Security vulnerability due to dicer 0.2.5 #1122
Comments
Any updates about this security issue?
Looks like the vulnerability isn't ever going to be fixed in dicer (mscdex/dicer#22), but busboy (multer's direct dependency) no longer depends on it. So all we need is to update busboy. However, it had quite a few breaking changes in 1.0.0 (multer requires ^0.2.11): mscdex/busboy#266
dicer has a security issue and busboy is not using it in the newer version, so we need to update this package.
@wojtekmaj I just created #1125 to fix it. Two tests are not passing:

```js
// Excerpt from multer's mocha test suite as posted in the comment; `upload`,
// `util`, `FormData`, `assert` and `path` are set up by the surrounding test file.
it('should handle unicode filenames', function (done) {
  var form = new FormData()
  var parser = upload.single('small0')
  // U+1F4A9 written as a surrogate pair, used as the uploaded file's name
  var filename = '\ud83d\udca9.dat'

  form.append('small0', util.file('small0.dat'), { filename: filename })

  util.submitForm(parser, form, function (err, req) {
    assert.ifError(err)

    // both the stored file and the reported metadata must keep the unicode name
    assert.strictEqual(path.basename(req.file.path), filename)
    assert.strictEqual(req.file.originalname, filename)

    assert.strictEqual(req.file.fieldname, 'small0')
    assert.strictEqual(req.file.size, 1778)
    assert.strictEqual(util.fileSize(req.file.path), 1778)

    done()
  })
})
```

Also, do you have any idea if this repo is maintained or not? The latest change was made 8 months ago.

Do you have any idea why this one fails? Is it related to the Node.js version or something? It just converts the unicode to the shape
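The comment above asks why the unicode-filename test fails after the move to busboy 1.x. The following is an added example, not code from multer, busboy or PR #1125: it parses a constructed part header under two charsets and assumes (the thread does not say so) that the failure comes from the header bytes being decoded as latin1, which is the busboy 1.x default for its defParamCharset option, while the test expects UTF-8.

```javascript
// Added example, not code from multer, busboy or the issue thread. It assumes
// (not stated in the thread) that the unicode-filename failure comes from the
// part header bytes being decoded as latin1, which is busboy 1.x's default
// for the defParamCharset option, whereas the test expects UTF-8 decoding.

// Constructed part header as sent on the wire: the filename is UTF-8 encoded.
const RAW_HEADER = Buffer.from(
  'Content-Disposition: form-data; name="small0"; filename="\ud83d\udca9.dat"',
  'utf8'
)

// Minimal parser for quoted Content-Disposition parameters. `charset` is the
// encoding applied to the raw header bytes before the parameters are read.
function parseDispositionParams (rawHeaderBytes, charset) {
  const text = rawHeaderBytes.toString(charset)
  const params = {}
  const re = /;\s*([\w-]+)="((?:[^"\\]|\\.)*)"/g
  let m
  while ((m = re.exec(text)) !== null) {
    params[m[1]] = m[2].replace(/\\(.)/g, '$1')
  }
  return params
}

// The filename the test's assertions would see under a given charset.
function filenameWithCharset (charset) {
  return parseDispositionParams(RAW_HEADER, charset).filename
}

// A latin1-decoded string maps one char per original byte, so re-encoding it
// as latin1 and decoding as UTF-8 recovers the filename the client sent.
function repairLatin1Filename (mojibake) {
  return Buffer.from(mojibake, 'latin1').toString('utf8')
}

// utf8 gives the expected name; latin1 gives four mojibake chars plus ".dat"
console.log(filenameWithCharset('utf8'), filenameWithCharset('latin1').length)
```

If that assumption holds, the consumer-side fix is to have the parser decode parameters as UTF-8 by default rather than to change the test.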
You can find more info about this in #1097. The change has already been published as We can only put this in a normal
Dear Team,

In our product, a high-severity security vulnerability has been reported due to the nested sub-package dicer 0.2.5, even in the latest version (1.4.4) of multer. Would you please help to check and share your mitigation plan, if one is planned?

Best Regards,
Hank.