Released in December 3, 2023_
|
|
|
|
|
* Added trailing slash redirect support.
|
|
|
|
|
* Added new _config.json_ property — _environmentVariables_.
|
|
|
|
|
* Replaces base 1000 size prefixes with base 1024 ones.
|
|
|
|
|
@ -161,62 +161,62 @@ date: 2023-12-21 17:10:14
|
|
|
|
|
* Corrected language errors — replaced _recieve_ with _receive_.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.38 LTS
|
|
|
|
|
|
|
|
|
|
_Released in November 12, 2023_
|
|
|
|
|
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
|
|
|
|
|
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
|
|
|
|
|
* Fixed crash while trying to report communication problem with workers.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.11.0
|
|
|
|
|
|
|
|
|
|
_Released in November 12, 2023_
|
|
|
|
|
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
|
|
|
|
|
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
|
|
|
|
|
* Fixed language errors in HTTP error code descriptions, error console messages and the index page.
|
|
|
|
|
* Updated the logo in the SVR.JS log viewer.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.37 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 17, 2023_
|
|
|
|
|
* Fixed bug with non-standard code regex replacements
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.10.3
|
|
|
|
|
|
|
|
|
|
_Released in September 17, 2023_
|
|
|
|
|
* Fixed bug with non-standard code regex replacements
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.10.2
|
|
|
|
|
|
|
|
|
|
_Released in September 12, 2023_
|
|
|
|
|
* Fixed bug with mods (and server-side JavaScript) executing in wrong order (bug was related with access control vulnerability fix; bug was not present in LTS versions)
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.36 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 12, 2023_
|
|
|
|
|
* Removed undocumented and non-working code.
|
|
|
|
|
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.10.1
|
|
|
|
|
|
|
|
|
|
_Released in September 12, 2023_
|
|
|
|
|
* Dropped _pretty-bytes_ dependency.
|
|
|
|
|
* Removed undocumented and non-working code.
|
|
|
|
|
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
|
|
|
|
|
* Replaced function converting byte count to human-readable representation with new one.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.35 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 11, 2023_
|
|
|
|
|
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
|
|
|
|
|
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
|
|
|
|
|
* Improved clustering shim for Bun.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.10.0
|
|
|
|
|
|
|
|
|
|
_Released in September 11, 2023_
|
|
|
|
|
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
|
|
|
|
|
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
|
|
|
|
|
* Improved clustering shim for Bun.
|
|
|
|
|
* Improved web root error handling.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.34 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 10, 2023_
|
|
|
|
|
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
|
|
|
|
|
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.9.6
|
|
|
|
|
|
|
|
|
|
_Released in September 10, 2023_
|
|
|
|
|
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
|
|
|
|
|
* Fixed log files only partially saving on failed master startup.
|
|
|
|
|
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
|
|
|
|
|
@ -245,14 +245,14 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
_This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.32 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 8, 2023_
|
|
|
|
|
* Added "svrmodpack" deprecation warning.
|
|
|
|
|
* Removed unmaintained primitive analytics mod.
|
|
|
|
|
* Removed unmaintained and undocumented hexstrbase64 library.
|
|
|
|
|
* Added TypeError workaround for Bun 1.0.0
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.9.4
|
|
|
|
|
|
|
|
|
|
_Released in September 8, 2023_
|
|
|
|
|
* Changed warning about no support for HTTP/2.
|
|
|
|
|
* Added "svrmodpack" deprecation warning.
|
|
|
|
|
* Removed unmaintained primitive analytics mod.
|
|
|
|
|
@ -260,31 +260,31 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Added TypeError workaround for Bun 1.0.0
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.31 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 7, 2023_
|
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.9.3
|
|
|
|
|
|
|
|
|
|
_Released in September 7, 2023_
|
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.30 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 6, 2023_
|
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.9.2
|
|
|
|
|
|
|
|
|
|
_Released in September 6, 2023_
|
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.29 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 5, 2023_
|
|
|
|
|
* Added new config.json property - exposeModsInErrorPages
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.9.1
|
|
|
|
|
|
|
|
|
|
_Released in September 5, 2023_
|
|
|
|
|
* Added new config.json property - exposeModsInErrorPages
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.9.0
|
|
|
|
|
|
|
|
|
|
_Released in September 3, 2023_
|
|
|
|
|
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
|
|
|
|
|
* Fixed bug with _wwwredirect_.
|
|
|
|
|
* Replaced HTTP => HTTPS redirect handler
|
|
|
|
|
@ -294,26 +294,26 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Added validation of X-Forwarded-For header
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.28 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 3, 2023_
|
|
|
|
|
* Added validation for X-Forwarded-For header.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.27 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 2, 2023_
|
|
|
|
|
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
|
|
|
|
|
* Fixed bug with _wwwredirect_.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.26 LTS
|
|
|
|
|
|
|
|
|
|
_Released in September 2, 2023_
|
|
|
|
|
* Changed default SVR.JS configuration.
|
|
|
|
|
* Disabled server-side script exposure by default.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.8.1
|
|
|
|
|
|
|
|
|
|
_Released in September 2, 2023_
|
|
|
|
|
* Changed default SVR.JS configuration.
|
|
|
|
|
* Disabled server-side script exposure by default.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.8.0
|
|
|
|
|
|
|
|
|
|
_Released in September 1, 2023_
|
|
|
|
|
* Added partial virtual hosting support
|
|
|
|
|
* Added _host_ field to _nonStandardCodes_ and _rewriteMap_ properties.
|
|
|
|
|
* Added _userList_ field to _nonStandardCodes_ properties (with _scode_ set to 401).
|
|
|
|
|
@ -321,46 +321,46 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Improved HTTP authentication error handling.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.25 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 31, 2023_
|
|
|
|
|
* Improved HTTP authentication error handling.
|
|
|
|
|
* Updated SVR.JS license.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.7.5
|
|
|
|
|
|
|
|
|
|
_Released in August 29, 2023_
|
|
|
|
|
* Fixed non-working blacklist.
|
|
|
|
|
* Updated SVR.JS license.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.24 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 28, 2023_
|
|
|
|
|
* Added reverse DNS lookup support.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.7.4
|
|
|
|
|
|
|
|
|
|
_Released in August 28, 2023_
|
|
|
|
|
* Added reverse DNS lookup support.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.23 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 25, 2023_
|
|
|
|
|
* Fixed server crashes while one of two ports are in use
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.7.3
|
|
|
|
|
|
|
|
|
|
_Released in August 25, 2023_
|
|
|
|
|
* Fixed server crashes while one of two ports are in use
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.22 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 21, 2023_
|
|
|
|
|
* ENAMETOOLONG errors now correspond to 414 code.
|
|
|
|
|
* EMFILE errors now correspond to 503 code.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.7.2
|
|
|
|
|
|
|
|
|
|
_Released in August 21, 2023_
|
|
|
|
|
* ENAMETOOLONG errors now correspond to 414 code.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.7.1
|
|
|
|
|
|
|
|
|
|
_Released in August 21, 2023_
|
|
|
|
|
* Fixed bug with SVR.JS hang-up check requests logged in server logs (bug occurred on upstream Node.JS v12.22.12).
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.21 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 20, 2023_
|
|
|
|
|
* Changed descriptions of 501 and 503 errors.
|
|
|
|
|
* Disabled open proxy in default server-side JavaScript.
|
|
|
|
|
* Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
|
|
|
|
|
@ -371,7 +371,7 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Updated svrpasswd tool.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.7.0
|
|
|
|
|
|
|
|
|
|
_Released in August 20, 2023_
|
|
|
|
|
* Added new config.json property - disableUnusedWorkerTermination.
|
|
|
|
|
* Added option to rewrite "dirty" URLs - rewriteDirtyURLs.
|
|
|
|
|
* Added PBKDF2 and scrypt support for HTTP authentication.
|
|
|
|
|
@ -391,117 +391,117 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Updated svrpasswd tool.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.20 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 4, 2023_
|
|
|
|
|
* Improved reliability while loading server-side JavaScript.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.6.4
|
|
|
|
|
|
|
|
|
|
_Released in August 4, 2023_
|
|
|
|
|
* Improved reliability while loading server-side JavaScript.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.19 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 3, 2023_
|
|
|
|
|
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.6.3
|
|
|
|
|
|
|
|
|
|
_Released in August 3, 2023_
|
|
|
|
|
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.18 LTS
|
|
|
|
|
|
|
|
|
|
_Released in August 2, 2023_
|
|
|
|
|
* Fixed bug with ENOTDIR error (was 500, now it's 404).
|
|
|
|
|
* Fixed bug with forbidden path checker.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.6.2
|
|
|
|
|
|
|
|
|
|
_Released in August 2, 2023_
|
|
|
|
|
* Fixed bug with ENOTDIR error (was 500, now it's 404).
|
|
|
|
|
* Fixed bug with forbidden path checker.
|
|
|
|
|
* Optimized regular expression creating function.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.17 LTS
|
|
|
|
|
|
|
|
|
|
_Released in July 28, 2023_
|
|
|
|
|
* Improved URL sanitizer.
|
|
|
|
|
* Fixed bug with formidable wrapper.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.6.1
|
|
|
|
|
|
|
|
|
|
_Released in July 28, 2023_
|
|
|
|
|
* Added support for ETags.
|
|
|
|
|
* Added new config.json property: enableETag.
|
|
|
|
|
* Improved URL sanitizer.
|
|
|
|
|
* Fixed bug with formidable wrapper.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.6.0
|
|
|
|
|
|
|
|
|
|
_Released in July 28, 2023_
|
|
|
|
|
* Optimized sanitized URL comparison function.
|
|
|
|
|
* Expanded warning messages.
|
|
|
|
|
* Added support for Unix sockets and Windows named pipes.
|
|
|
|
|
* Cleaned up SVR.JS code.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.16 LTS
|
|
|
|
|
|
|
|
|
|
_Released in July 26, 2023_
|
|
|
|
|
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
|
|
|
|
|
* Cleaned up code.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.5.6
|
|
|
|
|
|
|
|
|
|
_Released in July 26, 2023_
|
|
|
|
|
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
|
|
|
|
|
* Cleaned up code.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.15 LTS
|
|
|
|
|
|
|
|
|
|
_Released in July 18, 2023_
|
|
|
|
|
* Fixed broken URL sanitation redirect.
|
|
|
|
|
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.5.5
|
|
|
|
|
|
|
|
|
|
_Released in July 18, 2023_
|
|
|
|
|
* Fixed broken URL sanitation redirect.
|
|
|
|
|
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.14 LTS
|
|
|
|
|
|
|
|
|
|
_Released in July 18, 2023_
|
|
|
|
|
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.5.4
|
|
|
|
|
|
|
|
|
|
_Released in July 18, 2023_
|
|
|
|
|
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.13 LTS
|
|
|
|
|
|
|
|
|
|
_Released in July 17, 2023_
|
|
|
|
|
* Improved compatibility with Bun 0.9.14.
|
|
|
|
|
* Replaced more blocking system calls with non-blocking ones.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.5.3
|
|
|
|
|
|
|
|
|
|
_Released in July 17, 2023_
|
|
|
|
|
* Improved compatibility with Bun 0.9.14.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.5.2
|
|
|
|
|
|
|
|
|
|
_Released in July 17, 2023_
|
|
|
|
|
* Replaced more blocking system calls with non-blocking ones.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.5.1
|
|
|
|
|
|
|
|
|
|
_Released in July 16, 2023_
|
|
|
|
|
* Added better HTTP error handler.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.12 LTS
|
|
|
|
|
|
|
|
|
|
_Released in July 16, 2023_
|
|
|
|
|
* Added better HTTP error handler.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.5.0
|
|
|
|
|
|
|
|
|
|
_Released in July 16, 2023_
|
|
|
|
|
* Dropped support for Node.JS 8.x and 9.x.
|
|
|
|
|
* Directory listing icons now show even, if ".dirimages" directory is missing from web root.
|
|
|
|
|
* Updated formidable module.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.11 LTS
|
|
|
|
|
|
|
|
|
|
_Released in July 16, 2023_
|
|
|
|
|
* Added support for Brotli compression.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.10
|
|
|
|
|
|
|
|
|
|
_Released in July 15, 2023_
|
|
|
|
|
* Added OCSP module loading failure warning.
|
|
|
|
|
* SVR.JS now displays error message, when it's run on JS runtime non-compatible with Node.JS.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.9
|
|
|
|
|
|
|
|
|
|
_Released in July 14, 2023_
|
|
|
|
|
* Added new config.json option: enableOCSPStapling.
|
|
|
|
|
* Added support for OCSP stapling.
|
|
|
|
|
* Added new dependency: ocsp
|
|
|
|
|
@ -509,40 +509,40 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Optimized HTTP basic authentication algorithm.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.8
|
|
|
|
|
|
|
|
|
|
_Released in July 13, 2023_
|
|
|
|
|
* Added HTTP authentication brute force protection.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.7
|
|
|
|
|
|
|
|
|
|
_Released in July 11, 2023_
|
|
|
|
|
* Fixed SVR.JS crashing on Node.JS 8.x and 9.x.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.6
|
|
|
|
|
|
|
|
|
|
_Released in July 10, 2023_
|
|
|
|
|
* Improved reliability in loading mods, server-side JavaScript and saving configuration file.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.5
|
|
|
|
|
|
|
|
|
|
_Released in July 9, 2023_
|
|
|
|
|
* Fixed bug with custom head and SVR.JS status page.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.4
|
|
|
|
|
|
|
|
|
|
_Released in July 7, 2023_
|
|
|
|
|
* req.socket.realRemoteAddress and res.socket.realRemotePort are now original users remote address and port respectively.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.3
|
|
|
|
|
|
|
|
|
|
_Released in July 7, 2023_
|
|
|
|
|
* Fixed bug related with saving config.json.
|
|
|
|
|
* Disabled gzip compression for .gz files.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.2
|
|
|
|
|
|
|
|
|
|
_Released in July 7, 2023_
|
|
|
|
|
* Fixed bug with regular expression non-standard HTTP status codes.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.1
|
|
|
|
|
|
|
|
|
|
_Released in July 5, 2023_
|
|
|
|
|
* SVR.JS now uses 2 public IP providers: SeeIP.org and ipify.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.4.0
|
|
|
|
|
|
|
|
|
|
_Released in July 4, 2023_
|
|
|
|
|
* autocannon is no longer included with SVR.JS.
|
|
|
|
|
* Fixed requirement on pretty-bytes library.
|
|
|
|
|
* Removed version field from config.json
|
|
|
|
|
@ -551,15 +551,15 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* SVR.JS no longer displays native Node.JS error message, while SVR.JS is run on read-only file system.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.3.3
|
|
|
|
|
|
|
|
|
|
_Released in July 3, 2023_
|
|
|
|
|
* Improved reliability of loading mods and server-side JavaScript.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.3.2
|
|
|
|
|
|
|
|
|
|
_Released in July 2, 2023_
|
|
|
|
|
* Calling callServerError or res.writeHead mutltiple times now invokes a warning instead of crashing SVR.JS.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.3.1
|
|
|
|
|
|
|
|
|
|
_Released in July 1, 2023_
|
|
|
|
|
* Fixed bug: Logs didn't save during crash report generation.
|
|
|
|
|
* Fixed bug: Worker crashes didn't display message about starting new workers.
|
|
|
|
|
* Fixed bug with SVR.JS status page.
|
|
|
|
|
@ -568,34 +568,34 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* SVR.JS now uses WHATWG URL parser instead of deprecated url.parse() function.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.3.0
|
|
|
|
|
|
|
|
|
|
_Released in June 29, 2023_
|
|
|
|
|
* SVR.JS now forks itself at startup as many times the CPU host has cores (max 16 cores).
|
|
|
|
|
* Fixed bug and potential security vulnerability: Non-standard codes didn't work, and thus attackers could bypass HTTP authentication.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.2.1
|
|
|
|
|
|
|
|
|
|
_Released in June 28, 2023_
|
|
|
|
|
* Optimized SVR.JS blacklist and path sanitation code.
|
|
|
|
|
* Mitigated security vulnerability: Attacker could access directory listing of directory above web root using "/.." path.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.2.0
|
|
|
|
|
|
|
|
|
|
_Released in June 28, 2023_
|
|
|
|
|
* Optimized SVR.JS code.
|
|
|
|
|
* Logs from single-threaded SVR.JS now begin with "singlethread".
|
|
|
|
|
* Cyclic links now causes server to return 508 error instead of 404 error.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.1.2
|
|
|
|
|
|
|
|
|
|
_Released in June 27, 2023_
|
|
|
|
|
* Improved forbidden paths access control.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.1.1
|
|
|
|
|
|
|
|
|
|
_Released in June 26, 2023_
|
|
|
|
|
* SVR.JS is now able to run on Node.JS versions without crypto.
|
|
|
|
|
* Changed IP provider to SeeIP (used, when crypto support is available).
|
|
|
|
|
* Added new server status metrics: CPU usage percentage, Average request rate.
|
|
|
|
|
* Added new command: restart.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.1.0
|
|
|
|
|
|
|
|
|
|
_Released in June 26, 2023_
|
|
|
|
|
* SVR.JS is now able to run on Node.JS versions without crypto.
|
|
|
|
|
* Added HTTP/2 no-support indication for Bun.
|
|
|
|
|
* Added more indication of request methods.
|
|
|
|
|
@ -603,20 +603,20 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Updated supplied tar and minipass modules.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.0.3
|
|
|
|
|
|
|
|
|
|
_Released in June 26, 2023_
|
|
|
|
|
* Changed public IP provider to ipify.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.0.2
|
|
|
|
|
|
|
|
|
|
_Released in June 25, 2023_
|
|
|
|
|
* Fixed server-side JavaScript handling.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.0.1
|
|
|
|
|
|
|
|
|
|
_Released in June 25, 2023_
|
|
|
|
|
* Improved error stack generation.
|
|
|
|
|
* SVR.JS now serves files from directory on which script resides, unless wwwroot is specified.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 3.0.0
|
|
|
|
|
|
|
|
|
|
_Released in June 25, 2023_
|
|
|
|
|
* 502 errors now logs their stacks.
|
|
|
|
|
* Added better exception handler.
|
|
|
|
|
* Added callServerError function for use in server-side JavaScript and mods.
|
|
|
|
|
@ -762,27 +762,27 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Using SVR.JS as an proxy without proxy mod now returns no-proxy message.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 2.1.4
|
|
|
|
|
|
|
|
|
|
_Released in June 18, 2023_
|
|
|
|
|
* Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions. (fix backported from SVR.JS 3.0.0-beta19)
|
|
|
|
|
* Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta19)
|
|
|
|
|
|
|
|
|
|
## SVR.JS 2.1.3
|
|
|
|
|
|
|
|
|
|
_Released in May 13, 2023_
|
|
|
|
|
* Added new config.json properties: exposeServerVersion and stackHidden (backported from SVR.JS 3.0.0-beta1)
|
|
|
|
|
* Fixed path traversal vulnerability (fix backported from SVR.JS 3.0.0-beta1)
|
|
|
|
|
* Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta1)
|
|
|
|
|
* Fixed server crash on malformed URL (fix backported from SVR.JS 3.0.0-beta1)
|
|
|
|
|
|
|
|
|
|
## SVR.JS 2.1.2
|
|
|
|
|
|
|
|
|
|
_Released in August 23, 2020_
|
|
|
|
|
* Methods other than "POST", "GET", "OPTIONS" and "HEAD" are allowed.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 2.1.1
|
|
|
|
|
|
|
|
|
|
_Released in August 23, 2020_
|
|
|
|
|
* Fixed security vulnerability using directory listing to access secret files.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 2.1.0
|
|
|
|
|
|
|
|
|
|
_Released in August 22, 2020_
|
|
|
|
|
* Added new property of config.json "enableDirectoryListingWithDefaultHead".
|
|
|
|
|
* Added personalization of directory listing.
|
|
|
|
|
* Added compability with Node.JS v8.10.0
|
|
|
|
|
@ -793,7 +793,7 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Deleted analytics inside SVR.JS - those analytics are now in seperate mod, of which SVR.JS comes with it.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 2.0.0
|
|
|
|
|
|
|
|
|
|
_Released in August 21, 2020_
|
|
|
|
|
* Added support for .tar.gz mods and server side Javascript in .JS file.
|
|
|
|
|
* Moved directory listing icons to seperate directory.
|
|
|
|
|
* Replaced ASCII Art.
|
|
|
|
|
@ -811,17 +811,17 @@ _This version is unpublished and no longer available for download, because of fa
|
|
|
|
|
* Deleted "getip" command.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 1.2.2
|
|
|
|
|
|
|
|
|
|
_Released in August 16, 2020_
|
|
|
|
|
* Fixed bug, which caused mojibake in Unicode files.
|
|
|
|
|
* Fixed bug, which caused SVR.JS to require SSL certificate, even if HTTPS mode is disabled.
|
|
|
|
|
* Fixed bug, which caused SVR.JS to crash, if no mods are loaded.
|
|
|
|
|
* Fixed bug, which caused SVR.JS to display blank directory, if URL is with query.
|
|
|
|
|
|
|
|
|
|
## SVR.JS 1.2.1
|
|
|
|
|
|
|
|
|
|
_Released in August 14, 2020_
|
|
|
|
|
* Fixed bug, which caused SVR.JS in Ubuntu to not work
|
|
|
|
|
* Added platform showing
|
|
|
|
|
|
|
|
|
|
## SVR.JS 1.2.0
|
|
|
|
|
|
|
|
|
|
_Released in August 5, 2020_
|
|
|
|
|
* First released version of SVR.JS
|
|
|
|
|
|
