search

vapor / multipart-kit

🏞 Parses and serializes multipart-encoded data with Codable support.
MIT License
136 stars 40 forks source link

Crash on multipart/form-data decoding with empty mime type. #53

Open sderiu opened 3 years ago

sderiu commented 3 years ago

Describe the bug

Server crashes on a multipart/form-data request with an empty mimeType.

To Reproduce

Steps to reproduce the behavior:

  1. Send a multipart/form-data request from a client with an empty mime type.
  2. Try decoding the request in a Content conform struct on the server.
  3. Server crashes with a fatalError, no error messages provided.

Expected behavior

The request throw a decoding error avoiding server crashes and providing a readable error message.

Environment

Additional context

This is how the AlamoFire request is sent (See MultipartFormData): 

multipart.append(file, withName: "file", fileName: "my_file.zip", mimeType: "")

and this is how I decode it : 


func upload(_ req: Request) throws {
      let file = try req.content.decode(Upload.self)
      // doing some other stuff
}
struct Upload: Content {
     let file : File 
}

Using Backtrace I found the line where the fatalError is raised :

Fatal error: file Vapor/MultipartParser.swift, line 186

The error is raised on the handleHeadersComplete function.

Me and the iOS developer spent some hours digging into the MultipartParser decoding strategy and we found the headers decoding is made using three different functions:

Simplifying a lot the handleHeaderField function read the header name, handleHeaderValue the value for that header and handleHeadersComplete declares the header is complete.

Passing an empty mime type, the parser fail to decode the "Content-Type" header raising a fatalError, stopping the execution and causing a server crash.

0xTim commented 3 years ago

Moving to here to track it

siemensikkema commented 3 years ago

@sderiu Could you please check again with the latest version? (4.0.1)