Update mime to a version without a security vulnerability #212

dotnetCarpenter opened this issue Dec 16, 2017 · 13 comments

@dotnetCarpenter
Collaborator

I stumbled on this: https://david-dm.org/jfhbrook/node-ecstatic while looking at https://github.com/jfhbrook/node-ecstatic/blob/master/CONTRIBUTING.md#a-few-other-minor-guidelines

That seems pretty bad since it's not a dev dep and we have many hooks to set custom mime types, which someone might set from an entrusted source.

@jfhbrook
Owner

jfhbrook commented Dec 16, 2017

oh wow.

questions:

  • what version of mime are we on now? (v1, we need to be on v2)
  • what are the breaking changes between versions? (loss of es5 support though we lost that a while ago anyway; the loss of ability to load() config files)

@jfhbrook
Owner

jfhbrook commented Dec 16, 2017

shit, this means we have to solve #66 yeah?

also related: #168

@jfhbrook
Owner

I guess we can do the upgrade, major semver ourselves, and kick the can on how we can make mime truly pluggable since I don't think anyone has actually tackled that problem yet

@dotnetCarpenter
Collaborator Author

Yes, there is a breaking change. If I update and run node_modules/.bin/tap test/mime.js I get a lot of errors.

  1. not ok mime.lookup is not a function
  2. custom definition of mime-type with the mime package
    not ok Attempt to change mapping for "opml" extension from "text/x-opml" to "application/xml". Pass force=true to allow this, otherwise remove "opml" from the list of extensions for "application/xml".
  3. not ok mime.load is not a function

@dotnetCarpenter
Collaborator Author

@jfhbrook heh I thought I fixed #66 in #143 one and a half years ago ;)
I'm sorry but I really don't have time at the moment. I use ecstatic every day but am behind on a project that needs to be wrapped up ASAP. I just needed the log, so I did it. But I hope to have time next year to give ecstatic some ❤️

@dotnetCarpenter
Collaborator Author

There was an idea about using mime-magic. Is that module out?

@jfhbrook
Owner

yeah I was thinking about that! I don't remember why I didn't like the idea at the time. Maybe I was worried about cross-platform support? That seems squared with them shipping the windows binary. We already have to do a major change, so that's not an issue either

@dotnetCarpenter
Collaborator Author

Do we need a coding date in January to refactor mime types, middleware and make ecstatic SPA friendly?

@jfhbrook
Owner

ahaha oh man, yeah maybe

@dotnetCarpenter
Collaborator Author

hehe... I'll be up for a weekend hackathon or something like that if life doesn't get in the way.

@jfhbrook
Owner

yeah, gotcha.

I did some digging, looks like this mighta gotten patched in v1? https://github.com/broofa/node-mime/releases

@jfhbrook
Owner

hell yeah he backported the fix

I'll have a release for this out today!

@jfhbrook
Owner

2eb212d and published in 3.1.1.

Thanks for lookin' out!
