Merge pull request #1789 from galaxian85/bugfix/invalid-filename-caus…

…e-crash FIX: server crash when filename too long
hackmdio · Jan 13, 2023 · 19f494d · 19f494d
2 parents 30fe18d + 1ab2a36
commit 19f494d
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 13 deletions.
diff --git a/lib/imageRouter/index.js b/lib/imageRouter/index.js
@@ -16,13 +16,18 @@ const response = require('../response')
 const imageRouter = module.exports = Router()
 
 function checkImageValid (filepath) {
-  const buffer = readChunk.sync(filepath, 0, 12)
-  /** @type {{ ext: string, mime: string } | null} */
-  const mimetypeFromBuf = imageType(buffer)
-  const mimeTypeFromExt = mime.lookup(path.extname(filepath))
+  try {
+    const buffer = readChunk.sync(filepath, 0, 12)
+    /** @type {{ ext: string, mime: string } | null} */
+    const mimetypeFromBuf = imageType(buffer)
+    const mimeTypeFromExt = mime.lookup(path.extname(filepath))
 
-  return mimetypeFromBuf && config.allowedUploadMimeTypes.includes(mimetypeFromBuf.mime) &&
-         mimeTypeFromExt && config.allowedUploadMimeTypes.includes(mimeTypeFromExt)
+    return mimetypeFromBuf && config.allowedUploadMimeTypes.includes(mimetypeFromBuf.mime) &&
+          mimeTypeFromExt && config.allowedUploadMimeTypes.includes(mimeTypeFromExt)
+  } catch (err) {
+    logger.error(err)
+    return false
+  }
 }
 
 // upload image

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -54,7 +54,7 @@
     "ejs": "~2.6.2",
     "express": "~4.17.1",
     "express-session": "~1.16.2",
-    "formidable": "~1.2.1",
+    "formidable": "^2.1.1",
     "helmet": "~3.20.0",
     "https-proxy-agent": "^3.0.1",
     "i18n": "~0.8.3",