Open Hank1986 opened 2 years ago
Any updates about this security issue?
Looks like the vulnerability isn't ever going to be fixed in dicer (https://github.com/mscdex/dicer/pull/22), but busboy (multer's direct dependency) no longer depends on it. So all we need to do is update busboy. However, it had quite a few breaking changes in 1.0.0 (multer requires ^0.2.11): https://github.com/mscdex/busboy/issues/266
@wojtekmaj I just created this #1125 to fix it. Two tests are not passing:
```js
// Requires as in multer's test suite (assumed: `util` is the suite's ./_util
// helper, and `upload` is normally created in a before hook with a temp dir)
var assert = require('assert')
var path = require('path')
var os = require('os')
var FormData = require('form-data')
var util = require('./_util')
var multer = require('../')

var upload = multer({ dest: os.tmpdir() })

it('should handle unicode filenames', function (done) {
  var form = new FormData()
  var parser = upload.single('small0')
  var filename = '\ud83d\udca9.dat'  // U+1F4A9 as a surrogate pair

  form.append('small0', util.file('small0.dat'), { filename: filename })

  util.submitForm(parser, form, function (err, req) {
    assert.ifError(err)

    // the stored file and the reported original name must keep the unicode name
    assert.strictEqual(path.basename(req.file.path), filename)
    assert.strictEqual(req.file.originalname, filename)

    assert.strictEqual(req.file.fieldname, 'small0')
    assert.strictEqual(req.file.size, 1778)
    assert.strictEqual(util.fileSize(req.file.path), 1778)

    done()
  })
})
```
Also, do you have any idea if this repo is maintained or not? The latest change was made 8 months ago.
Do you have any idea why this one fails? Is it related to the Node.js version or something? It just converts the unicode to the shape
You can find more info about this in #1097.
The change has already been published as 1.4.5-lts.1, which drops support for older versions of Node.js.
We can only put this in a normal 1.x release if someone can upgrade whilst keeping compatibility with Node.js 0.10.
Dear Team,
In our product a high security vulnerability has been reported due to the nested sub-package dicer 0.2.5, even in the latest version (1.4.4) of multer. Would you please help to check and share your mitigation plan if it's planned.
Best Regards, Hank.