Merge branch 'master' into master

Author: i3ene

.gitignore

@@ -3,3 +3,4 @@ npm-debug.log*
 .nyc_*/
 .dir-locals.el
 .DS_Store
+.tap

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2011-2022 Charlie Robbins, Marak Squires, Jade Michael Thornton and the Contributors.
+Copyright (c) 2011-2025 Charlie Robbins, Marak Squires, Jade Michael Thornton and the Contributors.
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -69,15 +69,17 @@ with the provided Dockerfile.
 |`-b` or `--brotli`|When enabled it will serve `./public/some-file.js.br` in place of `./public/some-file.js` when a brotli compressed version of the file exists and the request accepts `br` encoding. If gzip is also enabled, it will try to serve brotli first. |`false`|
 |`-e` or `--ext`  |Default file extension if none supplied |`html` | 
 |`-s` or `--silent` |Suppress log messages from output  | |
-|`--cors` |Enable CORS via the `Access-Control-Allow-Origin` header  | |
+|`--cors` | Enable CORS via the `Access-Control-Allow-Origin: *` header. Optionally provide comma-separated values to add to `Access-Control-Allow-Headers`  | |
 |`-H` or `--header` |Add an extra response header (can be used several times)  | |
 |`-o [path]` |Open browser window after starting the server. Optionally provide a URL path to open. e.g.: -o /other/dir/ | |
 |`-c` |Set cache time (in seconds) for cache-control max-age header, e.g. `-c10` for 10 seconds. To disable caching, use `-c-1`.|`3600` |
 |`-U` or `--utc` |Use UTC time format in log messages.| |
 |`--log-ip` |Enable logging of the client's IP address |`false` |
 |`-P` or `--proxy` |Proxies all requests which can't be resolved locally to the given url. e.g.: -P http://someurl.com | |
 |`--proxy-options` |Pass proxy [options](https://github.com/http-party/node-http-proxy#options) using nested dotted objects. e.g.: --proxy-options.secure false | |
-|`--proxy-config` |Pass in `.json` configuration file. e.g.: `./path/to/config.json` | |
+|`--proxy-config` |Pass in `.json` configuration file or stringified JSON. e.g.: `./path/to/config.json` | |
+|`--proxy-all` |Forward every request to the proxy target instead of serving local files|`false`|
+|`--proxy-options` |Pass proxy [options](https://github.com/http-party/node-http-proxy#options) using nested dotted objects. e.g.: --proxy-options.secure false |
 |`--username` |Username for basic authentication | |
 |`--password` |Password for basic authentication | |
 |`-S`, `--tls` or `--ssl` |Enable secure request serving with TLS/SSL (HTTPS)|`false`|

bin/http-server

@@ -14,8 +14,10 @@ var argv = require('minimist')(process.argv.slice(2), {
   alias: {
     tls: 'ssl',
     header: 'H'
-  }
+  },
+  boolean: ['proxy-all']
 });
+
 var ifaces = os.networkInterfaces();
 
 process.title = 'http-server';
@@ -33,10 +35,19 @@ if (argv.h || argv.help) {
     '  -g --gzip    Serve gzip files when possible [false]',
     '  -b --brotli  Serve brotli files when possible [false]',
     '               If both brotli and gzip are enabled, brotli takes precedence',
+    '',
+    '  --force-content-encoding',
+    '               When using --gzip or --brotli, includes the content encoding',
+    '               header even when the extension for the compressed file is',
+    '               specified in the URL. "test.png.br" will be served the same',
+    '               way as "test.png".',
+    '',
     '  -e --ext     Default file extension if none supplied [none]',
     '  -s --silent  Suppress log messages from output',
+    '  --content-type     Default content type for unknown file types [application/octet-stream]',
     '  --cors[=headers]   Enable CORS via the "Access-Control-Allow-Origin" header',
-    '                     Optionally provide CORS headers list separated by commas',
+    '                     When enabled, sets Access-Control-Allow-Origin to "*"',
+    '                     Optional value adds to Access-Control-Allow-Headers',
     '  -H',
     '  --header',
     '               Add an extra response header (can be used several times)',
@@ -50,8 +61,10 @@ if (argv.h || argv.help) {
     '  --log-ip     Enable logging of the client\'s IP address',
     '',
     '  -P --proxy       Fallback proxy if the request cannot be resolved. e.g.: http://someurl.com',
+    '  --proxy-all      Send every request to the proxy target instead of serving local files',
     '  --proxy-options  Pass options to proxy using nested dotted objects. e.g.: --proxy-options.secure false',
     '  --proxy-config   Pass in .json configuration file. e.g.: ./path/to/config.json',
+    '  --websocket      Enable websocket proxy',
     '',
     '  --username   Username for basic authentication [none]',
     '               Can also be specified with the env variable NODE_HTTP_SERVER_USERNAME',
@@ -78,6 +91,8 @@ var port = argv.p || argv.port || parseInt(process.env.PORT, 10),
     proxy = argv.P || argv.proxy,
     proxyOptions = argv['proxy-options'],
     proxyConfig = argv['proxy-config'],
+    websocket = argv.websocket,
+    proxyAll = Boolean(argv['proxy-all']),
     utc = argv.U || argv.utc,
     version = argv.v || argv.version,
     baseDir = argv['base-dir'],
@@ -166,8 +181,10 @@ function listen(port) {
     proxy: proxy,
     proxyOptions: proxyOptions,
     proxyConfig: proxyConfig,
+    proxyAll: proxyAll,
     showDotfiles: argv.dotfiles,
     mimetypes: argv.mimetypes,
+    contentType: argv['content-type'],
     username: argv.username || process.env.NODE_HTTP_SERVER_USERNAME,
     password: argv.password || process.env.NODE_HTTP_SERVER_PASSWORD,
     headers: {}
@@ -182,12 +199,24 @@ function listen(port) {
     }
   }
 
+  if (websocket) {
+    if (!proxy) {
+      logger.warning(colors.yellow('WebSocket proxy will not be enabled because proxy is not enabled'));
+    } else {
+      options.websocket = true;
+    }
+  }
+
   if (argv.cors) {
     options.cors = true;
     if (typeof argv.cors === 'string') {
       options.corsHeaders = argv.cors;
     }
   }
+  
+  if ( argv['force-content-encoding'] ) {
+    options.forceContentEncoding = true;
+  }
 
   if (argv.header) {
     if (Array.isArray(argv.header)) {
@@ -229,6 +258,12 @@ function listen(port) {
     proxyOptions = undefined;
   }
 
+  // TODO: handle this in respect of proxyConfig
+  if (proxyAll && !proxy) {
+    logger.info(chalk.red('Error: --proxy-all requires --proxy to be set'));
+    process.exit(1);
+  }
+
   if (tls) {
     options.https = {
       cert: argv.C || argv.cert || 'cert.pem',
@@ -293,7 +328,7 @@ function listen(port) {
     } else {
       Object.keys(ifaces).forEach(function (dev) {
         ifaces[dev].forEach(function (details) {
-          if (details.family === 'IPv4') {
+          if (details.family === 'IPv4' || details.family === 4) {
             logger.info(('  ' + protocol + details.address + ':' + chalk.green(port.toString()) + path));
           }
           if (details.family === 'IPv6' && !details.address.startsWith("fe80") ) { // Ignoring Ipv6-Link Local addresses

doc/http-server.1

@@ -49,6 +49,13 @@ Serve brotli files when possible.
 If both brotli and gzip are enabled, brotli takes precedence.
 Default is false.
 
+.TP
+.BI \-\-force\-content\-encoding
+When using --gzip or --brotli, includes the content encoding
+header even when the extension for the compressed file is
+specified in the URL. "test.png.br" will be served the same
+way as "test.png".
+
 .TP
 .BI \-e ", " \-\-ext " " \fIEXTENSION\fR
 Default file extension is none is provided.
@@ -59,8 +66,9 @@ Suppress log messages from output.
 
 .TP
 .BI \-\-cors " " [\fIHEADERS\fR]
-Enable CORS via the "Access-Control-Allow-Origin" header.
-Optionally provide CORS headers list separated by commas.
+Enable CORS by setting "Access-Control-Allow-Origin" to "*".
+Optional comma-separated headers list adds to "Access-Control-Allow-Headers".
+Default Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Range.
 
 .TP
 .BI \-H ", " \-\-header " " \fIHEADER\fR
@@ -89,6 +97,11 @@ Enable logging of the client IP address.
 .BI \-P ", " \-\-proxy
 Fallback proxy if the request cannot be resolved.
 
+.TP
+.BI \-\-proxy\-all
+Forward every request to the proxy target and disable local file serving.
+Requires \-\-proxy.
+
 .TP
 .BI \-\-proxy\-options
 Pass proxy options using nested dotted objects.

lib/core/defaults.json

@@ -9,6 +9,7 @@
   "cors": false,
   "gzip": true,
   "brotli": false,
+  "forceContentEncoding": false,
   "defaultExt": ".html",
   "handleError": true,
   "contentType": "application/octet-stream",

lib/core/index.js

@@ -200,9 +200,14 @@ module.exports = function createMiddleware(_dir, _options) {
         path.relative(path.join('/', baseDir), pathname)
       )
     );
-    // determine compressed forms if they were to exist
+    // determine compressed forms if they were to exist, make sure to handle pre-compressed files, i.e. files with .br/.gz extension. we will serve them "as-is"
     gzippedFile = `${file}.gz`;
     brotliFile = `${file}.br`;
+    
+    if ( opts.forceContentEncoding ) {
+      if ( file.endsWith('.gz') ) gzippedFile = file;
+      if ( file.endsWith('.br') ) brotliFile = file;
+    }
 
     Object.keys(headers).forEach((key) => {
       res.setHeader(key, headers[key]);

lib/core/opts.js

@@ -15,6 +15,7 @@ module.exports = (opts) => {
   let cache = defaults.cache;
   let gzip = defaults.gzip;
   let brotli = defaults.brotli;
+  let forceContentEncoding = defaults.forceContentEncoding;
   let defaultExt = defaults.defaultExt;
   let handleError = defaults.handleError;
   const headers = {};
@@ -28,12 +29,26 @@ module.exports = (opts) => {
     return typeof opts[k] !== 'undefined' && opts[k] !== null;
   }
 
+  function validateNoCRLF(str) {
+    if (typeof str === 'string' && (str.includes('\r') || str.includes('\n'))) {
+      throw new Error('Header is not a string or contains CRLF');
+    }
+  }
+
+  function addHeader(key, value) {
+    validateNoCRLF(key);
+    validateNoCRLF(value);
+    headers[key] = value;
+  }
+
   function setHeader(str) {
+    validateNoCRLF(str);
+    
     const m = /^(.+?)\s*:\s*(.*)$/.exec(str);
     if (!m) {
-      headers[str] = true;
+      addHeader(str, true);  // Use addHeader instead of direct assignment
     } else {
-      headers[m[1]] = m[2];
+      addHeader(m[1], m[2]); // Use addHeader instead of direct assignment
     }
   }
 
@@ -108,6 +123,9 @@ module.exports = (opts) => {
     if (typeof opts.brotli !== 'undefined' && opts.brotli !== null) {
       brotli = opts.brotli;
     }
+    if (typeof opts.forceContentEncoding !== 'undefined' && opts.forceContentEncoding !== null) {
+      forceContentEncoding = opts.forceContentEncoding;
+    }
 
     aliases.handleError.some((k) => {
       if (isDeclared(k)) {
@@ -131,7 +149,7 @@ module.exports = (opts) => {
           opts[k].forEach(setHeader);
         } else if (opts[k] && typeof opts[k] === 'object') {
           Object.keys(opts[k]).forEach((key) => {
-            headers[key] = opts[k][key];
+            addHeader(key, opts[k][key]);  // Uses same validation path
           });
         } else {
           setHeader(opts[k]);
@@ -192,6 +210,7 @@ module.exports = (opts) => {
     baseDir: (opts && opts.baseDir) || '/',
     gzip,
     brotli,
+    forceContentEncoding,
     handleError,
     headers,
     contentType,

lib/core/show-dir/index.js

@@ -73,6 +73,50 @@ module.exports = (opts) => {
         res.setHeader('etag', etag(stat, weakEtags));
         res.setHeader('last-modified', (new Date(stat.mtime)).toUTCString());
         res.setHeader('cache-control', cache);
+        
+        // A step before render() is called to gives items additional
+        // information so that render() can deliver the best user experience
+        // possible.
+        function process(dirs, renderFiles, lolwuts) {
+          const filenamesThatExist = new Set();
+
+          // Putting filenames in a set first keeps us in O(n) time complexity
+          for (let i=0; i < renderFiles.length; i++) {
+            const [name, stat] = renderFiles[i];
+            filenamesThatExist.add(name);
+            const renderOptions = {};
+            renderFiles[i] = [name, stat, renderOptions];
+          }
+          
+          // Set render options for compressed files
+          for (const [name, _stat, renderOptions] of renderFiles) {
+            if (
+              opts.brotli &&
+              ! opts.forceContentEncoding &&
+              name.endsWith('.br')
+            ) {
+              const uncompressedName = name.slice(0, -'.br'.length);
+              if (filenamesThatExist.has(uncompressedName)) {
+                continue;
+              }
+              renderOptions.uncompressedName = uncompressedName;
+            }
+          }
+          for (const [name, _stat, renderOptions] of renderFiles) {
+            if (
+              opts.gzip &&
+              ! opts.forceContentEncoding &&
+              name.endsWith('.gz')
+            ) {
+              const uncompressedName = name.slice(0, -'.gz'.length);
+              if (filenamesThatExist.has(uncompressedName)) {
+                continue;
+              }
+              renderOptions.uncompressedName = uncompressedName;
+            }
+          }
+          render(dirs, renderFiles, lolwuts);
+        }
 
         function render(dirs, renderFiles, lolwuts) {
           // each entry in the array is a [name, stat] tuple
@@ -94,7 +138,7 @@ module.exports = (opts) => {
 
           const failed = false;
           const writeRow = (file) => {
-            // render a row given a [name, stat] tuple
+            // render a row given a [name, stat, renderOptions] tuple
             const isDir = file[1].isDirectory && file[1].isDirectory();
             let href = `./${encodeURIComponent(file[0])}`;
 
@@ -103,7 +147,24 @@ module.exports = (opts) => {
               href += `/${he.encode((parsed.search) ? parsed.search : '')}`;
             }
 
-            const displayName = he.encode(file[0]) + ((isDir) ? '/' : '');
+            // Handle compressed files with uncompressed names
+            let displayNameHTML;
+            let fileSize = sizeToString(file[1], humanReadable, si);
+            
+            if (file[2] && file[2].uncompressedName) {
+              // This is a compressed file, show both names with separate links
+              const uncompressedName = he.encode(file[2].uncompressedName);
+              const compressedName = he.encode(file[0]);
+              const uncompressedHref = `./${encodeURIComponent(file[2].uncompressedName)}`;
+              const asterisk = `<span title="served from compressed file">*</span>`;
+              displayNameHTML = `<a href="${uncompressedHref}">${uncompressedName}</a>` +
+                `${asterisk} (<a href="${href}">${compressedName}</a>)`;
+              fileSize += '*';
+            } else {
+              // Regular file or directory
+              displayNameHTML = `<a href="${href}">${he.encode(file[0]) + ((isDir) ? '/' : '')}</a>`;
+            }
+
             const ext = file[0].split('.').pop();
             const classForNonDir = supportedIcons[ext] ? ext : '_page';
             const iconClass = `icon-${isDir ? '_blank' : classForNonDir}`;
@@ -116,8 +177,8 @@ module.exports = (opts) => {
             }
             html +=
               `<td class="last-modified">${lastModifiedToString(file[1])}</td>` +
-              `<td class="file-size"><code>${sizeToString(file[1], humanReadable, si)}</code></td>` +
-              `<td class="display-name"><a href="${href}">${displayName}</a></td>` +
+              `<td class="file-size"><code>${fileSize}</code></td>` +
+              `<td class="display-name">${displayNameHTML}</td>` +
               '</tr>\n';
           };
 
@@ -161,10 +222,10 @@ module.exports = (opts) => {
                 return;
               }
               dirs.unshift(['..', s]);
-              render(dirs, sortedFiles, lolwuts);
+              process(dirs, sortedFiles, lolwuts);
             });
           } else {
-            render(dirs, sortedFiles, lolwuts);
+            process(dirs, sortedFiles, lolwuts);
           }
         });
       });

lib/core/show-dir/styles.js

@@ -9,6 +9,17 @@ css += 'table tr { white-space: nowrap; }\n';
 css += 'td.perms {}\n';
 css += 'td.file-size { text-align: right; padding-left: 1em; }\n';
 css += 'td.display-name { padding-left: 1em; }\n';
+css += `
+@media (prefers-color-scheme: dark) {
+  body {
+    background-color: #303030;
+    color: #efefef;
+  }
+  a {
+    color: #ffff11;
+  }
+}
+`;
 
 Object.keys(icons).forEach((key) => {
   css += `i.icon-${key} {\n`;