Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Uncaught exception on malformed multipart data #224

Closed
hhp21 opened this issue Sep 15, 2015 · 5 comments
Closed

Uncaught exception on malformed multipart data #224

hhp21 opened this issue Sep 15, 2015 · 5 comments

Comments

@hhp21
Copy link

hhp21 commented Sep 15, 2015

In the simplest use case of using multer middleware (1.0.3) e.g.:

var upload = multer();
router.post('/foo', upload.single('myfile'), function (req, res, next) {
    console.log('foo');
});

If I create badly formed multipart data e.g. test.txt:
(note the additional space in the end boundary that makes it malformed)

------------------------------4ebf00fbcf09
Content-Disposition: form-data; name="myfile"; filename="test.txt"
Content-Type: text/plain

test
---------------------- --------4ebf00fbcf09--

And I send it:

curl -X POST -H "Content-Type: multipart/form-data; boundary=----------------------------4ebf00fbcf09" --data-binary @test.txt http://localhost:3000/foo

I will crash my server:

events.js:72
        throw er; // Unhandled 'error' event
              ^
Error: Unexpected end of multipart data
    at /Users/hhp21/Documents/sandbox/node/express_sandbox/node_modules/multer/node_modules/busboy/node_modules/dicer/lib/Dicer.js:62:28
    at process._tickCallback (node.js:419:13)

npm ERR! Darwin 14.4.0
npm ERR! argv "node" "/usr/local/bin/npm" "start"
npm ERR! node v0.10.28
npm ERR! npm  v2.7.5
npm ERR! code ELIFECYCLE
npm ERR! application-name@0.0.1 start: `node ./bin/www`
npm ERR! Exit status 8

It's a pretty serious security flaw. It looks like it is because there is no event handler for Busboy.on('error',fn). I can use process.on('uncaughtException', fn) to catch this, but it's considered a rather bad idea to try to recover from uncaught exceptions. Can this be fixed please?

@LinusU
Copy link
Member

LinusU commented Sep 19, 2015

This is very strange but I'm getting another error 😖

For me, busboy emits a file that never fire end, even thought busboy fires a finished event...

@LinusU
Copy link
Member

LinusU commented Sep 19, 2015

Okay, that was fixed in a later version of Busboy, the fix will have to include a bumped dependency.

@LinusU
Copy link
Member

LinusU commented Sep 19, 2015

Fixed in 1.0.4

@LinusU LinusU closed this as completed Sep 19, 2015
@hhp21
Copy link
Author

hhp21 commented Sep 20, 2015

Thank you!!

@softmarshmallow
Copy link

Still getting this on nestjs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants