Proper header production by ekkis · Pull Request #357 · form-data/form-data

ekkis · 2017-06-16T00:30:59Z

the existing code uses a for loop to iterate through headers but does
not check that the values are actually properties, therefore it picks
up methods. these methods can appear as they are defined within the
Object.prototype and including them in the headers breaks requests as
the stringified methods likely contain carriage returns, which breaks
the request due to malformation of the header

in general, it is better to use Object.keys(headers).forEach() but I
didn’t want to change the style of the code so a call to
.hasOwnProperty() solves the problem

the existing code uses a for loop to iterate through headers but does not check that the values are actually properties, therefore it picks up methods. these methods can appear as they are defined within the Object.prototype and including them in the headers breaks requests as the stringified methods likely contain carriage returns, which breaks the request due to malformation of the header in general, it is better to use Object.keys(headers).forEach() but I didn’t want to change the style of the code so a call to .hasOwnProperty() solves the problem

coveralls · 2017-06-16T00:39:41Z

Coverage increased (+0.01%) to 97.99% when pulling 8ff849c on ekkis:master into 3eabb17 on form-data:master.

ekkis · 2017-06-16T01:08:36Z

as added documentation, submitting a malformed header breaks the server like this:

/usr/src/app/node_modules/dicer/lib/HeaderParser.js:101
            this.header[h].push(m[2]);                                          
                           ^
                                                                                
TypeError: this.header[h].push is not a function
    at HeaderParser._parseHeader (/usr/src/app/node_modules/dicer/lib/HeaderParser.js:101:28)
    at HeaderParser._finish (/usr/src/app/node_modules/dicer/lib/HeaderParser.js:61:10)     
    at SBMH.<anonymous> (/usr/src/app/node_modules/dicer/lib/HeaderParser.js:41:12)         
    at emitMany (events.js:127:13)                                              
    at SBMH.emit (events.js:204:7)
    at SBMH._sbmh_feed (/usr/src/app/node_modules/streamsearch/lib/sbmh.js:159:14)          
    at SBMH.push (/usr/src/app/node_modules/streamsearch/lib/sbmh.js:56:14)     
    at HeaderParser.push (/usr/src/app/node_modules/dicer/lib/HeaderParser.js:47:19)                                                                            
    at Dicer._oninfo (/usr/src/app/node_modules/dicer/lib/Dicer.js:197:25)
    at SBMH.<anonymous> (/usr/src/app/node_modules/dicer/lib/Dicer.js:127:10)   
    at emitMany (events.js:127:13)
    at SBMH.emit (events.js:204:7)                                              
    at SBMH._sbmh_feed (/usr/src/app/node_modules/streamsearch/lib/sbmh.js:159:14)                                                                              
    at SBMH.push (/usr/src/app/node_modules/streamsearch/lib/sbmh.js:56:14)
    at Dicer._write (/usr/src/app/node_modules/dicer/lib/Dicer.js:109:17)       
    at doWrite (_stream_writable.js:329:12)

alexindigo · 2017-06-16T01:17:03Z

Looks good. Thanks for the fix.

alexindigo · 2017-06-16T01:17:31Z

Will publish updated version later tonight.

ekkis · 2017-06-16T01:56:11Z

I didn't review the entire codebase but you might want to look for similar uses of the for loop

alexindigo · 2017-06-16T02:00:02Z

Ok, I will check for more. Thanks.

alexindigo merged commit 2cd7226 into form-data:master Jun 16, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Proper header production#357

Proper header production#357
alexindigo merged 1 commit intoform-data:masterfrom
ekkis:master

ekkis commented Jun 16, 2017

Uh oh!

coveralls commented Jun 16, 2017 •

edited

Loading

Uh oh!

ekkis commented Jun 16, 2017

Uh oh!

alexindigo commented Jun 16, 2017

Uh oh!

alexindigo commented Jun 16, 2017

Uh oh!

ekkis commented Jun 16, 2017

Uh oh!

alexindigo commented Jun 16, 2017

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

ekkis commented Jun 16, 2017

Uh oh!

coveralls commented Jun 16, 2017 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ekkis commented Jun 16, 2017

Uh oh!

alexindigo commented Jun 16, 2017

Uh oh!

alexindigo commented Jun 16, 2017

Uh oh!

ekkis commented Jun 16, 2017

Uh oh!

alexindigo commented Jun 16, 2017

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

coveralls commented Jun 16, 2017 •

edited

Loading