Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

\u2028 in filename kills header parsing

See original GitHub issue

Support plan

which support plan is this issue covered by? (e.g. Community, Sponsor, or Enterprise): community
is this issue currently blocking your project? (yes/no): no
is this issue affecting a production system? (yes/no): yes

Context

node version: v12.18.3
module (formidable) version: 1.2.2, 2.0.0-canary.20200402.2
environment (e.g. node, browser, native, OS): node
used with (i.e. popular names of modules): none
any other relevant information:

What are you trying to achieve or the steps to reproduce?

Some user-agents seem to allow sending filenames with the infamous \u2028 LINE SEPARATOR. It seems that the header parser dies with Request aborted on such filenames, since the character is parsed as a line feed. The value passed to _getFileName is cut at the \u2028.

I tried to modify test/fixture/js/special-chars-in-filename.js and *.http files to add a test but ran out of time. To test, try copy-pasting a literal \u2028 (not the string but the actual character) to one of the *.http files.

What was the result you got?

The header parser dies with Request aborted.

What result did you expect?

The filename is reported even if it contains \u2028.

Issue Analytics

State:
Created 3 years ago
Reactions:1
Comments:6 (4 by maintainers)

Top GitHub Comments

2reactions

tuomassalocommented, Jan 23, 2021

At least on macos, one can create a file with this char in the name with e.g.:

echo foo > $(perl -C -wle 'print "foo\x{2028}bar.txt"')

Checking:

ls | hexdump -C
00000000  66 6f 6f e2 80 a8 62 61  72 2e 74 78 74 0a        |foo...bar.txt.|
0000000e

NB: e2 80 a8 is the UTF-8 representation of \u2028.

2reactions

tuomassalocommented, Jan 23, 2021

@GrosSacASac, well - I didn’t, but I noticed the character in some legitimate files uploaded by a client. I noticed them since I used this library to migrate a big number of files from a legacy system. This legacy system had saved the upload filenames, so I believe at least some clients (OS/browser combinations) might be able to produce such stuff.

Unfortunately, I think they were uploaded about two years ago, so I didn’t have detailed logs about e.g. user-agent.

So, quite an edge case.

Top Results From Across the Web

NodeJS - gists · GitHub

This file contains bidirectional Unicode text that may be ... as defaulting the X-Powered-By header field. ... Parse Range header field,.

node-formidable - Bountysource

A node.js module for parsing form data, especially file uploads. ... file renaming or provide the callback to customize file names generation behaviour....

Soroush Dalili 🗹 on Twitter: "From now until Christmas, I will ...

Trailer headers in HTTP 1/2: - Additional header in the body of a HTTP request - Come with `Transfer-Encoding: chunked` after the last...

13 coffeescript snippets | HeyRod.com

Snippets are tiny notes I've collected for easy reference. Launching an SSL (HTTPS) Server in Node.js. JavaScript: var ...

Axway SecureTransport 5.4 Release Notes

Custom HTTP headers can be configured for reporting to the ICAP server. ... external parsers, when the name of a transferred file contains ......