Security vulnerability due to dicer 0.2.5 #1122
Comments
|
Any updates about this security issue? |
|
Looks like the vulnerability isn't going to be ever fix in dicer (mscdex/dicer#22), but busboy (direct multer's dependency) no longer depends on it. So all we need is to update busboy. However, it had quite a few breaking changes in 1.0.0 (multer requires ^0.2.11): mscdex/busboy#266 |
dicer has a sequirty issue and busboy is not using it in the newer version so we need to update this package
|
@wojtekmaj I just created this #1125 to fix it. Two tests are not passing: it('should handle unicode filenames', function (done) {
var form = new FormData()
var parser = upload.single('small0')
var filename = '\ud83d\udca9.dat'
form.append('small0', util.file('small0.dat'), { filename: filename })
util.submitForm(parser, form, function (err, req) {
assert.ifError(err)
assert.strictEqual(path.basename(req.file.path), filename)
assert.strictEqual(req.file.originalname, filename)
assert.strictEqual(req.file.fieldname, 'small0')
assert.strictEqual(req.file.size, 1778)
assert.strictEqual(util.fileSize(req.file.path), 1778)
done()
})
})
Also do you have any idea if this repo is maintained or not? lastest change was made 8 months ago Do you have any idea why this one fails? Is it related to Nodejs version or something? It just converts the unicode to the shape |
|
You can find more info about this in #1097. The change have already been published as We can only put this in a normal |
Dear Team
In our product the high security vulnerability has been reported due to the nested sub-package dicer 0.2.5 even in the latest version (1.4.4) of multer. Would you please help to check and share your mitigation plan if it's planned.
Best Regards,
Hank.
The text was updated successfully, but these errors were encountered: