3.15.0

fixes #2252

History.md

@@ -1,3 +1,61 @@
+3.15.0 / 2014-07-22
+===================
+
+  * Fix `req.protocol` for proxy-direct connections
+  * Pass options from `res.sendfile` to `send`
+  * deps: connect@2.24.0
+    - deps: body-parser@~1.5.0
+    - deps: compression@~1.0.9
+    - deps: connect-timeout@~1.2.1
+    - deps: debug@1.0.4
+    - deps: depd@0.4.2
+    - deps: express-session@~1.7.0
+    - deps: finalhandler@0.1.0
+    - deps: method-override@~2.1.2
+    - deps: morgan@~1.2.0
+    - deps: multiparty@3.3.1
+    - deps: parseurl@~1.2.0
+    - deps: serve-static@~1.4.0
+  * deps: debug@1.0.4
+  * deps: depd@0.4.2
+    - Add `TRACE_DEPRECATION` environment variable
+    - Remove non-standard grey color from color output
+    - Support `--no-deprecation` argument
+    - Support `--trace-deprecation` argument
+  * deps: parseurl@~1.2.0
+    - Cache URLs based on original value
+    - Remove no-longer-needed URL mis-parse work-around
+    - Simplify the "fast-path" `RegExp`
+  * deps: send@0.7.0
+    - Add `dotfiles` option
+    - Cap `maxAge` value to 1 year
+    - deps: debug@1.0.4
+    - deps: depd@0.4.2
+
+3.14.0 / 2014-07-11
+===================
+
+ * add explicit "Rosetta Flash JSONP abuse" protection
+   - previous versions are not vulnerable; this is just explicit protection
+ * deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead
+ * fix `res.send(status, num)` to send `num` as json (not error)
+ * remove unnecessary escaping when `res.jsonp` returns JSON response
+ * deps: basic-auth@1.0.0
+   - support empty password
+   - support empty username
+ * deps: connect@2.23.0
+   - deps: debug@1.0.3
+   - deps: express-session@~1.6.4
+   - deps: method-override@~2.1.0
+   - deps: parseurl@~1.1.3
+   - deps: serve-static@~1.3.1
+  * deps: debug@1.0.3
+    - Add support for multiple wildcards in namespaces
+  * deps: methods@1.1.0
+    - add `CONNECT`
+  * deps: parseurl@~1.1.3
+    - faster parsing of href-only URLs
+
 3.13.0 / 2014-07-03
 ===================
 

Readme.md

@@ -2,7 +2,10 @@
 
   Fast, unopinionated, minimalist web framework for [node](http://nodejs.org).
 
-  [![NPM version](https://badge.fury.io/js/express.svg)](http://badge.fury.io/js/express) [![Build Status](https://travis-ci.org/visionmedia/express.svg?branch=master)](https://travis-ci.org/visionmedia/express) [![Coverage Status](https://img.shields.io/coveralls/visionmedia/express.svg)](https://coveralls.io/r/visionmedia/express) [![Gittip](http://img.shields.io/gittip/visionmedia.svg)](https://www.gittip.com/visionmedia/)
+  [![NPM version](https://badge.fury.io/js/express.svg)](http://badge.fury.io/js/express)
+  [![Build Status](https://travis-ci.org/visionmedia/express.svg?branch=master)](https://travis-ci.org/visionmedia/express)
+  [![Coverage Status](https://img.shields.io/coveralls/visionmedia/express.svg)](https://coveralls.io/r/visionmedia/express)
+  [![Gittip](http://img.shields.io/gittip/dougwilson.svg)](https://www.gittip.com/dougwilson/)
 
 ```js
 var express = require('express');

lib/request.js

@@ -341,7 +341,9 @@ req.is = function(type){
  * Return the protocol string "http" or "https"
  * when requested with TLS. When the "trust proxy"
  * setting trusts the socket address, the
- * "X-Forwarded-Proto" header field will be trusted.
+ * "X-Forwarded-Proto" header field will be trusted
+ * and used if present.
+ *
  * If you're running behind a reverse proxy that
  * supplies https for you this may be enabled.
  *
@@ -350,17 +352,18 @@ req.is = function(type){
  */
 
 req.__defineGetter__('protocol', function(){
+  var proto = this.connection.encrypted
+    ? 'https'
+    : 'http';
   var trust = this.app.get('trust proxy fn');
 
   if (!trust(this.connection.remoteAddress)) {
-    return this.connection.encrypted
-      ? 'https'
-      : 'http';
+    return proto;
   }
 
   // Note: X-Forwarded-Proto is normally only ever a
   //       single value, but this is to be safe.
-  var proto = this.get('X-Forwarded-Proto') || 'http';
+  proto = this.get('X-Forwarded-Proto') || proto;
   return proto.split(/\s*,\s*/)[0];
 });
 

lib/response.js

@@ -103,13 +103,15 @@ res.send = function(body){
     }
   }
 
+  // disambiguate res.send(status) and res.send(status, num)
+  if (typeof body === 'number' && arguments.length === 1) {
+    // res.send(status) will set status message as text string
+    this.get('Content-Type') || this.type('txt');
+    this.statusCode = body;
+    body = http.STATUS_CODES[body];
+  }
+
   switch (typeof body) {
-    // response status
-    case 'number':
-      this.get('Content-Type') || this.type('txt');
-      this.statusCode = body;
-      body = http.STATUS_CODES[body];
-      break;
     // string defaulting to html
     case 'string':
       if (!this.get('Content-Type')) {
@@ -118,6 +120,7 @@ res.send = function(body){
       }
       break;
     case 'boolean':
+    case 'number':
     case 'object':
       if (null == body) {
         body = '';
@@ -257,14 +260,15 @@ res.jsonp = function(obj){
   var app = this.app;
   var replacer = app.get('json replacer');
   var spaces = app.get('json spaces');
-  var body = JSON.stringify(obj, replacer, spaces)
-    .replace(/\u2028/g, '\\u2028')
-    .replace(/\u2029/g, '\\u2029');
+  var body = JSON.stringify(obj, replacer, spaces);
   var callback = this.req.query[app.get('jsonp callback name')];
 
   // content-type
-  this.charset = this.charset || 'utf-8';
-  this.get('Content-Type') || this.set('Content-Type', 'application/json');
+  if (!this.get('Content-Type')) {
+    this.charset = 'utf-8';
+    this.set('X-Content-Type-Options', 'nosniff');
+    this.set('Content-Type', 'application/json');
+  }
 
   // fixup callback
   if (Array.isArray(callback)) {
@@ -272,10 +276,22 @@ res.jsonp = function(obj){
   }
 
   // jsonp
-  if (callback && 'string' === typeof callback) {
+  if (typeof callback === 'string' && callback.length !== 0) {
+    this.charset = 'utf-8';
+    this.set('X-Content-Type-Options', 'nosniff');
     this.set('Content-Type', 'text/javascript');
-    var cb = callback.replace(/[^\[\]\w$.]/g, '');
-    body = 'typeof ' + cb + ' === \'function\' && ' + cb + '(' + body + ');';
+
+    // restrict callback charset
+    callback = callback.replace(/[^\[\]\w$.]/g, '');
+
+    // replace chars not allowed in JavaScript that are in JSON
+    body = body
+      .replace(/\u2028/g, '\\u2028')
+      .replace(/\u2029/g, '\\u2029');
+
+    // the /**/ is a specific security mitigation for "Rosetta Flash JSONP abuse"
+    // the typeof check is just to reduce client error noise
+    body = '/**/ typeof ' + callback + ' === \'function\' && ' + callback + '(' + body + ');';
   }
 
   return this.send(body);
@@ -292,8 +308,11 @@ res.jsonp = function(obj){
  *
  * Options:
  *
- *   - `maxAge` defaulting to 0
- *   - `root`   root directory for relative filenames
+ *   - `maxAge`   defaulting to 0
+ *   - `root`     root directory for relative filenames
+ *   - `dotfiles` serve dotfiles, defaulting to false; can be `"allow"` to send them
+ *
+ * Other options are passed along to `send`.
  *
  * Examples:
  *
@@ -369,9 +388,7 @@ res.sendfile = function(path, options, fn){
   }
 
   // transfer
-  var file = send(req, path);
-  if (options.root) file.root(options.root);
-  file.maxage(options.maxAge || 0);
+  var file = send(req, path, options);
   file.on('error', error);
   file.on('directory', next);
   file.on('stream', stream);
@@ -704,11 +721,8 @@ res.location = function(url){
  *    res.redirect('/foo/bar');
  *    res.redirect('http://example.com');
  *    res.redirect(301, 'http://example.com');
- *    res.redirect('http://example.com', 301);
  *    res.redirect('../login'); // /blog/post/1 -> /blog/login
  *
- * @param {String} url
- * @param {Number} code
  * @api public
  */
 
@@ -723,6 +737,7 @@ res.redirect = function(url){
       status = url;
       url = arguments[1];
     } else {
+      deprecate('res.redirect(ur, status): Use res.redirect(status, url) instead');
       status = arguments[1];
     }
   }

package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Sinatra inspired web development framework",
-  "version": "3.13.0",
+  "version": "3.15.0",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -25,20 +25,20 @@
   "repository": "visionmedia/express",
   "license": "MIT",
   "dependencies": {
-    "basic-auth": "0.0.1",
+    "basic-auth": "1.0.0",
     "buffer-crc32": "0.2.3",
-    "connect": "2.22.0",
+    "connect": "2.24.0",
     "commander": "1.3.2",
-    "debug": "1.0.2",
-    "depd": "0.3.0",
+    "debug": "1.0.4",
+    "depd": "0.4.2",
     "escape-html": "1.0.1",
     "media-typer": "0.2.0",
-    "methods": "1.0.1",
+    "methods": "1.1.0",
     "mkdirp": "0.5.0",
-    "parseurl": "1.0.1",
+    "parseurl": "~1.2.0",
     "proxy-addr": "1.0.1",
     "range-parser": "1.0.0",
-    "send": "0.5.0",
+    "send": "0.7.0",
     "vary": "0.1.0",
     "cookie": "0.1.2",
     "fresh": "0.2.2",
@@ -46,7 +46,7 @@
     "merge-descriptors": "0.0.2"
   },
   "devDependencies": {
-    "istanbul": "0.2.12",
+    "istanbul": "0.3.0",
     "mocha": "~1.20.0",
     "should": "~4.0.0",
     "ejs": "~1.0.0",

test/fixtures/.name

@@ -0,0 +1 @@
+tobi

test/req.protocol.js

@@ -32,6 +32,21 @@ describe('req', function(){
         .expect('https', done);
       })
 
+      it('should default to the socket addr if X-Forwarded-Proto not present', function(done){
+        var app = express();
+
+        app.enable('trust proxy');
+
+        app.use(function(req, res){
+          req.connection.encrypted = true;
+          res.end(req.protocol);
+        });
+
+        request(app)
+        .get('/')
+        .expect('https', done);
+      })
+
       it('should ignore X-Forwarded-Proto if socket addr not trusted', function(done){
         var app = express();
 

test/res.jsonp.js

@@ -14,11 +14,8 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=something')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof something === \'function\' && something({"count":1});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /something\(\{"count":1\}\);/, done);
     })
 
     it('should use first callback parameter with jsonp', function(done){
@@ -29,12 +26,9 @@ describe('res', function(){
       });
 
       request(app)
-          .get('/?callback=something&callback=somethingelse')
-          .end(function(err, res){
-            res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-            res.text.should.equal('typeof something === \'function\' && something({"count":1});');
-            done();
-          })
+      .get('/?callback=something&callback=somethingelse')
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /something\(\{"count":1\}\);/, done);
     })
 
     it('should ignore object callback parameter with jsonp', function(done){
@@ -61,11 +55,8 @@ describe('res', function(){
 
       request(app)
       .get('/?clb=something')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof something === \'function\' && something({"count":1});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /something\(\{"count":1\}\);/, done);
     })
 
     it('should allow []', function(done){
@@ -77,11 +68,8 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=callbacks[123]')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof callbacks[123] === \'function\' && callbacks[123]({"count":1});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /callbacks\[123\]\(\{"count":1\}\);/, done);
     })
 
     it('should disallow arbitrary js', function(done){
@@ -93,11 +81,8 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=foo;bar()')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof foobar === \'function\' && foobar({});');
-        done();
-      })
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /foobar\(\{\}\);/, done);
     })
 
     it('should escape utf whitespace', function(done){
@@ -109,13 +94,37 @@ describe('res', function(){
 
       request(app)
       .get('/?callback=foo')
-      .end(function(err, res){
-        res.headers.should.have.property('content-type', 'text/javascript; charset=utf-8');
-        res.text.should.equal('typeof foo === \'function\' && foo({"str":"\\u2028 \\u2029 woot"});');
-        done();
-      });
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect(200, /foo\(\{"str":"\\u2028 \\u2029 woot"\}\);/, done);
     });
 
+    it('should not escape utf whitespace for json fallback', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.jsonp({ str: '\u2028 \u2029 woot' });
+      });
+
+      request(app)
+      .get('/')
+      .expect('Content-Type', 'application/json; charset=utf-8')
+      .expect(200, '{"str":"\u2028 \u2029 woot"}', done);
+    });
+
+    it('should include security header and prologue', function (done) {
+      var app = express();
+
+      app.use(function(req, res){
+        res.jsonp({ count: 1 });
+      });
+
+      request(app)
+      .get('/?callback=something')
+      .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect('X-Content-Type-Options', 'nosniff')
+      .expect(200, /^\/\*\*\//, done);
+    })
+
     it('should not override previous Content-Types with no callback', function(done){
       var app = express();
 
@@ -127,7 +136,11 @@ describe('res', function(){
       request(app)
       .get('/')
       .expect('Content-Type', 'application/vnd.example+json; charset=utf-8')
-      .expect(200, '{"hello":"world"}', done);
+      .expect(200, '{"hello":"world"}', function (err, res) {
+        if (err) return done(err);
+        res.headers.should.not.have.property('x-content-type-options');
+        done();
+      });
     })
 
     it('should override previous Content-Types with callback', function(done){
@@ -141,6 +154,7 @@ describe('res', function(){
       request(app)
       .get('/?callback=cb')
       .expect('Content-Type', 'text/javascript; charset=utf-8')
+      .expect('X-Content-Type-Options', 'nosniff')
       .expect(200, /cb\(\{"hello":"world"\}\);$/, done);
     })
 

test/res.send.js

@@ -77,6 +77,21 @@ describe('res', function(){
     })
   })
 
+  describe('.send(code, number)', function(){
+    it('should send number as json', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.send(200, 0.123);
+      });
+
+      request(app)
+      .get('/')
+      .expect('Content-Type', 'application/json; charset=utf-8')
+      .expect(200, '0.123', done);
+    })
+  })
+
   describe('.send(String)', function(){
     it('should send as html', function(done){
       var app = express();

test/res.sendfile.js

@@ -106,6 +106,30 @@ describe('res', function(){
   })
 
   describe('.sendfile(path)', function(){
+    it('should not serve dotfiles', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.sendfile('test/fixtures/.name');
+      });
+
+      request(app)
+      .get('/')
+      .expect(404, done);
+    })
+
+    it('should accept dotfiles option', function(done){
+      var app = express();
+
+      app.use(function(req, res){
+        res.sendfile('test/fixtures/.name', { dotfiles: 'allow' });
+      });
+
+      request(app)
+      .get('/')
+      .expect(200, 'tobi', done);
+    })
+
     describe('with an absolute path', function(){
       it('should transfer the file', function(done){
         var app = express();