Description
A multipart request without a 'name' attribute will produce an error and result in a crash of multer.
Here is an example of such a multipart request (every line break is a CRLF):
```
POST / HTTP/1.1
Host: localhost
content-type:multipart/form-data;boundary=abcde
Content-Length: 69

--abcde
Content-Disposition: form-data; nam="a"

data
--abcde-
```
Busboy will not detect the field name and will return:
```
fieldname = undefined
val = data
```
The crash occurs when multer calls append-field, as it will try to access the length property of 'fieldname'.
Here is the stacktrace:
```
/home/user/node_modules/append-field/lib/parse-path.js:13
  var len = key.length
                ^

TypeError: Cannot read property 'length' of undefined
    at parsePath (/home/user/node_modules/append-field/lib/parse-path.js:13:17)
    at appendField (/home/user/node_modules/append-field/index.js:5:15)
    at Busboy.<anonymous> (/home/user/node_modules/multer/lib/make-middleware.js:93:7)
    at Busboy.emit (events.js:159:13)
    at Busboy.emit (/home/user/node_modules/busboy/lib/main.js:38:33)
    at PartStream.onEnd (/home/user/node_modules/busboy/lib/types/multipart.js:261:15)
    at PartStream.emit (events.js:164:20)
    at endReadableNT (_stream_readable.js:1062:12)
    at process._tickCallback (internal/process/next_tick.js:152:19)
```
It seems to me that this issue can be fixed by adding a check at line 91 in make-middleware.js. We check that the fieldname is not empty.
```
if (!fieldname) return abortWithCode('NO_NAME_ATTRIBUTE')
```
This way, we will return a 500 instead of crashing.
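The failure and the proposed guard, reproduced in isolation as an added example (not code from multer, busboy or append-field). All function names are hypothetical stand-ins, the header parser is a simplification, and the sample headers are constructed from the request in the report.

```javascript
// Hypothetical stand-ins for illustration; not busboy, multer or append-field code.

// Parse the parameters of a Content-Disposition header value into a map.
// Simplification: assumes no ';' inside quoted parameter values.
function parseDispositionParams(headerValue) {
  const params = {};
  for (const part of headerValue.split(';').slice(1)) {
    const m = /^\s*([^=\s]+)\s*=\s*(?:"([^"]*)"|([^\s;]*))\s*$/.exec(part);
    if (m) params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// Mimics the failing access from the stack trace: reads key.length unguarded.
function appendFieldUnsafe(store, key, value) {
  const len = key.length; // throws TypeError when key is undefined
  if (len === 0) return;
  store[key] = value;
}

// Field handler with the guard proposed in the issue: a part with no field
// name is rejected with an error code instead of reaching the unguarded access.
function onField(store, fieldname, value) {
  if (!fieldname) return { ok: false, code: 'NO_NAME_ATTRIBUTE' };
  appendFieldUnsafe(store, fieldname, value);
  return { ok: true };
}

// Constructed samples: the part header from the report, and a valid one.
const malformed = 'form-data; nam="a"';
const wellFormed = 'form-data; name="a"';

// Resolve the field name from the part header, then hand it to the handler.
function processPart(store, dispositionHeader, body) {
  const fieldname = parseDispositionParams(dispositionHeader).name;
  return onField(store, fieldname, body);
}

const store = {};
console.log(processPart(store, malformed, 'data'));
console.log(processPart(store, wellFormed, 'data'), store);
```

The guard uses a falsy check, so an empty `name=""` is rejected along with a missing attribute.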