[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-25 Thread daserge
Github user daserge commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159676223
  
Created https://issues.apache.org/jira/browse/CB-10080 for the disk-cache 
issue.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

-
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-25 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/cordova-labs/pull/9



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread daserge
Github user daserge commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159510578
  
@dblotsky, @stevengill, @shazron - Can you please advise on how to handle 
this issue?
Should we switch to manual form parsing or to some lib supporting in-memory 
storing?
I'm also not sure how the security issues need to be tracked - should I create 
a Jira for this?



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159401871
  
Do you think we can have some tests for this file? It's tedious to test it 
manually with `curl`. :/



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on a diff in the pull request:

https://github.com/apache/cordova-labs/pull/9#discussion_r45791335
  
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'),
 port = process.env.PORT || 5000;
 stringify = require('json-stringify-safe');
 
+var DIRECT_UPLOAD_LIMIT = 32;
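
Review bot: the new constant `var DIRECT_UPLOAD_LIMIT = 32;` carries no unit in its name or in a comment, so a reader cannot tell whether it is bytes, kilobytes or a count of uploads; rename it `DIRECT_UPLOAD_LIMIT_BYTES` or add a one-line comment saying it is a byte cap and which test payload it was sized for. Wherever the limit is enforced, compare it against the bytes actually received on the request stream rather than against the Content-Length header alone, because a client can send more than it declares. A pre-existing slip in the same context lines is worth fixing while here: `port = process.env.PORT || 5000;` closes the `var` list with a semicolon, so the following `stringify = require('json-stringify-safe');` assigns an undeclared, implicit global.
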
--- End diff --

Please add that in a comment.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread daserge
Github user daserge commented on a diff in the pull request:

https://github.com/apache/cordova-labs/pull/9#discussion_r45791347
  
--- Diff: server.js ---
@@ -35,15 +37,34 @@ http.createServer(function (req, res) {
 res.writeHead(200, {'Content-Type': 'text/plain'});
 res.end("Hello!\n");
 } else if (req.url == '/upload' && (req.method.toLowerCase() == 'post' 
|| req.method.toLowerCase() == 'put')) {
-var form = new formidable.IncomingForm();
-form.parse(req, function(err, fields, files) {
-res.writeHead(200, {'content-type': 'text/plain'});
-console.log(stringify({fields: fields, files: files}));
+if(req.headers["content-type"].indexOf("multipart/form-data") === 
0) {
+console.log("multipart/form upload");
+var form = new formidable.IncomingForm();
+form.parse(req, function(err, fields, files) {
+res.writeHead(200, {'content-type': 'text/plain'});
+console.log(stringify({fields: fields, files: files}));
+
+res.write(stringify({fields: fields, files: files}));
+console.log
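
Review bot: the new branch condition `req.headers["content-type"].indexOf("multipart/form-data") === 0` throws a TypeError when a request carries no Content-Type header (the header value is then `undefined`), and an uncaught exception inside the `http.createServer` callback takes the whole process down, so a single header-less POST to /upload kills the test server. Read the header defensively, e.g. `var contentType = req.headers['content-type'] || '';`, and branch on that value. Within the same hunk, `stringify({fields: fields, files: files})` is evaluated twice, once for `console.log` and once for `res.write`; compute it once. The trailing bare `console.log` is a reference to the function rather than a call and does nothing; drop it. Note also that the multipart branch keeps `new formidable.IncomingForm()` with default settings, which is the code path that spools uploaded parts to a temporary directory, the on-disk behaviour objected to elsewhere in this thread.
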
--- End diff --

Thanks, I will remove it. It was there before though, but it makes no sense.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on a diff in the pull request:

https://github.com/apache/cordova-labs/pull/9#discussion_r45791371
  
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'),
 port = process.env.PORT || 5000;
 stringify = require('json-stringify-safe');
 
+var DIRECT_UPLOAD_LIMIT = 32;
--- End diff --

I.E. The fact that it's bytes.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159403068
  
The `formidable` package writes `multipart-form` files to a temporary file 
on disk. This is a **huge** security problem.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159402244
  
Also... hold on... this server actually writes the files to disk. It should 
*not* do that.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159411134
  
Please rewrite the form code so that nothing gets written to disk.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread daserge
Github user daserge commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159402700
  
I usually test it locally or with Heroku along with 
cordova-plugin-test-framework and the plugin auto tests.
What do you mean by writing to disk? Can you please point to the 
corresponding code?



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on a diff in the pull request:

https://github.com/apache/cordova-labs/pull/9#discussion_r45790663
  
--- Diff: server.js ---
@@ -35,15 +37,34 @@ http.createServer(function (req, res) {
 res.writeHead(200, {'Content-Type': 'text/plain'});
 res.end("Hello!\n");
 } else if (req.url == '/upload' && (req.method.toLowerCase() == 'post' 
|| req.method.toLowerCase() == 'put')) {
-var form = new formidable.IncomingForm();
-form.parse(req, function(err, fields, files) {
-res.writeHead(200, {'content-type': 'text/plain'});
-console.log(stringify({fields: fields, files: files}));
+if(req.headers["content-type"].indexOf("multipart/form-data") === 
0) {
+console.log("multipart/form upload");
+var form = new formidable.IncomingForm();
+form.parse(req, function(err, fields, files) {
+res.writeHead(200, {'content-type': 'text/plain'});
+console.log(stringify({fields: fields, files: files}));
+
+res.write(stringify({fields: fields, files: files}));
+console.log
--- End diff --

Empty `console.log` here, is it intentional?



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on a diff in the pull request:

https://github.com/apache/cordova-labs/pull/9#discussion_r45790741
  
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'),
 port = process.env.PORT || 5000;
 stringify = require('json-stringify-safe');
 
+var DIRECT_UPLOAD_LIMIT = 32;
--- End diff --

What are the units for this?



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread daserge
Github user daserge commented on a diff in the pull request:

https://github.com/apache/cordova-labs/pull/9#discussion_r45791254
  
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'),
 port = process.env.PORT || 5000;
 stringify = require('json-stringify-safe');
 
+var DIRECT_UPLOAD_LIMIT = 32;
--- End diff --

It's bytes; this corresponds to the test: 
https://github.com/apache/cordova-plugin-file-transfer/pull/117/files#diff-2a8a5fef3397df87ab538f028a5c6b50R955
 and the contents: 
https://github.com/apache/cordova-plugin-file-transfer/blob/9e93bad83c9e980cb593dc057fe8af40f35652f1/tests/tests.js#L710,
 which will be 17 bytes.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread daserge
GitHub user daserge opened a pull request:

https://github.com/apache/cordova-labs/pull/9

CB-9563 Multipart form data is used even if a header named Content-Type is present

Adds direct upload endpoint

[Jira issue](https://issues.apache.org/jira/browse/CB-9563)

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/daserge/cordova-labs cordova-filetransfer

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/cordova-labs/pull/9.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #9


commit 31aaad447ac7a42558b25898cbcf02636e9f750a
Author: daserge 
Date:   2015-11-24T12:02:04Z

CB-9563 Multipart form data is used even if a header named Content-Type is present

Adds direct upload endpoint





[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread daserge
Github user daserge commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159399788
  
@dblotsky, updated.



[GitHub] cordova-labs pull request: CB-9563 Multipart form data is used ev...

2015-11-24 Thread dblotsky
Github user dblotsky commented on the pull request:

https://github.com/apache/cordova-labs/pull/9#issuecomment-159524926
  
We were only running this on one machine, and we took that machine down and 
requested for it to be rebuilt, so no worries. As for the change, we should 
either look into configuring Formidable not to write to disk, or into using 
another library. Manual parsing would be the least favourable option.

