Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

The methodOverride middleware should also look for _method in req.query #169

Closed
papandreou opened this Issue · 10 comments

6 participants

@papandreou

I would like to route certain POST multipart/form-data file uploads to a PUT handler in my Express app. Since bodyDecoder doesn't (and shouldn't) populate req.body with the parameters in the incoming form, there's no way to tell the methodOverride middleware do its magic.

Since I cannot set the X-HTTP-Method-Override HTTP header either the only sane place to put the method in the query string. So in other words I want this to work:

POST /foo?_method=PUT

I know there would be severe security implications if a simple GET request could be translated into any other method, but maybe translating POST to anything else could be allowed?

Best regards,
Papandreou

@tj
Owner
tj commented

hmm yeah not sure. This is the great joy of async :) everything is a PITA

@papandreou

Yeah, but of all the flavors of pain in the world, this is the one we've chosen out of free will :)

This is the only real use I have for the methodOverride middleware, so I'd be terribly sad to not see it implemented... But I can continue to use my own poor man's version, of course.

@tj
Owner
tj commented

I dont personally really see it as much of a security issue, because you could easily fashion a hack with the other things methodOverride support, people should never really assume any request is trust worthy so I would probably be fine with this, might be good to have some more input

@creationix
Owner

Also keep in mind that connect and express are very modular and you can easily make a custom middleware for your specific use case.

@papandreou

@creationix: Yeah, that's what I've done, and it works great. I chose to file the ticket anyway because file uploads in browsers that don' t support http://www.w3.org/TR/FileAPI/ seemed like the only real use case for a method override middleware since it'll always be a POST request with Content-Type: multipart/form-data no matter what you do. In all other cases you have the option to use an XHR instead.

@visionmedia: I agree, nothing is to be trusted, but there's a big difference between how much work an attacker has to do to make someone's browser do a POST vs. a GET request, so at least you should think twice before generically allowing any GET request to rewrite itself to eg. DELETE. Would be unfortunate if I could make you delete your stuff by getting you to view a forum post with an inline image pointing to http://visionmedia.ca/stuff?_method=DELETE while you were logged in.

@tj
Owner
tj commented

haha yeah, well like you said, you would have to omit GETs

@tj
Owner
tj commented

closing

@nfriedly

BTW, I made up a standalone module to do this if anybody else finds the need: https://github.com/nfriedly/connect-method-override-get

@acornejo

I use this functionality too, would a pull request to implement this be accepted?

It could be added with an option to turn it off (and perhaps even have it off by default).

@jonathanong

Not something we'd want to advocate. Plus, @nfriedly already made a module for it.

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.