800 lines
31 KiB
Markdown
800 lines
31 KiB
Markdown
---
|
|
title: SVR.JS change log
|
|
excerpt: Learn more about changes introduced in various SVR.JS versions.
|
|
date: 2023-12-21 17:10:14
|
|
---
|
|
|
|
## SVR.JS 3.14.12
|
|
|
|
* Fix ".dirimages" directory returning an 500 error, if it is not present in the web root.
|
|
|
|
## SVR.JS 3.14.11
|
|
|
|
* Added CVE-2024-27982 Node.JS vulnerability warning.
|
|
* Fixed bug with Brotli compression not working, when SVR.JS is running on Bun.
|
|
* Improved the performance of the server.
|
|
|
|
## SVR.JS 3.14.10
|
|
|
|
* Disabled trailing slash removal for proxy requests.
|
|
|
|
## SVR.JS 3.14.9
|
|
|
|
* Changed default file extensions compression exclude list.
|
|
* Lifted _scrypt_ restrictions on Bun.
|
|
* Optimized server script size (268 KiB => 256 KiB).
|
|
* The compression exclude list is now in SVR.JS itself.
|
|
|
|
## SVR.JS 3.14.8
|
|
|
|
* Fixed bug with _res.writeHead_ method.
|
|
|
|
## SVR.JS 3.14.7
|
|
|
|
* Fixed bug with request domain names not showing in server logs.
|
|
|
|
## SVR.JS 3.14.6
|
|
|
|
* Added CVE-2024-22019 Node.JS vulnerability warning.
|
|
* Improved protection against user enumeration in HTTP authentication.
|
|
* Replaced block list message with generic 403 Forbidden error.
|
|
* Replaced some instances of "blacklist" with "block list".
|
|
* Some terminal output is now bold.
|
|
* Updated SVR.JS log viewer (_logviewer.js_) and log highlighter (_loghighlight.js_)
|
|
* When "block localhost" CLI command is executed, SVR.JS now adds "localhost" to the block list instead of "::ffff:localhost".
|
|
|
|
## SVR.JS 3.14.5
|
|
|
|
* Fixed "www." URL redirect functionality.
|
|
* Improved HTTP/1.x API compatibility with HTTP/2.
|
|
|
|
## SVR.JS 3.14.4
|
|
|
|
* Updated _tar_ and _graceful-fs_ libraries.
|
|
* Added support for URLs with double slashes.
|
|
* Rewritten HTTP to HTTPS redirect functionality.
|
|
* Changed default directory listing icons.
|
|
|
|
## SVR.JS 3.14.3
|
|
|
|
* Fixed bug with URLs beginning with multiple slashes being rewritten incorrectly.
|
|
|
|
## SVR.JS 3.14.2
|
|
|
|
* Added new SVR.JS mod and server-side JavaScript property: _authUser_.
|
|
|
|
## SVR.JS 3.14.1
|
|
|
|
* Added support for IP-based virtual hosts.
|
|
* Fixed SVR.JS crashes with _X-SVR-JS-From-Main-Thread_ header and unknown client IPs.
|
|
|
|
## SVR.JS 3.4.42 LTS
|
|
|
|
* Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.
|
|
|
|
## SVR.JS 3.14.0
|
|
|
|
* Added new _config.json_ properties: _useClientCertificate_, _rejectUnauthorizedClientCertificates_, _cipherSuite_, _ecdhCurve_, _tlsMinVersion_, _tlsMaxVersion_, _signatureAlgorithms_ and _http2Settings_.
|
|
* Added support for web root postfixes (along with postfix prefixes).
|
|
* Custom head and foot inclusion is now returning 500 error in case of server error instead of crashing the server.
|
|
|
|
## SVR.JS 3.13.1
|
|
|
|
* Fixed error handling for invalid URL rewrite regexes.
|
|
* Fixed bug with non-working HTTP proxy handler (excluding CONNECT method).
|
|
|
|
## SVR.JS 3.4.41 LTS
|
|
|
|
* Removed all remnants of "DorianTech".
|
|
* Mitigated log file injection vulnerability for HTTP authentication.
|
|
* Mitigated log file injection vulnerability for SVR.JS mod file names.
|
|
* SVR.JS no longer crashes, when access to a log file is denied.
|
|
|
|
## SVR.JS 3.13.0
|
|
|
|
* Added support for skipping URL rewriting, when the URL refers to a file or a directory.
|
|
* Dropped support for svrmodpack.
|
|
* Added support for 307 and 308 redirects (both in config.json and in redirect() SVR.JS API method).
|
|
* Mitigated log file injection vulnerability for HTTP authentication.
|
|
* Mitigated log file injection vulnerability for SVR.JS mod file names.
|
|
* SVR.JS no longer crashes, when access to a log file is denied.
|
|
|
|
## SVR.JS 3.12.3
|
|
|
|
* Removed all remnants of "DorianTech".
|
|
* Fixed bug with wildcard in domain name selectors.
|
|
|
|
## SVR.JS 3.12.2
|
|
|
|
* SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
|
|
* Add _Host_ header pre-processing.
|
|
* Changed SNI regular expression generation function.
|
|
|
|
## SVR.JS 3.4.40 LTS
|
|
|
|
* SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.
|
|
|
|
## SVR.JS 3.12.1
|
|
|
|
* Added client errors, server errors, and malformed HTTP request counts to SVR.JS status page.
|
|
* Fixed multiple XSS vulnerabilities.
|
|
|
|
## SVR.JS 3.4.39 LTS
|
|
|
|
* Invalid compression exclusion list regexes no longer crash SVR.JS.
|
|
* Fixed multiple XSS vulnerabilities.
|
|
|
|
## SVR.JS 3.12.0
|
|
|
|
* Added trailing slash redirect support.
|
|
* Added new _config.json_ property — _environmentVariables_.
|
|
* Replaces base 1000 size prefixes with base 1024 ones.
|
|
* Invalid compression exclusion list regexes no longer crash SVR.JS.
|
|
* Changed invalid regex error message.
|
|
* Corrected language errors — replaced _recieve_ with _receive_.
|
|
|
|
## SVR.JS 3.4.38 LTS
|
|
|
|
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
|
|
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
|
|
* Fixed crash while trying to report communication problem with workers.
|
|
|
|
## SVR.JS 3.11.0
|
|
|
|
* SVR.JS now sends configuration file saving request to one random good worker instead of all workers to prevent configuration file corruption.
|
|
* Fixed crashes due to destroyed HTTP/2 stream (Node.JS bug: [https://github.com/nodejs/node/issues/24470](https://github.com/nodejs/node/issues/24470))
|
|
* Fixed language errors in HTTP error code descriptions, error console messages and the index page.
|
|
* Updated the logo in the SVR.JS log viewer.
|
|
|
|
## SVR.JS 3.4.37 LTS
|
|
|
|
* Fixed bug with non-standard code regex replacements
|
|
|
|
## SVR.JS 3.10.3
|
|
|
|
* Fixed bug with non-standard code regex replacements
|
|
|
|
## SVR.JS 3.10.2
|
|
|
|
* Fixed bug with mods (and server-side JavaScript) executing in wrong order (bug was related with access control vulnerability fix; bug was not present in LTS versions)
|
|
|
|
## SVR.JS 3.4.36 LTS
|
|
|
|
* Removed undocumented and non-working code.
|
|
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
|
|
|
|
## SVR.JS 3.10.1
|
|
|
|
* Dropped _pretty-bytes_ dependency.
|
|
* Removed undocumented and non-working code.
|
|
* Fixed bug: _.notindex_ files in directories now no longer cause server timeouts caused by non-working undocumented code.
|
|
* Replaced function converting byte count to human-readable representation with new one.
|
|
|
|
## SVR.JS 3.4.35 LTS
|
|
|
|
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
|
|
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
|
|
* Improved clustering shim for Bun.
|
|
|
|
## SVR.JS 3.10.0
|
|
|
|
* Added warning about worker count being limited to one when using Bun 1.0 and newer with shimmed (not native) clustering module.
|
|
* Disabled server-side JavaScript bug workaround for Bun 1.0 and newer (it's not needed anymore for these Bun versions).
|
|
* Improved clustering shim for Bun.
|
|
* Improved web root error handling.
|
|
|
|
## SVR.JS 3.4.34 LTS
|
|
|
|
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
|
|
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
|
|
|
|
## SVR.JS 3.9.6
|
|
|
|
* Changed _enableRemoteLogBrowsing_ property to be `false` by default.
|
|
* Fixed log files only partially saving on failed master startup.
|
|
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
|
|
* SVR.JS now logs certificate loading errors.
|
|
|
|
## <s>SVR.JS 3.4.33 LTS</s>
|
|
|
|
<s>
|
|
|
|
* Changed enableRemoteLogBrowsing property to be false by default.
|
|
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
|
|
|
|
</s>
|
|
|
|
_This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._
|
|
|
|
## <s>SVR.JS 3.9.5</s>
|
|
|
|
<s>
|
|
|
|
* Changed enableRemoteLogBrowsing property to be false by default.
|
|
* Mitigated security vulnerability: Sensitive data is no longer leaked from temp directory inside SVR.JS installation directory.
|
|
|
|
</s>
|
|
|
|
_This version is unpublished and no longer available for download, because of failed security vulnerability mitigation._
|
|
|
|
## SVR.JS 3.4.32 LTS
|
|
|
|
* Added "svrmodpack" deprecation warning.
|
|
* Removed unmaintained primitive analytics mod.
|
|
* Removed unmaintained and undocumented hexstrbase64 library.
|
|
* Added TypeError workaround for Bun 1.0.0
|
|
|
|
## SVR.JS 3.9.4
|
|
|
|
* Changed warning about no support for HTTP/2.
|
|
* Added "svrmodpack" deprecation warning.
|
|
* Removed unmaintained primitive analytics mod.
|
|
* Removed unmaintained and undocumented hexstrbase64 library.
|
|
* Added TypeError workaround for Bun 1.0.0
|
|
|
|
## SVR.JS 3.4.31 LTS
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
|
|
|
|
## SVR.JS 3.9.3
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript not using href or uobject.pathname in some path checks are no longer vulnerable to access control bypass (from SVR.JS configuration).
|
|
|
|
## SVR.JS 3.4.30 LTS
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
|
|
|
|
## SVR.JS 3.9.2
|
|
|
|
* Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url are no longer vulnerable to path traversal (not including query strings).
|
|
|
|
## SVR.JS 3.4.29 LTS
|
|
|
|
* Added new config.json property - exposeModsInErrorPages
|
|
|
|
## SVR.JS 3.9.1
|
|
|
|
* Added new config.json property - exposeModsInErrorPages
|
|
|
|
## SVR.JS 3.9.0
|
|
|
|
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
|
|
* Fixed bug with _wwwredirect_.
|
|
* Replaced HTTP => HTTPS redirect handler
|
|
* Added support for listening to specific IP address.
|
|
* Added new config.json property - useWebRootServerSideScript
|
|
* Added notice about logged user (HTTP authentication).
|
|
* Added validation of X-Forwarded-For header
|
|
|
|
## SVR.JS 3.4.28 LTS
|
|
|
|
* Added validation for X-Forwarded-For header.
|
|
|
|
## SVR.JS 3.4.27 LTS
|
|
|
|
* Dropped support for undocumented unused non-standard SVR.JS-specific headers.
|
|
* Fixed bug with _wwwredirect_.
|
|
|
|
## SVR.JS 3.4.26 LTS
|
|
|
|
* Changed default SVR.JS configuration.
|
|
* Disabled server-side script exposure by default.
|
|
|
|
## SVR.JS 3.8.1
|
|
|
|
* Changed default SVR.JS configuration.
|
|
* Disabled server-side script exposure by default.
|
|
|
|
## SVR.JS 3.8.0
|
|
|
|
* Added partial virtual hosting support
|
|
* Added _host_ field to _nonStandardCodes_ and _rewriteMap_ properties.
|
|
* Added _userList_ field to _nonStandardCodes_ properties (with _scode_ set to 401).
|
|
* Added new config.json properties: _errorPages_, _enableDirectoryListingVHost_ and _customHeadersVHost_.
|
|
* Improved HTTP authentication error handling.
|
|
|
|
## SVR.JS 3.4.25 LTS
|
|
|
|
* Improved HTTP authentication error handling.
|
|
* Updated SVR.JS license.
|
|
|
|
## SVR.JS 3.7.5
|
|
|
|
* Fixed non-working blacklist.
|
|
* Updated SVR.JS license.
|
|
|
|
## SVR.JS 3.4.24 LTS
|
|
|
|
* Added reverse DNS lookup support.
|
|
|
|
## SVR.JS 3.7.4
|
|
|
|
* Added reverse DNS lookup support.
|
|
|
|
## SVR.JS 3.4.23 LTS
|
|
|
|
* Fixed server crashes while one of two ports are in use
|
|
|
|
## SVR.JS 3.7.3
|
|
|
|
* Fixed server crashes while one of two ports are in use
|
|
|
|
## SVR.JS 3.4.22 LTS
|
|
|
|
* ENAMETOOLONG errors now correspond to 414 code.
|
|
* EMFILE errors now correspond to 503 code.
|
|
|
|
## SVR.JS 3.7.2
|
|
|
|
* ENAMETOOLONG errors now correspond to 414 code.
|
|
|
|
## SVR.JS 3.7.1
|
|
|
|
* Fixed bug with SVR.JS hang-up check requests logged in server logs (bug occurred on upstream Node.JS v12.22.12).
|
|
|
|
## SVR.JS 3.4.21 LTS
|
|
|
|
* Changed descriptions of 501 and 503 errors.
|
|
* Disabled open proxy in default server-side JavaScript.
|
|
* Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
|
|
* Fixed redirect loops related to URL sanitizer.
|
|
* Fixed SVR.JS proxy API (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback]).
|
|
* Improved Bun IPC shim connection error handling.
|
|
* Improved server error handling for Bun.
|
|
* Updated svrpasswd tool.
|
|
|
|
## SVR.JS 3.7.0
|
|
|
|
* Added new config.json property - disableUnusedWorkerTermination.
|
|
* Added option to rewrite "dirty" URLs - rewriteDirtyURLs.
|
|
* Added PBKDF2 and scrypt support for HTTP authentication.
|
|
* Added termination of unused workers.
|
|
* Changed descriptions of 501 and 503 errors.
|
|
* Disabled checking for hung up server processes, while SVR.JS is not yet listening.
|
|
* Disabled open proxy in default server-side JavaScript.
|
|
* Disabled X-SVR-JS-From-Main-Thread header for non-localhost clients.
|
|
* EMFILE errors now correspond to 503 Service Unavailable error code.
|
|
* Fixed NotImplementedError in "cluster" module when running SVR.JS on newer versions of Bun.
|
|
* Fixed redirect loops related to URL sanitizer.
|
|
* Fixed SVR.JS proxy API. (fixed bug, which relied of calling wrong callback [Mod.callback] instead of proper one [Mod.proxyCallback])
|
|
* Improved Bun IPC shim connection error handling.
|
|
* Improved extension checking function in directory listing generation.
|
|
* Improved server error handling for Bun.
|
|
* SVR.JS now exits gracefully on "stop" command.
|
|
* Updated svrpasswd tool.
|
|
|
|
## SVR.JS 3.4.20 LTS
|
|
|
|
* Improved reliability while loading server-side JavaScript.
|
|
|
|
## SVR.JS 3.6.4
|
|
|
|
* Improved reliability while loading server-side JavaScript.
|
|
|
|
## SVR.JS 3.4.19 LTS
|
|
|
|
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
|
|
|
|
## SVR.JS 3.6.3
|
|
|
|
* Fixed bug with directory listing generating invalid HTML with custom head containing _<html>_ tag with attributes.
|
|
|
|
## SVR.JS 3.4.18 LTS
|
|
|
|
* Fixed bug with ENOTDIR error (was 500, now it's 404).
|
|
* Fixed bug with forbidden path checker.
|
|
|
|
## SVR.JS 3.6.2
|
|
|
|
* Fixed bug with ENOTDIR error (was 500, now it's 404).
|
|
* Fixed bug with forbidden path checker.
|
|
* Optimized regular expression creating function.
|
|
|
|
## SVR.JS 3.4.17 LTS
|
|
|
|
* Improved URL sanitizer.
|
|
* Fixed bug with formidable wrapper.
|
|
|
|
## SVR.JS 3.6.1
|
|
|
|
* Added support for ETags.
|
|
* Added new config.json property: enableETag.
|
|
* Improved URL sanitizer.
|
|
* Fixed bug with formidable wrapper.
|
|
|
|
## SVR.JS 3.6.0
|
|
|
|
* Optimized sanitized URL comparison function.
|
|
* Expanded warning messages.
|
|
* Added support for Unix sockets and Windows named pipes.
|
|
* Cleaned up SVR.JS code.
|
|
|
|
## SVR.JS 3.4.16 LTS
|
|
|
|
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
|
|
* Cleaned up code.
|
|
|
|
## SVR.JS 3.5.6
|
|
|
|
* Improved URL sanitizer and mitigates security vulnerability: attacker could use "..." to traverse directories, while SVR.JS is run in Windows.
|
|
* Cleaned up code.
|
|
|
|
## SVR.JS 3.4.15 LTS
|
|
|
|
* Fixed broken URL sanitation redirect.
|
|
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
|
|
|
|
## SVR.JS 3.5.5
|
|
|
|
* Fixed broken URL sanitation redirect.
|
|
* Improved URL sanitizer. ("%2F" now turns into "/" instead of "%252F")
|
|
|
|
## SVR.JS 3.4.14 LTS
|
|
|
|
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
|
|
|
|
## SVR.JS 3.5.4
|
|
|
|
* Fixed bug: SVR.JS mods now load reliably with multiple threads on startup.
|
|
|
|
## SVR.JS 3.4.13 LTS
|
|
|
|
* Improved compatibility with Bun 0.9.14.
|
|
* Replaced more blocking system calls with non-blocking ones.
|
|
|
|
## SVR.JS 3.5.3
|
|
|
|
* Improved compatibility with Bun 0.9.14.
|
|
|
|
## SVR.JS 3.5.2
|
|
|
|
* Replaced more blocking system calls with non-blocking ones.
|
|
|
|
## SVR.JS 3.5.1
|
|
|
|
* Added better HTTP error handler.
|
|
|
|
## SVR.JS 3.4.12 LTS
|
|
|
|
* Added better HTTP error handler.
|
|
|
|
## SVR.JS 3.5.0
|
|
|
|
* Dropped support for Node.JS 8.x and 9.x.
|
|
* Directory listing icons now show even, if ".dirimages" directory is missing from web root.
|
|
* Updated formidable module.
|
|
|
|
## SVR.JS 3.4.11 LTS
|
|
|
|
* Added support for Brotli compression.
|
|
|
|
## SVR.JS 3.4.10
|
|
|
|
* Added OCSP module loading failure warning.
|
|
* SVR.JS now displays error message, when it's run on JS runtime non-compatible with Node.JS.
|
|
|
|
## SVR.JS 3.4.9
|
|
|
|
* Added new config.json option: enableOCSPStapling.
|
|
* Added support for OCSP stapling.
|
|
* Added new dependency: ocsp
|
|
* Replaced some blocking system calls in directory listing function with non-blocking ones.
|
|
* Optimized HTTP basic authentication algorithm.
|
|
|
|
## SVR.JS 3.4.8
|
|
|
|
* Added HTTP authentication brute force protection.
|
|
|
|
## SVR.JS 3.4.7
|
|
|
|
* Fixed SVR.JS crashing on Node.JS 8.x and 9.x.
|
|
|
|
## SVR.JS 3.4.6
|
|
|
|
* Improved reliability in loading mods, server-side JavaScript and saving configuration file.
|
|
|
|
## SVR.JS 3.4.5
|
|
|
|
* Fixed bug with custom head and SVR.JS status page.
|
|
|
|
## SVR.JS 3.4.4
|
|
|
|
* req.socket.realRemoteAddress and res.socket.realRemotePort are now original users remote address and port respectively.
|
|
|
|
## SVR.JS 3.4.3
|
|
|
|
* Fixed bug related with saving config.json.
|
|
* Disabled gzip compression for .gz files.
|
|
|
|
## SVR.JS 3.4.2
|
|
|
|
* Fixed bug with regular expression non-standard HTTP status codes.
|
|
|
|
## SVR.JS 3.4.1
|
|
|
|
* SVR.JS now uses 2 public IP providers: SeeIP.org and ipify.
|
|
|
|
## SVR.JS 3.4.0
|
|
|
|
* autocannon is no longer included with SVR.JS.
|
|
* Fixed requirement on pretty-bytes library.
|
|
* Removed version field from config.json
|
|
* Fixed random worker crashes that occur, while config.json is saved.
|
|
* SVR.JS no longer overrides config.json values, that are set after SVR.JS has been started.
|
|
* SVR.JS no longer displays native Node.JS error message, while SVR.JS is run on read-only file system.
|
|
|
|
## SVR.JS 3.3.3
|
|
|
|
* Improved reliability of loading mods and server-side JavaScript.
|
|
|
|
## SVR.JS 3.3.2
|
|
|
|
* Calling callServerError or res.writeHead mutltiple times now invokes a warning instead of crashing SVR.JS.
|
|
|
|
## SVR.JS 3.3.1
|
|
|
|
* Fixed bug: Logs didn't save during crash report generation.
|
|
* Fixed bug: Worker crashes didn't display message about starting new workers.
|
|
* Fixed bug with SVR.JS status page.
|
|
* Added image icons for .ico and .icn files in directory listings.
|
|
* Added OpenSSL 1.x EOL warning message.
|
|
* SVR.JS now uses WHATWG URL parser instead of deprecated url.parse() function.
|
|
|
|
## SVR.JS 3.3.0
|
|
|
|
* SVR.JS now forks itself at startup as many times the CPU host has cores (max 16 cores).
|
|
* Fixed bug and potential security vulnerability: Non-standard codes didn't work, and thus attackers could bypass HTTP authentication.
|
|
|
|
## SVR.JS 3.2.1
|
|
|
|
* Optimized SVR.JS blacklist and path sanitation code.
|
|
* Mitigated security vulnerability: Attacker could access directory listing of directory above web root using "/.." path.
|
|
|
|
## SVR.JS 3.2.0
|
|
|
|
* Optimized SVR.JS code.
|
|
* Logs from single-threaded SVR.JS now begin with "singlethread".
|
|
* Cyclic links now causes server to return 508 error instead of 404 error.
|
|
|
|
## SVR.JS 3.1.2
|
|
|
|
* Improved forbidden paths access control.
|
|
|
|
## SVR.JS 3.1.1
|
|
|
|
* SVR.JS is now able to run on Node.JS versions without crypto.
|
|
* Changed IP provider to SeeIP (used, when crypto support is available).
|
|
* Added new server status metrics: CPU usage percentage, Average request rate.
|
|
* Added new command: restart.
|
|
|
|
## SVR.JS 3.1.0
|
|
|
|
* SVR.JS is now able to run on Node.JS versions without crypto.
|
|
* Added HTTP/2 no-support indication for Bun.
|
|
* Added more indication of request methods.
|
|
* Cleaned up SVR.JS code.
|
|
* Updated supplied tar and minipass modules.
|
|
|
|
## SVR.JS 3.0.3
|
|
|
|
* Changed public IP provider to ipify.
|
|
|
|
## SVR.JS 3.0.2
|
|
|
|
* Fixed server-side JavaScript handling.
|
|
|
|
## SVR.JS 3.0.1
|
|
|
|
* Improved error stack generation.
|
|
* SVR.JS now serves files from directory on which script resides, unless wwwroot is specified.
|
|
|
|
## SVR.JS 3.0.0
|
|
|
|
* 502 errors now logs their stacks.
|
|
* Added better exception handler.
|
|
* Added callServerError function for use in server-side JavaScript and mods.
|
|
* Added cluster+ipc shim used when SVR.JS is running on Bun (SVR.JS can now run multi-threaded on Bun).
|
|
* Added command-line parameter: -v/--version.
|
|
* Added Content-Range support for static files.
|
|
* Added custom Expect header handler.
|
|
* Added custom request parse error handler.
|
|
* Added date and time to logs.
|
|
* Added --disable-mods option. (disables all mods and server side JavaScript)
|
|
* Added displaying of contact information on 500 error.
|
|
* Added experimental support for Bun (no SVR.JS command line for now...).
|
|
* Added HTTP status code message to logs.
|
|
* Added new command-line option: --single-threaded
|
|
* Added new config.json properties: sni, serverAdministratorEmail, stackHidden, enableRemoteLogBrowsing, dontCompress, enableIPSpoofing, allowStatus, disableServerSideScriptExpose, exposeServerVersion, rewriteMap, secure, wwwroot, disableNonEncryptedServer and disableToHTTPSRedirect.
|
|
* Added new depedency - formidable.
|
|
* Added new method callable from mods: getCustomHeaders (gets headers from config.json file along with "Server" header).
|
|
* Added new mod methods - getCustomHeaders, origHref, parsePostData and redirect.
|
|
* Added new server-side JavaScript fields - customvar1, customvar2, customvar3, customvar4.
|
|
* Added new utility: log highlighter at loghighlighter.js
|
|
* Added new utility: log viewer at logviewer.js
|
|
* Added new utility: SVR.JS user utility at svrpasswd.js
|
|
* Added option to disable HTTP => HTTPS redirect server.
|
|
* Added option to listen only for HTTPS.
|
|
* Added {path} directive in custom error pages and headers.
|
|
* Added RegEx support for non-standard error codes.
|
|
* Added request ID to logs.
|
|
* Added server error descriptions.
|
|
* Added SNI support.
|
|
* Added status page at /svrjsstatus.svr.
|
|
* Added support for CIDR notation in non-standard codes.
|
|
* Added support for CONNECT method (along with mod callbacks).
|
|
* Added support for HTTP authentication.
|
|
* Added support for RegEx for nonStandardCodes property.
|
|
* Added support for X-Forwarded-For header.
|
|
* Added URL rewriting.
|
|
* Added warning, when SVR.JS is run as root.
|
|
* Addedd error message in case SVR.JS is attempted to be started without Node.JS.
|
|
* Allowed Node.JS versions without HTTP/2 support. (although HTTP/2 will not work)
|
|
* Allowed starting without Internet connection.
|
|
* Attackers can no longer bypass content blocking mechanism (non-standard codes set in config.json), when SVR.JS is run in Windows.
|
|
* Attackers can no longer bypass content blocking mechanism, when SVR.JS is run in Windows.
|
|
* Bare minimum now requires only "svr.js" script and node_modules directory.
|
|
* Broken server availability addresses are now invisible in the console.
|
|
* Change of working directory is now possible.
|
|
* Changed demo server-side JavaScript to use new callServerError function.
|
|
* Changed file type icons.
|
|
* Changed HTTP error descriptions.
|
|
* Changed log format.
|
|
* Changed logo to new one.
|
|
* Changed SVR.JS log descriptions.
|
|
* config.json options which are not used by SVR.JS are now kept.
|
|
* Configuration file now has diffrent placeholder content.
|
|
* Connection messages when using SVR.JS as proxy aren't longer broken.
|
|
* Connection with null req.socket are now dropped.
|
|
* Corrected handling of multi-line log messages.
|
|
* Custom headers are no longer set by default on proxy requests.
|
|
* DEBUG: /crash.svr crashes the server (only in Nightly).
|
|
* Default content type can be no longer set.
|
|
* Deprecated config.json property: defaultpage.
|
|
* Directory listing custom foots now are displayed even if foot.html file doesn't exist.
|
|
* Directory listing custom heads now are displayed even if head.html file doesn't exist.
|
|
* Directory listing no longer breaks with "<" and ">" characters (XSS mitigated).
|
|
* Directory listing now shows original URL, when URL is rewritten.
|
|
* Directory listing now shows whatever the file is block device, chacter device, FIFO or socket.
|
|
* Directory traversal through symbolic links is no longer possible (new URL sanitation function).
|
|
* Disabled HTTP compression for w3m and Netscape 4.x.
|
|
* Error pages can use new format: .<error_code> instead of <error_code>.html.
|
|
* Error stack can be now hidden using stackHidden property.
|
|
* Factory reset no longer replaces config.json with placeholder one.
|
|
* Files without extension are no longer presented as HTML content.
|
|
* Fixed bug: Blacklist didn't save into config.json file.
|
|
* Fixed bug: Downloading files above 2GB now works properly.
|
|
* Fixed bug: Next thread no longer starts after closing ports.
|
|
* Fixed bug related to broken access controls in SVR.JS when it's run in Windows.
|
|
* Fixed bug with server version exposure.
|
|
* Fixed crash on malformed public IP check response.
|
|
* Fixed crashes with TCP resets, when using default handler for CONNECT method.
|
|
* Fixed default config.json file.
|
|
* Fixed directory listing, when URL contains "@" or "?"
|
|
* Fixed filterHeaders method.
|
|
* Fixed handling of some proxy requests by default redirect server.
|
|
* Fixed HEAD method handling.
|
|
* Fixed HTTP compression.
|
|
* Fixed master process crash, when unable to fork process.
|
|
* Fixed process crash, when unable to save to a log file.
|
|
* Fixed proxy mod loader.
|
|
* Fixed public IP address identification on server console.
|
|
* Fixed security vulnerability: Attacker could append "%00" to URL to bypass access restrictions when SVR.JS is running on Bun.
|
|
* Fixed security vulnerability: Attacker could send specially constructed HTTP request to bypass content block mechanism.
|
|
* Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions.
|
|
* Fixed server endlessly spawning threads in Node.JS 20.x.
|
|
* Fixed SVR.JS not able to start in Android (d/node.js).
|
|
* Fixed SVR.JS not able to start in Node.JS 16.x in Haiku OS.
|
|
* Fixed URL mojibake.
|
|
* Fixed website block, when SVR.JS is running on Bun
|
|
* Fixed XSS bug in host name indication in default error pages.
|
|
* HTTP => HTTPS redirect server now returns 400 error when no host is specified.
|
|
* HTTP requests made to HTTPS server now return 497 error page.
|
|
* HTTP requests using CONNECT method now return 501 error, if SVR.JS is run on Bun.
|
|
* Icons on directory listings are no longer stretched, when padding is applies to the table.
|
|
* Improved bad request handler.
|
|
* Improved compatibility with Bun.
|
|
* Improved compatibility with Node.JS 20.x.
|
|
* Improved default error pages and directory listings for mobile devices.
|
|
* Improved directory listings.
|
|
* Improved file handling by URL.
|
|
* Improved handling of 405 error.
|
|
* Improved handling of OPTIONS method.
|
|
* Improved HTTP => HTTPS redirect handler.
|
|
* Improved HTTP/2 => HTTP/1.x translation API.
|
|
* Improved possible server access URLs.
|
|
* IPv6 URLs are now shown properly.
|
|
* Links now show sizes of referenced file in directory listing.
|
|
* Logs are no longer remotely accessible, when enableRemoteLogBrowsing is set to false.
|
|
* Made HTTP => HTTPS redirect server more compatible with Node.JS 20.x.
|
|
* Main script moved to "svr.js" file.
|
|
* Many request problem will now result in 500 error instead of crash.
|
|
* Mitigated path traversal at bad URL rewriting.
|
|
* Mod loader no longer uses eval.
|
|
* Node.JS version is now exposed in Server header (unless exposeServerVersion is false).
|
|
* Non-standard codes no longer works on proxy requests.
|
|
* Patched supplied fs-minipass module to work with Bun.
|
|
* Removed strict depedencies for: tar, svrmodpack, hexstrbase64 and formidable.
|
|
* Removed "Welcome to DorianTech Node.JS Server!" and "Goodbye." log, rendering welcomeMessage property useless.
|
|
* Replaced 403 error page specific to disabled directory listing with generic one.
|
|
* Replaced "domian" property with "domain" in config.json.
|
|
* Replaced URL sanitation algorithm with faster one.
|
|
* Server is now more protected against directory traversal attack.
|
|
* Server no longer crashes on some malformed URIs.
|
|
* Server now returns 403 error, when server software itself doesn't have permissions to access files.
|
|
* Size function now requires pretty-bytes library.
|
|
* Size function now uses custom fallback.
|
|
* Stack traces from 500 errors are now displayed in logs.
|
|
* SVR.JS doesn't use template config.json anymore, if config.json doesn't exist
|
|
* SVR.JS no longer crashes on mod loading problem.
|
|
* SVR.JS no longer crashes when displaying listing of directory containing invalid files.
|
|
* SVR.JS no longer drops connections having null response socket.
|
|
* SVR.JS now keeps unused properties of config.json file.
|
|
* SVR.JS used as HTTPS server works even without key and cert fields in config.json.
|
|
* SVR.JS version is no longer leaked via svr.js file, when exposeServerVersion property is set to false.
|
|
* Updated supplied mime-types and mime-db modules.
|
|
* Using SVR.JS as an proxy without proxy mod now returns no-proxy message.
|
|
|
|
## SVR.JS 2.1.4
|
|
|
|
* Fixed security vulnerability: Attacker could used encoded characters to bypass access restrictions. (fix backported from SVR.JS 3.0.0-beta19)
|
|
* Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta19)
|
|
|
|
## SVR.JS 2.1.3
|
|
|
|
* Added new config.json properties: exposeServerVersion and stackHidden (backported from SVR.JS 3.0.0-beta1)
|
|
* Fixed path traversal vulnerability (fix backported from SVR.JS 3.0.0-beta1)
|
|
* Fixed access control bypass vulnerability, when server is run in Windows (fix backported from SVR.JS 3.0.0-beta1)
|
|
* Fixed server crash on malformed URL (fix backported from SVR.JS 3.0.0-beta1)
|
|
|
|
## SVR.JS 2.1.2
|
|
|
|
* Methods other than "POST", "GET", "OPTIONS" and "HEAD" are allowed.
|
|
|
|
## SVR.JS 2.1.1
|
|
|
|
* Fixed security vulnerability using directory listing to access secret files.
|
|
|
|
## SVR.JS 2.1.0
|
|
|
|
* Added new property of config.json "enableDirectoryListingWithDefaultHead".
|
|
* Added personalization of directory listing.
|
|
* Added compability with Node.JS v8.10.0
|
|
* Replaced MIME type table with one from mime-types module.
|
|
* Fixed bug: Directory listing shows wrong icons.
|
|
* Changed icons in directory listing.
|
|
* Changed size display in directory listing.
|
|
* Deleted analytics inside SVR.JS - those analytics are now in seperate mod, of which SVR.JS comes with it.
|
|
|
|
## SVR.JS 2.0.0
|
|
|
|
* Added support for .tar.gz mods and server side Javascript in .JS file.
|
|
* Moved directory listing icons to seperate directory.
|
|
* Replaced ASCII Art.
|
|
* Added support for HTTP/2.0, disabled by default.
|
|
* Changed default footer.
|
|
* Added unpacking SVR.JS in first run.
|
|
* Added checking, if head and foot exists.
|
|
* Optimized directory listing for Lynx text client
|
|
* Modified Server UI.
|
|
* Added new properties of config.json "enableLogging" and "enableDirectoryListing".
|
|
* Added "--clean" and "--reset" arguments.
|
|
* Fixed security vulnerability: The block is only covering part of SVR.JS
|
|
* Fixed bug: Not saving config.json on Linux.
|
|
* Added multi-threading.
|
|
* Deleted "getip" command.
|
|
|
|
## SVR.JS 1.2.2
|
|
|
|
* Fixed bug, which caused mojibake in Unicode files.
|
|
* Fixed bug, which caused SVR.JS to require SSL certificate, even if HTTPS mode is disabled.
|
|
* Fixed bug, which caused SVR.JS to crash, if no mods are loaded.
|
|
* Fixed bug, which caused SVR.JS to display blank directory, if URL is with query.
|
|
|
|
## SVR.JS 1.2.1
|
|
|
|
* Fixed bug, which caused SVR.JS in Ubuntu to not work
|
|
* Added platform showing
|
|
|
|
## SVR.JS 1.2.0
|
|
|
|
* First released version of SVR.JS
|