From 5f7adc98ba2f7e615a315cf9a6d1c352437eb1b9 Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 00:07:24 -0500 Subject: [PATCH 1/8] Update express dependency --- lib/web/webserver.js | 11 ++++++----- package.json | 20 +++++++++++--------- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/lib/web/webserver.js b/lib/web/webserver.js index 61d1332d..3f533f67 100644 --- a/lib/web/webserver.js +++ b/lib/web/webserver.js @@ -9,6 +9,8 @@ var $util = require("../utilities"); var Logger = require("../logger"); var Config = require("../config"); var db = require("../database"); +var bodyParser = require("body-parser"); +var cookieParser = require("cookie-parser"); var httplog = new Logger.Logger(path.join(__dirname, "..", "..", "http.log")); @@ -257,13 +259,13 @@ function static(dir) { return; } - res.sendfile(req.path.replace(/^\//, ""), { + res.sendFile(req.path.replace(/^\//, ""), { maxAge: Config.get("http.cache-ttl") * 1000, root: dir }, function (err) { logRequest(req); if (err) { - res.send(err.status); + res.status(err.status).end(); } }); } catch (e) { @@ -278,9 +280,8 @@ module.exports = { * Initializes webserver callbacks */ init: function (app) { - app.use(express.json()); - app.use(express.urlencoded()); - app.use(express.cookieParser()); + app.use(bodyParser.urlencoded({ extended: false })); + app.use(cookieParser()); if (Config.get("http.minify")) { var cache = path.join(__dirname, "..", "..", "www", "cache") diff --git a/package.json b/package.json index c3aefe54..8223a7f3 100644 --- a/package.json +++ b/package.json 
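Review bot: The replacement for `app.use(express.json())` is missing in the `@@ -278,9 +280,8` hunk — the new lines register only `bodyParser.urlencoded({ extended: false })` and `cookieParser()`, so any route that previously read a JSON request body will now see an empty `req.body`. Whether a client actually posts JSON is not visible in this diff; if one does, add `app.use(bodyParser.json());` beside the urlencoded line, and if none does, a short comment such as `// JSON bodies are intentionally not parsed; all forms post urlencoded` would stop the next reader from re-adding it. `init` continues past the end of the hunk.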
@@ -7,17 +7,19 @@ "url": "http://github.com/calzoneman/sync" }, "dependencies": { - "express": "~3.4.8", "bcrypt": "~0.7.7", - "mysql": "~2.0.1", - "jade": "~1.1.5", - "socket.io": "~0.9.16", - "nodemailer": "~0.6.0", + "body-parser": "^1.6.5", "cookie": "~0.1.0", - "yamljs": "~0.1.4", - "express-minify": "0.0.7", - "q": "^1.0.0", + "cookie-parser": "^1.3.2", + "express": "^4.8.5", + "express-minify": "0.0.11", + "jade": "~1.1.5", "json-typecheck": "^0.1.0", - "oauth": "^0.9.11" + "mysql": "~2.0.1", + "nodemailer": "~0.6.0", + "oauth": "^0.9.11", + "q": "^1.0.0", + "socket.io": "~0.9.16", + "yamljs": "~0.1.4" } } From 020e2326b56083c262c368fde21a1d0d21f22c49 Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 00:21:32 -0500 Subject: [PATCH 2/8] Replace own static and log functions with serve-static and morgan --- lib/web/account.js | 18 -------- lib/web/acp.js | 1 - lib/web/webserver.js | 101 +++++-------------------------------------- package.json | 2 + 4 files changed, 13 insertions(+), 109 deletions(-) diff --git a/lib/web/account.js b/lib/web/account.js index 1b2e0860..1d502dca 100644 --- a/lib/web/account.js +++ b/lib/web/account.js @@ -5,7 +5,6 @@ */ var webserver = require("./webserver"); -var logRequest = webserver.logRequest; var sendJade = require("./jade").sendJade; var Logger = require("../logger"); var db = require("../database"); @@ -21,7 +20,6 @@ function handleAccountEditPage(req, res) { return; } - logRequest(req); var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; @@ -45,7 +43,6 @@ function handleAccountEditPage(req, res) { * Handles a POST request to edit a user"s account */ function handleAccountEdit(req, res) { - logRequest(req); var action = req.body.action; switch(action) { case "change_password": @@ -187,7 +184,6 @@ function handleAccountChannelPage(req, res) { return; } - logRequest(req); var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; 
@@ -221,7 +217,6 @@ function handleAccountChannelPage(req, res) { * Handles a POST request to modify a user"s channels */ function handleAccountChannel(req, res) { - logRequest(req); var action = req.body.action; switch(action) { case "new_channel": @@ -240,7 +235,6 @@ function handleAccountChannel(req, res) { * Handles a request to register a new channel */ function handleNewChannel(req, res) { - logRequest(req); var name = req.body.name; if (typeof name !== "string") { @@ -338,8 +332,6 @@ function handleNewChannel(req, res) { * Handles a request to delete a new channel */ function handleDeleteChannel(req, res) { - logRequest(req); - var name = req.body.name; if (typeof name !== "string") { res.send(400); @@ -429,8 +421,6 @@ function handleAccountProfilePage(req, res) { return; } - logRequest(req); - var loginName = false; if (!req.cookies.auth) { return sendJade(res, "account-profile", { @@ -475,8 +465,6 @@ function handleAccountProfilePage(req, res) { * Handles a POST request to edit a profile */ function handleAccountProfile(req, res) { - logRequest(req); - var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; @@ -535,8 +523,6 @@ function handlePasswordResetPage(req, res) { return; } - logRequest(req); - sendJade(res, "account-passwordreset", { reset: false, resetEmail: "", @@ -548,8 +534,6 @@ function handlePasswordResetPage(req, res) { * Handles a POST request to reset a user's password */ function handlePasswordReset(req, res) { - logRequest(req); - var name = req.body.name, email = req.body.email; @@ -668,8 +652,6 @@ function handlePasswordReset(req, res) { * Handles a request for /account/passwordrecover/ */ function handlePasswordRecover(req, res) { - logRequest(req); - var hash = req.params.hash; if (typeof hash !== "string") { res.send(400); diff --git a/lib/web/acp.js b/lib/web/acp.js index b9dbea9e..9a6ba158 100644 --- a/lib/web/acp.js +++ b/lib/web/acp.js 
@@ -8,7 +8,6 @@ var Config = require("../config"); function checkAdmin(cb) { return function (req, res) { - webserver.logRequest(req); var auth = req.cookies.auth; if (!auth) { res.send(403); diff --git a/lib/web/webserver.js b/lib/web/webserver.js index 3f533f67..43df732e 100644 --- a/lib/web/webserver.js +++ b/lib/web/webserver.js @@ -11,26 +11,8 @@ var Config = require("../config"); var db = require("../database"); var bodyParser = require("body-parser"); var cookieParser = require("cookie-parser"); - -var httplog = new Logger.Logger(path.join(__dirname, "..", "..", "http.log")); - -var suspiciousPath = (/admin|adm|\.\.|\/etc\/passwd|\\x5c|%5c|0x5c|setup|install|php|pma|blog|sql|scripts|aspx?|database/ig); -/** - * Determines whether a request is suspected of being illegitimate - */ -function isSuspicious(req) { - // ZmEu is a penetration script - if (req.header("user-agent") && - req.header("user-agent").toLowerCase() === "zmeu") { - return true; - } - - if (req.path.match(suspiciousPath)) { - return true; - } - - return false; -} +var static = require("serve-static"); +var morgan = require("morgan"); /** * Extracts an IP address from a request. Uses X-Forwarded-For if the IP is localhost @@ -55,22 +37,6 @@ function ipForRequest(req) { return ip; } -/** - * Logs an HTTP request - */ -function logRequest(req, status) { - if (status === undefined) { - status = 200; - } - - httplog.log([ - ipForRequest(req), - req.method, - req.path, - req.header("user-agent") - ].join(" ")); -} - /** * Redirects a request to HTTPS if the server supports it */ @@ -104,14 +70,11 @@ function handleChannel(req, res) { } if (!$util.isValidChannelName(req.params.channel)) { - logRequest(req, 404); res.status(404); res.send("Invalid channel name '" + req.params.channel + "'"); return; } - logRequest(req); - var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; 
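Review bot: `var static = require("serve-static");` in the `@@ -11,26 +11,8` hunk binds a name that is reserved under strict mode, so the first `"use strict"` added to this file (or a later module conversion) will fail to parse; `var serveStatic = require("serve-static");` avoids that, with the call site in the later `@@ -307,7 +230,7` hunk becoming `app.use(serveStatic(path.join(__dirname, "..", "..", "www")));`. The same hunk removes `isSuspicious` and its 403 responses without the commit message saying so; serve-static resolves requests within the configured root, so the pattern list was not what kept file lookups inside `www`, but a one-line comment near the new require, e.g. `// Probe blocking removed: serve-static confines lookups to root and answers 404 for misses`, would record that the drop was deliberate rather than lost.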
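Review bot: In the surviving lines of the `@@ -104,14 +70,11` hunk, `res.send("Invalid channel name '" + req.params.channel + "'")` echoes a value that has just failed `$util.isValidChannelName` into a response that Express serves as `text/html` by default, so whatever characters made the name invalid are handed to the browser as markup. Sending the message as plain text closes that off without changing its wording: `res.status(404).type("text/plain").send("Invalid channel name '" + req.params.channel + "'");` in place of the two `res.status(404); res.send(...)` lines. handleChannel starts before this hunk and continues after it.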
@@ -140,8 +103,6 @@ function handleChannel(req, res) { * Handles a request for the index page */ function handleIndex(req, res) { - logRequest(req); - var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; @@ -167,8 +128,6 @@ function handleIndex(req, res) { * Handles a request for the socket.io information */ function handleSocketConfig(req, res) { - logRequest(req); - res.type("application/javascript"); var sioconfig = Config.get("sioconfig"); @@ -190,8 +149,6 @@ function handleSocketConfig(req, res) { } function handleUserAgreement(req, res) { - logRequest(req); - var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; @@ -205,8 +162,6 @@ function handleUserAgreement(req, res) { } function handleContactPage(req, res) { - logRequest(req); - var loginName = false; if (req.cookies.auth) { loginName = req.cookies.auth.split(":")[0]; @@ -241,40 +196,6 @@ function handleContactPage(req, res) { }); } -function static(dir) { - dir = path.join(__dirname, dir); - return function (req, res) { - try { - if (isSuspicious(req)) { - logRequest(req, 403); - res.status(403); - if (typeof req.header("user-agent") === "string" && - req.header("user-agent").toLowerCase() === "zmeu") { - res.send("This server disallows requests from ZmEu."); - } else { - res.send("The request " + req.method.toUpperCase() + " " + - req.path + " looks pretty fishy to me. Double check that " + - "you typed it correctly."); - } - return; - } - - res.sendFile(req.path.replace(/^\//, ""), { - maxAge: Config.get("http.cache-ttl") * 1000, - root: dir - }, function (err) { - logRequest(req); - if (err) { - res.status(err.status).end(); - } - }); - } catch (e) { - Logger.errlog.log(e); - Logger.errlog.log(e.trace); - } - }; -} - module.exports = { /** * Initializes webserver callbacks 
@@ -282,6 +203,13 @@ module.exports = { init: function (app) { app.use(bodyParser.urlencoded({ extended: false })); app.use(cookieParser()); + app.use(morgan("combined", { + stream: require("fs").createWriteStream(path.join(__dirname, "..", "..", + "http.log"), { + flags: "a", + encoding: "utf-8" + }) + })); if (Config.get("http.minify")) { var cache = path.join(__dirname, "..", "..", "www", "cache") @@ -293,12 +221,7 @@ module.exports = { })); Logger.syslog.log("Enabled express-minify for CSS and JS"); } - /* Order here is important - * Since I placed /r/:channel above *, the function will - * not apply to the /r/:channel route. This prevents - * duplicate logging, since /r/:channel"s callback does - * its own logging - */ + app.get("/r/:channel", handleChannel); app.get("/", handleIndex); app.get("/sioconfig", handleSocketConfig); @@ -307,7 +230,7 @@ module.exports = { require("./auth").init(app); require("./account").init(app); require("./acp").init(app); - app.use(static(path.join("..", "..", "www"))); + app.use(static(path.join(__dirname, "..", "..", "www"))); app.use(function (err, req, res, next) { if (err) { if (err.message && err.message.match(/failed to decode param/i)) { @@ -321,8 +244,6 @@ module.exports = { }); }, - logRequest: logRequest, - ipForRequest: ipForRequest, redirectHttps: redirectHttps, diff --git a/package.json b/package.json index 8223a7f3..b1333a2c 100644 --- a/package.json +++ b/package.json @@ -15,10 +15,12 @@ "express-minify": "0.0.11", "jade": "~1.1.5", "json-typecheck": "^0.1.0", + "morgan": "^1.2.3", "mysql": "~2.0.1", "nodemailer": "~0.6.0", "oauth": "^0.9.11", "q": "^1.0.0", + "serve-static": "^1.5.3", "socket.io": "~0.9.16", "yamljs": "~0.1.4" } From 3d6aaf0e1fc68d17211a82d0f8a2daeba42cae2a Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 00:23:05 -0500 Subject: [PATCH 3/8] Fix a bug with theme.js --- www/js/theme.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
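Review bot: The `fs.createWriteStream` handed to morgan has no `error` listener, so a failure to open or append `http.log` (permissions, full disk) surfaces as an unhandled `error` event on the stream and takes the whole process down at the next request instead of merely losing access logging. The inline `require("fs")` inside `init` is also out of step with the module's top-of-file require block, where every other module is loaded. Separately, morgan's `remote-addr` token comes from `req.ip`, which follows Express's `trust proxy` setting rather than the localhost special case that `ipForRequest` implements, so behind a reverse proxy the log will record the proxy's address unless `trust proxy` is configured somewhere this diff does not show — worth confirming before relying on the file for incident work. With `var fs = require("fs");` hoisted next to the other requires, the excerpt below keeps logging best-effort:
```javascript
  init: function (app) {
    app.use(bodyParser.urlencoded({ extended: false }));
    app.use(cookieParser());
    var httpLogStream = fs.createWriteStream(
      path.join(__dirname, "..", "..", "http.log"),
      { flags: "a", encoding: "utf-8" }
    );
    httpLogStream.on("error", function (err) {
      // Access logging is best-effort: report the failure, do not crash the server.
      Logger.errlog.log(err);
    });
    app.use(morgan("combined", { stream: httpLogStream }));
    // … unchanged: express-minify setup and route registration …
```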
diff --git a/www/js/theme.js b/www/js/theme.js index e5588b0e..0d1e38be 100644 --- a/www/js/theme.js +++ b/www/js/theme.js @@ -11,7 +11,7 @@ } } - if (theme == null || !theme.match(/^\/css\/themes\/\w+.css$/)) { + if (theme == null || !theme.match(/^\/css\/themes\/.+?.css$/)) { return; } From c693e84a46cae6a5c9daa1f45d09a5a0061a80cb Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 00:25:36 -0500 Subject: [PATCH 4/8] Update bcrypt and fix a deprecated reference in auth --- lib/web/auth.js | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/web/auth.js b/lib/web/auth.js index 210efde2..939badd1 100644 --- a/lib/web/auth.js +++ b/lib/web/auth.js @@ -201,7 +201,7 @@ function handleLogout(req, res) { ref = ""; } - var host = req.host; + var host = req.hostname; if (host.indexOf(Config.get("http.root-domain")) !== -1) { res.clearCookie("auth", { domain: Config.get("http.root-domain-dotted") }); res.clearCookie("rank", { domain: Config.get("http.root-domain-dotted") }); diff --git a/package.json b/package.json index b1333a2c..385a9520 100644 --- a/package.json +++ b/package.json @@ -7,7 +7,7 @@ "url": "http://github.com/calzoneman/sync" }, "dependencies": { - "bcrypt": "~0.7.7", + "bcrypt": "^0.8.0", "body-parser": "^1.6.5", "cookie": "~0.1.0", "cookie-parser": "^1.3.2", From 4eb81a84d9103d6b0fed3158a1f02666fb1918a1 Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 00:36:31 -0500 Subject: [PATCH 5/8] Update nodemailer, yamljs, q --- config.template.yaml | 1 - lib/config.js | 2 -- package.json | 8 ++++---- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/config.template.yaml b/config.template.yaml index f148a5ca..64afd7a3 100644 --- a/config.template.yaml +++ b/config.template.yaml @@ -97,7 +97,6 @@ io: # see https://github.com/andris9/Nodemailer mail: enabled: false - transport: 'SMTP' config: service: 'Gmail' auth: 
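Review bot: The widened pattern `/^\/css\/themes\/.+?.css$/` no longer pins `theme` to a single file name: `.+?` accepts any character, including `/` and `.`, and the unescaped `.` before `css` matches any character as well, so the check now amounts to "starts with /css/themes/ and ends with css". If the bug being fixed was that theme names with hyphens were rejected by `\w+`, `/^\/css\/themes\/[\w-]+\.css$/` admits those while still rejecting path separators and enforcing the literal `.css` suffix. How `theme` is obtained and what it is applied to are outside the hunk, as is the enclosing function's start and end.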
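Review bot: In the auth.js hunk, `req.hostname` is `undefined` on a request that carries no Host header (Express's getter returns nothing in that case), so the next line `host.indexOf(...)` throws a TypeError and the logout becomes a 500; `var host = req.hostname || "";` keeps such requests on the non-matching branch instead of crashing. The host value is client-supplied either way and `indexOf` is a substring test, so any hostname that merely contains the root domain satisfies it; if the intent is "this host or a subdomain of it", an exact or dot-suffix comparison against `Config.get("http.root-domain")` is the more precise check. handleLogout starts before this hunk and continues after it.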
diff --git a/lib/config.js b/lib/config.js index 24fe7888..d489c302 100644 --- a/lib/config.js +++ b/lib/config.js @@ -59,7 +59,6 @@ var defaults = { }, mail: { enabled: false, - transport: "SMTP", /* the key "config" is omitted because the format depends on the service the owner is configuring for nodemailer */ "from-address": "some.user@gmail.com" @@ -215,7 +214,6 @@ function preprocessConfig(cfg) { // Setup nodemailer cfg.mail.nodemailer = nodemailer.createTransport( - cfg.mail.transport, cfg.mail.config ); diff --git a/package.json b/package.json index 385a9520..86a8d62c 100644 --- a/package.json +++ b/package.json @@ -16,12 +16,12 @@ "jade": "~1.1.5", "json-typecheck": "^0.1.0", "morgan": "^1.2.3", - "mysql": "~2.0.1", - "nodemailer": "~0.6.0", + "mysql": "^2.4.2", + "nodemailer": "^1.2.0", "oauth": "^0.9.11", - "q": "^1.0.0", + "q": "^1.0.1", "serve-static": "^1.5.3", "socket.io": "~0.9.16", - "yamljs": "~0.1.4" + "yamljs": "^0.1.5" } } From 6dfeab9657aa05e91f3c7c71e04dd26d892652b2 Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 00:46:30 -0500 Subject: [PATCH 6/8] Update rest of dependencies --- lib/io/ioserver.js | 23 ++++++++++++----------- package.json | 5 ++--- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/lib/io/ioserver.js b/lib/io/ioserver.js index 8c8b2b94..09cb12b4 100644 --- a/lib/io/ioserver.js +++ b/lib/io/ioserver.js @@ -1,5 +1,5 @@ var sio = require("socket.io"); -var parseCookie = require("cookie").parse; +var cookieParser = require("cookie-parser")(); var Logger = require("../logger"); var db = require("../database"); var User = require("../user"); 
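Review bot: Dropping `transport` from the defaults and from the `createTransport` call means an existing config file that still carries `mail.transport: 'SMTP'` (the value the template shipped until this series) is now accepted and silently ignored, which is harmless for SMTP but gives no signal to an operator who had selected a different transport. A one-line warning from `preprocessConfig` when `cfg.mail.transport` is present, saying that the key is no longer used and the transport is now chosen from `mail.config`, would make the format change visible at startup. `preprocessConfig` starts outside this hunk, so I cannot tell whether the nodemailer setup is skipped when `mail.enabled` is false.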
@@ -29,16 +29,17 @@ var ipCount = {}; function handleAuth(data, accept) { data.user = false; if (data.headers.cookie) { - data.cookie = parseCookie(data.headers.cookie); - var auth = data.cookie.auth; - db.users.verifyAuth(auth, function (err, user) { - if (!err) { - data.user = { - name: user.name, - global_rank: user.global_rank - }; - } - accept(null, true); + cookieParser(data, null, function () { + var auth = data.cookies.auth; + db.users.verifyAuth(auth, function (err, user) { + if (!err) { + data.user = { + name: user.name, + global_rank: user.global_rank + }; + } + accept(null, true); + }); }); } else { accept(null, true); diff --git a/package.json b/package.json index 86a8d62c..00acf4fa 100644 --- a/package.json +++ b/package.json @@ -9,16 +9,15 @@ "dependencies": { "bcrypt": "^0.8.0", "body-parser": "^1.6.5", - "cookie": "~0.1.0", "cookie-parser": "^1.3.2", "express": "^4.8.5", "express-minify": "0.0.11", - "jade": "~1.1.5", + "jade": "^1.5.0", "json-typecheck": "^0.1.0", "morgan": "^1.2.3", "mysql": "^2.4.2", "nodemailer": "^1.2.0", - "oauth": "^0.9.11", + "oauth": "^0.9.12", "q": "^1.0.1", "serve-static": "^1.5.3", "socket.io": "~0.9.16", From ae42ac9c568218b3a93bba50c58aad3318e93b7e Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 00:52:50 -0500 Subject: [PATCH 7/8] Remove ghost httpaccess.log file --- lib/server.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/lib/server.js b/lib/server.js index 1282145b..9f5800e0 100644 --- a/lib/server.js +++ b/lib/server.js @@ -53,7 +53,6 @@ var Server = function () { self.db = null; self.api = null; self.announcement = null; - self.httplog = null; self.infogetter = null; self.servers = {}; self.ioServers = {}; @@ -64,8 +63,6 @@ var Server = function () { self.db.init(); // webserver init ----------------------------------------------------- - self.httplog = new Logger.Logger(path.join(__dirname, - "../httpaccess.log")); self.express = express(); require("./web/webserver").init(self.express); 
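Review bot: `cookieParser(data, null, function () {` runs an Express middleware against a socket.io handshake object as `req` with `null` as `res`; that works only as long as cookie-parser never touches its second argument, which as far as I can tell the pinned version does not, so a future cookie-parser update could turn the handshake into a TypeError. Passing an empty object, `cookieParser(data, {}, function () {`, removes the dependency on that detail at no cost. The `next` callback also ignores any error argument, so if parsing ever failed the handshake would proceed with `data.cookies` in whatever state the parser left it; a leading `function (err) { if (err || !data.cookies) { return accept(null, true); }` keeps the degraded path identical to the no-cookie branch below. handleAuth continues past the end of the hunk.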
From 088c547522635914d32dbc8a044ca77a31e8cf99 Mon Sep 17 00:00:00 2001 From: calzoneman Date: Tue, 19 Aug 2014 22:27:59 -0500 Subject: [PATCH 8/8] Update dependencies - execute npm update && npm rebuild after pulling --- lib/server.js | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/server.js b/lib/server.js index 9f5800e0..86a44dcb 100644 --- a/lib/server.js +++ b/lib/server.js @@ -9,7 +9,7 @@ The above copyright notice and this permission notice shall be included in all c THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ -const VERSION = "3.4.0"; +const VERSION = "3.5.0"; var singleton = null; var Config = require("./config"); diff --git a/package.json b/package.json index 00acf4fa..2ede3b54 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "author": "Calvin Montgomery", "name": "CyTube", "description": "Online media synchronizer and chat", - "version": "3.4.0", + "version": "3.5.0", "repository": { "url": "http://github.com/calzoneman/sync" },