Open elledienne opened 1 year ago
Ran into the same issue (I actually created that issue over there). @web3-storage
's header handling is pretty basic. I haven't had time to open a proper PR on this repo to use a different lib, but for now this diff with patch-package
is working around it.
patches/@web3-storage+multipart-parser+1.0.0.patch
:
diff --git a/node_modules/@web3-storage/multipart-parser/cjs/src/index.js b/node_modules/@web3-storage/multipart-parser/cjs/src/index.js
index 8be5ee9..311b48a 100644
--- a/node_modules/@web3-storage/multipart-parser/cjs/src/index.js
+++ b/node_modules/@web3-storage/multipart-parser/cjs/src/index.js
@@ -9,17 +9,24 @@ const mergeArrays2 = Function.prototype.apply.bind(utils.mergeArrays, undefined)
const dash = utils.stringToArray('--');
const CRLF = utils.stringToArray('\r\n');
function parseContentDisposition(header) {
- const parts = header.split(';').map(part => part.trim());
+ const parts = header.split(/;(?=(?:[^"]*"[^"]*")*[^"]*$)/).map(part => part.trim());
if (parts.shift() !== 'form-data') {
throw new Error('malformed content-disposition header: missing "form-data" in `' + JSON.stringify(parts) + '`');
}
const out = {};
for (const part of parts) {
- const kv = part.split('=', 2);
- if (kv.length !== 2) {
- throw new Error('malformed content-disposition header: key-value pair not found - ' + part + ' in `' + header + '`');
+ const equals = part.indexOf('=');
+ if (equals < 0) {
+ throw new Error('malformed key-value string: missing value in `' + part + '`');
}
- const [name, value] = kv;
+
+ const name = part.slice(0, equals);
+ const value = part.slice(equals + 1);
+ //const kv = part.split('=', 2);
+ //if (kv.length !== 2) {
+ // throw new Error('malformed content-disposition header: key-value pair not found - ' + part + ' in `' + header + '`');
+ // }
+ // const [name, value] = kv;
if (value[0] === '"' && value[value.length - 1] === '"') {
out[name] = value.slice(1, -1).replace(/\\"/g, '"');
} else if (value[0] !== '"' && value[value.length - 1] !== '"') {
We caught the same error https://github.com/webstudio-is/webstudio-designer/pull/483
I confirmed this is an issue when the filename uses characters that are used as delimiters in the Content-Disposition header
, such as ;
, =
, and "
// Parses fine
Content-Disposition: form-data; name="file"; filename="something.txt"
// Fails to parse
Content-Disposition: form-data; name="file"; filename="something;else.txt"
Content-Disposition: form-data; name="file"; filename="something=else.txt"
Content-Disposition: form-data; name="file"; filename="something"else.txt"
Going to mark this as external
for now during this v2 bug sweep - but I agree it looks like that package may be abandoned so we may need to fork or inline that code prior to stabilizing unstable_parseMultipartFormData
This issue is still present in version 2.2
The @web3-storage/multipart-parser
package is archived now so definitely abandoned.
Just ran into this on remix-run@2.9.1
with @web3-storage@1.0.0
What version of Remix are you using?
1.7.2
Steps to Reproduce
something ' something.png
orsomething ; something.png
(file extension doesn't really matteruploadHandler
leveragingunstable_parseMultipartFormData
Expected Behavior
The file is successfully uploaded
Actual Behavior
The server crashes with the following error
As you can see, the error comes from a dependency of Remix,
@web3-storage
but the repo seems quite dead, and existing issues are not being addressed.