Fix out-of-band error event from busboy

[max-mathieu]

Fixes #1176

[MelleB]

I'm experiencing this as well. Can someone review this?

Tests which actually trigger this behavior are missing from this PR.

[nerder]

Any chance this will be merged any time soon?

[nandorcsupor-met]

Any chance this will be merged any time soon?

Yep we desparately need this. Only solution is to downgrade the package.

[podplatnikm]

Bump, any update?

[raymond-tyr]

Any update on this?
I've validated this approach during testing and it works

[CodeFoxLk]

any update?

[IamLizu]

Perhaps the feature branch requires a rebase or it least the test commands needs to be updated to,

standard && mocha --reporter spec --bail --exit --check-leaks test/

I have noticed that more test fails if its just kept to standard && mocha.

And just ran the test after changing the test command, still 2 test fails. One of them looks like this,

  1) Disk Storage should process parser/form-data POST request:

      Uncaught AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:

1803 !== 1778

      + expected - actual

      -1803
      +1778

      at test\disk-storage.js:45:14
      at test\_util.js:26:7
      at done (lib\make-middleware.js:47:7)
      at indicateDone (lib\make-middleware.js:51:68)
      at lib\make-middleware.js:157:11
      at WriteStream.<anonymous> (storage\disk.js:43:9)
      at WriteStream.emit (node:events:526:35)
      at finish (node:internal/streams/writable:937:10)
      at node:internal/streams/writable:918:13
      at process.processTicksAndRejections (node:internal/process/task_queues:82:21)

I am not posting the 2nd one because it says "operation not permitted", thats mostly because I am on personal PC, windows right now and I don't want to mess it up lol. I will run the test from a different PC tomorrow.

[max-mathieu]

@IamLizu I branched off lts -- should I rebase to master? I ran this branch tests and they passed. I also merged master in and ran tests with standard && mocha --reporter spec --bail --exit --check-leaks test/ and they also all passed

Since this issue allows an attacker to craft a malformed request and take down any express app that uses multer, should that be a CVE? That's one reason why I branched off lts since no releases have been made since 1.4.5-lts.1

[RudyLang]

I agree with @max-mathieu that this should be labelled as a CVE, and that this solution needs to be merged sooner than later.
@UlisesGascon Just tagging you because you appear to be the most current and active approver.

[Ben-Lawrencee]

This would be greatly appreciated. Please merge soon! 🙏

[LinusU]

Sorry for the way too long delay here!

tests added here: 4ce82b0
changelog added here: 502c03d
tagged a new release: 8ec534f

And published to npm 🚀

https://www.npmjs.com/package/multer/v/1.4.5-lts.2

[mhassan1]

This fix doesn't handle the case where two error events are emitted by busboy; see #1296.