3.17.3

closes #2359

History.md

@@ -1,3 +1,107 @@
+3.17.3 / 2014-09-18
+===================
+
+  * deps: proxy-addr@~1.0.2
+    - Fix a global leak when multiple subnets are trusted
+    - deps: ipaddr.js@0.1.3
+
+3.17.2 / 2014-09-15
+===================
+
+  * Use `crc` instead of `buffer-crc32` for speed
+  * deps: connect@2.26.1
+    - deps: body-parser@~1.8.2
+    - deps: depd@0.4.5
+    - deps: express-session@~1.8.2
+    - deps: morgan@~1.3.1
+    - deps: serve-favicon@~2.1.3
+    - deps: serve-static@~1.6.2
+  * deps: depd@0.4.5
+  * deps: send@0.9.2
+    - deps: depd@0.4.5
+    - deps: etag@~1.3.1
+    - deps: range-parser@~1.0.2
+
+3.17.1 / 2014-09-08
+===================
+
+  * Fix error in `req.subdomains` on empty host
+
+3.17.0 / 2014-09-08
+===================
+
+  * Support IP address host in `req.subdomains`
+  * deps: connect@2.26.0
+    - deps: body-parser@~1.8.1
+    - deps: compression@~1.1.0
+    - deps: connect-timeout@~1.3.0
+    - deps: cookie-parser@~1.3.3
+    - deps: cookie-signature@1.0.5
+    - deps: csurf@~1.6.1
+    - deps: debug@~2.0.0
+    - deps: errorhandler@~1.2.0
+    - deps: express-session@~1.8.1
+    - deps: finalhandler@0.2.0
+    - deps: fresh@0.2.4
+    - deps: media-typer@0.3.0
+    - deps: method-override@~2.2.0
+    - deps: morgan@~1.3.0
+    - deps: qs@2.2.3
+    - deps: serve-favicon@~2.1.3
+    - deps: serve-index@~1.2.1
+    - deps: serve-static@~1.6.1
+    - deps: type-is@~1.5.1
+    - deps: vhost@~3.0.0
+  * deps: cookie-signature@1.0.5
+  * deps: debug@~2.0.0
+  * deps: fresh@0.2.4
+  * deps: media-typer@0.3.0
+    - Throw error when parameter format invalid on parse
+  * deps: range-parser@~1.0.2
+  * deps: send@0.9.1
+    - Add `lastModified` option
+    - Use `etag` to generate `ETag` header
+    - deps: debug@~2.0.0
+    - deps: fresh@0.2.4
+  * deps: vary@~1.0.0
+    - Accept valid `Vary` header string as `field`
+
+3.16.10 / 2014-09-04
+====================
+
+  * deps: connect@2.25.10
+    - deps: serve-static@~1.5.4
+  * deps: send@0.8.5
+    - Fix a path traversal issue when using `root`
+    - Fix malicious path detection for empty string path
+
+3.16.9 / 2014-08-29
+===================
+
+  * deps: connect@2.25.9
+    - deps: body-parser@~1.6.7
+    - deps: qs@2.2.2
+
+3.16.8 / 2014-08-27
+===================
+
+  * deps: connect@2.25.8
+    - deps: body-parser@~1.6.6
+    - deps: csurf@~1.4.1
+    - deps: qs@2.2.0
+
+3.16.7 / 2014-08-18
+===================
+
+  * deps: connect@2.25.7
+    - deps: body-parser@~1.6.5
+    - deps: express-session@~1.7.6
+    - deps: morgan@~1.2.3
+    - deps: serve-static@~1.5.3
+  * deps: send@0.8.3
+    - deps: destroy@1.0.3
+    - deps: on-finished@2.1.0
+
 3.16.6 / 2014-08-14
 ===================
 

Readme.md

@@ -2,10 +2,10 @@
 
   Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
 
-  [![NPM version](https://badge.fury.io/js/express.svg)](http://badge.fury.io/js/express)
-  [![Build Status](https://travis-ci.org/visionmedia/express.svg?branch=master)](https://travis-ci.org/visionmedia/express)
-  [![Coverage Status](https://img.shields.io/coveralls/visionmedia/express.svg)](https://coveralls.io/r/visionmedia/express)
-  [![Gittip](http://img.shields.io/gittip/dougwilson.svg)](https://www.gittip.com/dougwilson/)
+  [![NPM version](https://img.shields.io/npm/v/express.svg?style=flat)](https://www.npmjs.org/package/express)
+  [![Build Status](https://img.shields.io/travis/strongloop/express.svg?style=flat)](https://travis-ci.org/strongloop/express)
+  [![Coverage Status](https://img.shields.io/coveralls/strongloop/express.svg?style=flat)](https://coveralls.io/r/strongloop/express)
+  [![Gittip](https://img.shields.io/gittip/dougwilson.svg?style=flat)](https://www.gittip.com/dougwilson/)
 
 ```js
 var express = require('express');
@@ -65,11 +65,11 @@ app.listen(3000);
 
 ## More Information
 
-  * [Website and Documentation](http://expressjs.com/) stored at [visionmedia/expressjs.com](https://github.com/visionmedia/expressjs.com)
+  * [Website and Documentation](http://expressjs.com/) stored at [strongloop/expressjs.com](https://github.com/strongloop/expressjs.com)
   * Join #express on freenode
   * [Google Group](http://groups.google.com/group/express-js) for discussion
   * Follow [tjholowaychuk](http://twitter.com/tjholowaychuk) on twitter for updates
-  * Visit the [Wiki](http://github.com/visionmedia/express/wiki)
+  * Visit the [Wiki](http://github.com/strongloop/express/wiki)
   * [Русскоязычная документация](http://jsman.ru/express/)
   * Run express examples [online](https://runnable.com/express)
 
@@ -77,7 +77,7 @@ app.listen(3000);
 
 Clone the Express repo, then install the dev dependencies to install all the example / test suite dependencies:
 
-    $ git clone git://github.com/visionmedia/express.git --depth 1
+    $ git clone git://github.com/strongloop/express.git --depth 1
     $ cd express
     $ npm install
 
@@ -103,7 +103,7 @@ $ npm test
 
 ## Contributors
 
-  https://github.com/visionmedia/express/graphs/contributors
+  https://github.com/strongloop/express/graphs/contributors
 
 ## License
 

examples/view-constructor/github-view.js

@@ -35,13 +35,13 @@ function GithubView(name, options){
 GithubView.prototype.render = function(options, fn){
   var self = this;
   var opts = {
-    host: 'rawgithub.com',
-    port: 80,
+    host: 'raw.githubusercontent.com',
+    port: 443,
     path: this.path,
     method: 'GET'
   };
 
-  http.request(opts, function(res) {
+  https.request(opts, function(res) {
     var buf = '';
     res.setEncoding('utf8');
     res.on('data', function(str){ buf += str });

examples/view-constructor/index.js

@@ -24,7 +24,7 @@ app.engine('md', function(str, options, fn){
 })
 
 // pointing to a particular github repo to load files from it
-app.set('views', 'visionmedia/express');
+app.set('views', 'strongloop/express');
 
 // register a new view constructor
 app.set('view', GithubView);
@@ -37,7 +37,7 @@ app.get('/', function(req, res){
 })
 
 app.get('/Readme.md', function(req, res){
-  // rendering a view from https://github.com/visionmedia/express/blob/master/Readme.md
+  // rendering a view from https://github.com/strongloop/express/blob/master/Readme.md
   res.render('Readme.md');
 })
 

examples/web-service/index.js

@@ -73,7 +73,7 @@ var apiKeys = ['foo', 'bar', 'baz'];
 // these two objects will serve as our faux database
 
 var repos = [
-    { name: 'express', url: 'http://github.com/visionmedia/express' }
+    { name: 'express', url: 'http://github.com/strongloop/express' }
   , { name: 'stylus', url: 'http://github.com/learnboost/stylus' }
   , { name: 'cluster', url: 'http://github.com/learnboost/cluster' }
 ];

lib/request.js

@@ -13,6 +13,7 @@ var http = require('http')
   , parse = require('parseurl')
   , proxyaddr = require('proxy-addr')
   , mime = connect.mime;
+var isIP = require('net').isIP;
 
 /**
  * Request prototype.
@@ -452,11 +453,16 @@ req.__defineGetter__('auth', function(){
  */
 
 req.__defineGetter__('subdomains', function(){
+  var host = this.host;
+
+  if (!host) return [];
+
   var offset = this.app.get('subdomain offset');
-  return (this.host || '')
-    .split('.')
-    .reverse()
-    .slice(offset);
+  var subdomains = !isIP(host)
+    ? host.split('.').reverse()
+    : [host];
+
+  return subdomains.slice(offset);
 });
 
 /**

lib/utils.js

@@ -3,9 +3,9 @@
  * Module dependencies.
  */
 
+var crc = require('crc').crc32;
 var mime = require('connect').mime
   , proxyaddr = require('proxy-addr')
-  , crc32 = require('buffer-crc32')
   , crypto = require('crypto');
 var typer = require('media-typer');
 
@@ -56,7 +56,7 @@ exports.wetag = function wetag(body, encoding){
     ? body
     : new Buffer(body, encoding)
   var len = buf.length
-  return 'W/"' + len.toString(16) + '-' + crc32.unsigned(buf) + '"'
+  return 'W/"' + len.toString(16) + '-' + crc(buf) + '"'
 };
 
 /**

package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Sinatra inspired web development framework",
-  "version": "3.16.6",
+  "version": "3.17.3",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -22,36 +22,37 @@
     "app",
     "api"
   ],
-  "repository": "visionmedia/express",
+  "repository": "strongloop/express",
   "license": "MIT",
+  "homepage": "http://expressjs.com/",
   "dependencies": {
     "basic-auth": "1.0.0",
-    "buffer-crc32": "0.2.3",
-    "connect": "2.25.6",
+    "connect": "2.26.1",
     "commander": "1.3.2",
-    "debug": "1.0.4",
-    "depd": "0.4.4",
+    "cookie-signature": "1.0.5",
+    "crc": "3.0.0",
+    "debug": "~2.0.0",
+    "depd": "0.4.5",
     "escape-html": "1.0.1",
-    "media-typer": "0.2.0",
+    "fresh": "0.2.4",
+    "media-typer": "0.3.0",
     "methods": "1.1.0",
     "mkdirp": "0.5.0",
     "parseurl": "~1.3.0",
-    "proxy-addr": "1.0.1",
-    "range-parser": "1.0.0",
-    "send": "0.8.2",
-    "vary": "0.1.0",
+    "proxy-addr": "~1.0.2",
+    "range-parser": "~1.0.2",
+    "send": "0.9.2",
+    "vary": "~1.0.0",
     "cookie": "0.1.2",
-    "fresh": "0.2.2",
-    "cookie-signature": "1.0.4",
     "merge-descriptors": "0.0.2"
   },
   "devDependencies": {
     "connect-redis": "~1.5.0",
-    "istanbul": "0.3.0",
+    "istanbul": "0.3.2",
     "mocha": "~1.21.4",
     "should": "~4.0.0",
     "ejs": "~1.0.0",
-    "jade": "~1.5.0",
+    "jade": "~1.6.0",
     "hjs": "~0.0.6",
     "marked": "0.3.2",
     "supertest": "~0.13.0"
@@ -66,6 +67,7 @@
     "prepublish": "npm prune",
     "test": "mocha --require test/support/env --reporter dot --check-leaks test/ test/acceptance/",
     "test-cov": "istanbul cover node_modules/mocha/bin/_mocha -- --require test/support/env --reporter dot --check-leaks test/ test/acceptance/",
+    "test-tap": "mocha --require test/support/env --reporter tap --check-leaks test/ test/acceptance/",
     "test-travis": "istanbul cover node_modules/mocha/bin/_mocha --report lcovonly -- --require test/support/env --reporter spec --check-leaks test/ test/acceptance/"
   }
 }

test/acceptance/web-service.js

@@ -53,7 +53,7 @@ describe('web-service', function(){
         .get('/api/repos?api-key=foo')
         .expect('Content-Type', 'application/json; charset=utf-8')
         .expect(/"name":"express"/)
-        .expect(/"url":"http:\/\/github.com\/visionmedia\/express"/)
+        .expect(/"url":"http:\/\/github.com\/strongloop\/express"/)
         .expect(200, done)
       })
     })

test/req.ip.js

@@ -45,10 +45,9 @@ describe('req', function(){
             res.send(req.ip);
           });
 
-          request(app)
-          .get('/')
-          .set('X-Forwarded-For', 'client, p1, p2')
-          .expect('127.0.0.1', done);
+          var test = request(app).get('/')
+          test.set('X-Forwarded-For', 'client, p1, p2')
+          test.expect(200, getExpectedClientAddress(test._server), done);
         })
       })
     })
@@ -63,10 +62,19 @@ describe('req', function(){
           res.send(req.ip);
         });
 
-        request(app)
-        .get('/')
-        .expect('127.0.0.1', done);
+          var test = request(app).get('/')
+          test.expect(200, getExpectedClientAddress(test._server), done);
       })
     })
   })
 })
+
+/**
+ * Get the local client address depending on AF_NET of server
+ */
+
+function getExpectedClientAddress(server) {
+  return server.address().address === '::'
+    ? '::ffff:127.0.0.1'
+    : '127.0.0.1';
+}

test/req.subdomains.js

@@ -15,7 +15,33 @@ describe('req', function(){
         request(app)
         .get('/')
         .set('Host', 'tobi.ferrets.example.com')
-        .expect(["ferrets","tobi"], done);
+        .expect(200, ['ferrets', 'tobi'], done);
+      })
+
+      it('should work with IPv4 address', function(done){
+        var app = express();
+
+        app.use(function(req, res){
+          res.send(req.subdomains);
+        });
+
+        request(app)
+        .get('/')
+        .set('Host', '127.0.0.1')
+        .expect(200, [], done);
+      })
+
+      it('should work with IPv6 address', function(done){
+        var app = express();
+
+        app.use(function(req, res){
+          res.send(req.subdomains);
+        });
+
+        request(app)
+        .get('/')
+        .set('Host', '[::1]')
+        .expect(200, [], done);
       })
     })
 
@@ -30,7 +56,7 @@ describe('req', function(){
         request(app)
         .get('/')
         .set('Host', 'example.com')
-        .expect([], done);
+        .expect(200, [], done);
       })
     })
 
@@ -45,7 +71,23 @@ describe('req', function(){
 
         request(app)
         .get('/')
-        .expect([], done);
+        .expect(200, [], done);
+      })
+    })
+
+    describe('with trusted X-Forwarded-Host', function () {
+      it('should return an array', function (done) {
+        var app = express();
+
+        app.set('trust proxy', true);
+        app.use(function (req, res) {
+          res.send(req.subdomains);
+        });
+
+        request(app)
+        .get('/')
+        .set('X-Forwarded-Host', 'tobi.ferrets.example.com')
+        .expect(200, ['ferrets', 'tobi'], done);
       })
     })
 
@@ -62,7 +104,35 @@ describe('req', function(){
           request(app)
           .get('/')
           .set('Host', 'tobi.ferrets.sub.example.com')
-          .expect(["com","example","sub","ferrets","tobi"], done);
+          .expect(200, ['com', 'example', 'sub', 'ferrets', 'tobi'], done);
+        })
+
+        it('should return an array with the whole IPv4', function (done) {
+          var app = express();
+          app.set('subdomain offset', 0);
+
+          app.use(function(req, res){
+            res.send(req.subdomains);
+          });
+
+          request(app)
+          .get('/')
+          .set('Host', '127.0.0.1')
+          .expect(200, ['127.0.0.1'], done);
+        })
+
+        it('should return an array with the whole IPv6', function (done) {
+          var app = express();
+          app.set('subdomain offset', 0);
+
+          app.use(function(req, res){
+            res.send(req.subdomains);
+          });
+
+          request(app)
+          .get('/')
+          .set('Host', '[::1]')
+          .expect(200, ['[::1]'], done);
         })
       })
 
@@ -78,7 +148,7 @@ describe('req', function(){
           request(app)
           .get('/')
           .set('Host', 'tobi.ferrets.sub.example.com')
-          .expect(["ferrets","tobi"], done);
+          .expect(200, ['ferrets', 'tobi'], done);
         })
       })
 
@@ -94,7 +164,7 @@ describe('req', function(){
           request(app)
           .get('/')
           .set('Host', 'sub.example.com')
-          .expect([], done);
+          .expect(200, [], done);
         })
       })
     })