[GitHub] cordova-labs pull request: CB-9563 Mulptipart form data is used ev...
Github user daserge commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159676223 Created https://issues.apache.org/jira/browse/CB-10080 for the disk-cache issue. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. --- - To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org For additional commands, e-mail: dev-h...@cordova.apache.org
Github user asfgit closed the pull request at: https://github.com/apache/cordova-labs/pull/9
Github user dblotsky commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159524926 We were only running this on one machine, and we took that machine down and requested for it to be rebuilt, so no worries. As for the change, we should either look into configuring Formidable not to write to disk, or into using another library. Manual parsing would be the least favourable option.
Github user daserge commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159510578 @dblotsky, @stevengill, @shazron - Can you please advise on how to handle this issue? Should we switch to manual form parsing or to some lib supporting in-memory storing? I'm also not sure how the security issues need to be tracked - should I create a Jira for this?
Github user dblotsky commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159411134 Please rewrite the form code so that nothing gets written to disk.
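What "nothing gets written to disk" can look like for a multipart upload, as an added example that is not part of the pull request or of cordova-labs: the request body is collected in RAM under a byte cap and split into parts as Buffers, with no temporary file involved. `MAX_BODY_BYTES` and the function names are assumptions; the parser expects a fully buffered body and quoted `name`/`filename` parameters.

```javascript
// Added example, not cordova-labs code; MAX_BODY_BYTES and every function
// name here are assumptions made for this sketch.
const MAX_BODY_BYTES = 64 * 1024; // cap on the whole request body, in bytes

// Collects request chunks in RAM and refuses to grow past limitBytes.
function makeCollector(limitBytes) {
  const chunks = [];
  let total = 0;
  return {
    push(chunk) {
      if (total + chunk.length > limitBytes) throw new RangeError('body too large');
      total += chunk.length;
      chunks.push(chunk);
    },
    body() { return Buffer.concat(chunks, total); }
  };
}

// Boundary from a Content-Type header; null if the header is absent or not multipart.
function boundaryOf(contentType) {
  const re = /^multipart\/form-data\b.*?\bboundary=(?:"([^"]+)"|([^;\s]+))/i;
  const m = re.exec(contentType || '');
  return m ? (m[1] || m[2]) : null;
}

// Splits a fully buffered body into { name, filename, data } parts (data is a Buffer).
function parseMultipart(body, boundary) {
  const delim = Buffer.from('\r\n--' + boundary);
  const buf = Buffer.concat([Buffer.from('\r\n'), body]); // first delimiter has no CRLF
  const parts = [];
  let pos = buf.indexOf(delim);
  while (pos !== -1) {
    const start = pos + delim.length;
    if (buf.toString('latin1', start, start + 2) === '--') break; // closing delimiter
    const next = buf.indexOf(delim, start);
    const headerEnd = buf.indexOf('\r\n\r\n', start);
    if (next === -1 || headerEnd === -1 || headerEnd > next) {
      throw new Error('malformed or truncated multipart body');
    }
    const headers = buf.toString('latin1', start + 2, headerEnd);
    const name = /\bname="([^"]*)"/i.exec(headers);
    const filename = /\bfilename="([^"]*)"/i.exec(headers);
    parts.push({ name: name && name[1], filename: filename && filename[1],
                 data: buf.subarray(headerEnd + 4, next) });
    pos = next;
  }
  return parts;
}
```

In an `http` handler, feed each `data` chunk to `push`, answer 413 and destroy the request when it throws, and call `parseMultipart(collector.body(), boundary)` on `end`.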
Github user dblotsky commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159403068 The `formidable` package writes `multipart-form` files to a temporary file on disk. This is a **huge** security problem.
Github user daserge commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159402700 I usually test it locally or with Heroku along with cordova-plugin-test-framework and the plugin auto tests. What do you mean by writing to disk? Can you please point to the corresponding code?
Github user dblotsky commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159402244 Also... hold on... this server actually writes the files to disk. It should *not* do that.
Github user dblotsky commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159401871 Do you think we can have some tests for this file? It's tedious to test it manually with `curl`. :/
Github user daserge commented on the pull request: https://github.com/apache/cordova-labs/pull/9#issuecomment-159399788 @dblotsky, updated.
Github user dblotsky commented on a diff in the pull request: https://github.com/apache/cordova-labs/pull/9#discussion_r45791371
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'), port = process.env.PORT || 5000; stringify = require('json-stringify-safe'); +var DIRECT_UPLOAD_LIMIT = 32;
--- End diff --
I.E. The fact that it's bytes.
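Review bot: In the declarations just above the added `var DIRECT_UPLOAD_LIMIT = 32;`, the context line `port = process.env.PORT || 5000;` ends with a semicolon, which closes the `var` statement, so `stringify = require('json-stringify-safe');` is an assignment to an implicit global rather than a declared variable. Since this hunk already touches the declarations, change that `;` to `,` or give `stringify` its own `var`. For the new constant, carrying the unit in the name as well as in a comment would make it visible wherever the limit is compared.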
Github user daserge commented on a diff in the pull request: https://github.com/apache/cordova-labs/pull/9#discussion_r45791347
--- Diff: server.js ---
@@ -35,15 +37,34 @@ http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/plain'}); res.end("Hello!\n"); } else if (req.url == '/upload' && (req.method.toLowerCase() == 'post' || req.method.toLowerCase() == 'put')) { -var form = new formidable.IncomingForm(); -form.parse(req, function(err, fields, files) { -res.writeHead(200, {'content-type': 'text/plain'}); -console.log(stringify({fields: fields, files: files})); +if(req.headers["content-type"].indexOf("multipart/form-data") === 0) { +console.log("multipart/form upload"); +var form = new formidable.IncomingForm(); +form.parse(req, function(err, fields, files) { +res.writeHead(200, {'content-type': 'text/plain'}); +console.log(stringify({fields: fields, files: files})); + +res.write(stringify({fields: fields, files: files})); +console.log
--- End diff --
Thanks, I will remove it. It was there before though, but it makes no sense.
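Review bot: The new condition `req.headers["content-type"].indexOf("multipart/form-data") === 0` dereferences the header without checking that it exists, so a POST or PUT to `/upload` that carries no Content-Type header throws a TypeError inside the request handler. Read the header into a local, treat a missing value as non-multipart, and lower-case it before comparing, since the media type is case-insensitive. In the same block the `err` argument of `form.parse` is never checked before `fields` and `files` are logged and written back, so a failed parse is still answered with a 200.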
Github user dblotsky commented on a diff in the pull request: https://github.com/apache/cordova-labs/pull/9#discussion_r45791335
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'), port = process.env.PORT || 5000; stringify = require('json-stringify-safe'); +var DIRECT_UPLOAD_LIMIT = 32;
--- End diff --
Please add that in a comment.
Github user daserge commented on a diff in the pull request: https://github.com/apache/cordova-labs/pull/9#discussion_r45791254
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'), port = process.env.PORT || 5000; stringify = require('json-stringify-safe'); +var DIRECT_UPLOAD_LIMIT = 32;
--- End diff --
It's bytes; this corresponds to the test: https://github.com/apache/cordova-plugin-file-transfer/pull/117/files#diff-2a8a5fef3397df87ab538f028a5c6b50R955 and the contents: https://github.com/apache/cordova-plugin-file-transfer/blob/9e93bad83c9e980cb593dc057fe8af40f35652f1/tests/tests.js#L710, which will be 17 bytes.
Github user dblotsky commented on a diff in the pull request: https://github.com/apache/cordova-labs/pull/9#discussion_r45790741
--- Diff: server.js ---
@@ -4,6 +4,8 @@ var formidable = require('formidable'), port = process.env.PORT || 5000; stringify = require('json-stringify-safe'); +var DIRECT_UPLOAD_LIMIT = 32;
--- End diff --
What are the units for this?
Github user dblotsky commented on a diff in the pull request: https://github.com/apache/cordova-labs/pull/9#discussion_r45790663
--- Diff: server.js ---
@@ -35,15 +37,34 @@ http.createServer(function (req, res) { res.writeHead(200, {'Content-Type': 'text/plain'}); res.end("Hello!\n"); } else if (req.url == '/upload' && (req.method.toLowerCase() == 'post' || req.method.toLowerCase() == 'put')) { -var form = new formidable.IncomingForm(); -form.parse(req, function(err, fields, files) { -res.writeHead(200, {'content-type': 'text/plain'}); -console.log(stringify({fields: fields, files: files})); +if(req.headers["content-type"].indexOf("multipart/form-data") === 0) { +console.log("multipart/form upload"); +var form = new formidable.IncomingForm(); +form.parse(req, function(err, fields, files) { +res.writeHead(200, {'content-type': 'text/plain'}); +console.log(stringify({fields: fields, files: files})); + +res.write(stringify({fields: fields, files: files})); +console.log
--- End diff --
Empty `console.log` here, is it intentional?
GitHub user daserge opened a pull request: https://github.com/apache/cordova-labs/pull/9

CB-9563 Mulptipart form data is used even a header named Content-Type… … is present

Adds direct upload endpoint

[Jira issue](https://issues.apache.org/jira/browse/CB-9563)

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/daserge/cordova-labs cordova-filetransfer

Alternatively you can review and apply these changes as the patch at: https://github.com/apache/cordova-labs/pull/9.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #9

commit 31aaad447ac7a42558b25898cbcf02636e9f750a
Author: daserge
Date: 2015-11-24T12:02:04Z

    CB-9563 Mulptipart form data is used even a header named Content-Type is present

    Adds direct upload endpoint