pixl-server-web 1.3.2 → 1.3.3

package/README.md

@@ -222,7 +222,13 @@ This param allows you to send back any additional custom HTTP headers with each
 
 ## http_timeout
 
-This sets the idle socket timeout for all incoming HTTP requests.  If omitted, the Node.js default is 2 minutes.  Please specify your value in seconds.
+This sets the idle socket timeout for all incoming HTTP requests, in seconds.  If omitted, the Node.js default is 120 seconds.  Example:
+
+```js
+{
+	"http_timeout": 120
+}
+```
 
 This only applies to reading from sockets when data is expected.  It is an *idle read timeout* on the socket itself, and doesn't apply to request handlers.
 
@@ -274,19 +280,17 @@ This completely disables Keep-Alives for all connections.  All requests result i
 
 ## http_keep_alive_timeout
 
-This sets the HTTP Keep-Alive idle timeout for all sockets.  If omitted, the Node.js default is 5 seconds.  See [server.keepAliveTimeout](https://nodejs.org/api/http.html#http_server_keepalivetimeout) for details.  Example:
+This sets the HTTP Keep-Alive idle timeout for all sockets, measured in seconds.  If omitted, the Node.js default is 5 seconds.  See [server.keepAliveTimeout](https://nodejs.org/api/http.html#http_server_keepalivetimeout) for details.  Example:
 
 ```js
 {
-	"http_keep_alive_timeout": 5000
+	"http_keep_alive_timeout": 5
 }
 ```
 
-This feature was introduced in Node.js version 8.  Prior to that, the [http_timeout](#http_timeout) was used as the Keep-Alive timeout.
-
 ## http_socket_prelim_timeout
 
-This sets a special preliminary timeout for brand new sockets when they are first connected.  If an HTTP request doesn't come over the socket within this timeout (specified in seconds), then the socket is hard closed.  This timeout should always be set lower than the [http_timeout](#http_timeout) if used.  This defaults to `0` (disabled).  Example use:
+This sets a special preliminary timeout for brand new sockets when they are first connected, measured in seconds.  If an HTTP request doesn't come over the socket within this timeout (specified in seconds), then the socket is hard closed.  This timeout should always be set lower than the [http_timeout](#http_timeout) if used.  This defaults to `0` (disabled).  Example use:
 
 ```js
 {

package/lib/request.js

@@ -219,12 +219,12 @@ module.exports = class Request {
 			
 			if (content_type.match(/(multipart|urlencoded)/i) && !content_encoding) {
 				// use formidable for the heavy lifting
-				var form = new Formidable.IncomingForm({
+				var form = Formidable({
 					keepExtensions: true,
 					maxFieldsSize: self.config.get('http_max_upload_size'),
 					maxFileSize: self.config.get('http_max_upload_size'),
-					hash: false,
-					uploadDir: self.config.get('http_temp_dir')
+					uploadDir: self.config.get('http_temp_dir'),
+					allowEmptyFiles: self.config.get('http_allow_empty_files') || false
 				});
 				
 				form.on('progress', function(bytesReceived, bytesExpected) {
@@ -237,7 +237,7 @@ module.exports = class Request {
 				form.parse(request, function(err, _fields, _files) {
 					args.perf.end('read');
 					if (err) {
-						self.logError(400, "Error processing data from: " + ip + ": " + request.url + ": " + err, 
+						self.logError(400, "Error processing data from: " + ip + ": " + request.url + ": " + (err.message || err), 
 							{ id: args.id, ips: ips, uri: request.url, headers: request.headers }
 						);
 						self.sendHTTPResponse( args, "400 Bad Request", {}, "400 Bad Request" );
@@ -245,7 +245,22 @@ module.exports = class Request {
 					}
 					else {
 						args.params = _fields || {};
-						args.files = _files || {};
+						
+						// restore original formidable v1 API for our files
+						args.files = {};
+						if (_files) {
+							for (var key in _files) {
+								var file = _files[key];
+								args.files[key] = {
+									path: file.filepath,
+									type: file.mimetype,
+									name: file.originalFilename,
+									size: file.size,
+									mtime: file.mtime || file.lastModifiedDate
+								};
+							}
+						}
+						
 						self.filterHTTPRequest(args);
 					}
 				} );

package/lib/static.js

@@ -164,13 +164,13 @@ module.exports = class Static {
 	parseByteRange(req, stat) {
 		// parse byte range header from request
 		// Example header: Range: bytes=31-49
-        const byteRange = {
-            from: 0,
-            to: 0
-        }
+		const byteRange = {
+			from: 0,
+			to: 0
+		}
 		
-        let rangeHeader = req.headers['range'];
-        const flavor = 'bytes=';
+		let rangeHeader = req.headers['range'];
+		const flavor = 'bytes=';
 		
 		if (rangeHeader && rangeHeader.startsWith(flavor) && !rangeHeader.includes(',')) {
 			// Parse
@@ -193,7 +193,7 @@ module.exports = class Static {
 			}
 		}
 		
-        return null;
-    }
+		return null;
+	}
 	
 };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pixl-server-web",
-	"version": "1.3.2",
+	"version": "1.3.3",
 	"description": "A web server component for the pixl-server framework.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/pixl-server-web",
@@ -24,7 +24,7 @@
 		"pixl-perf": "^1.0.0",
 		"pixl-acl": "^1.0.1",
 		"class-plus": "^1.0.0",
-		"formidable": "1.2.1",
+		"formidable": "2.0.1",
 		"errno": "0.1.7",
 		"stream-meter": "1.0.4",
 		"async": "3.2.0",

package/test/test.js

@@ -186,6 +186,20 @@ module.exports = {
 			);
 		},
 		
+		function testBadRequest(test) {
+			// test bad HTTP GET request to webserver backend
+			// this still resolves to the root dir index due to the ../
+			request.get( 'http://127.0.0.1:3020/%0ASet-Cookie%3Acrlfinjection/../',
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.ok( resp.headers['via'] == "WebServerTest 1.0", "Correct Via header: " + resp.headers['via'] );
+					test.done();
+				} 
+			);
+		},
+		
 		// query string
 		function testQueryString(test) {
 			// test simple HTTP GET request with query string