Prevent NPE if multipart form is empty #13
No reviewers
Labels
No Label
break
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: go-chi/binding#13
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "zeripath/binding:prevent-panic-with-empty-multipart-form"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
In https://github.com/go-gitea/gitea/issues/19698 a fuzzer has passed an
empty multipart form which causes go-chi/binding to throw an NPE.
This PR simply protects against this by checking if the multipart form is nil
before trying to map it.
Signed-off-by: Andrew Thornton art27@cantab.net
@ -150,2 +150,4 @@
req.ParseForm()
}
if form == nil {
return append(errors, Validate(req, formStruct)...)
It looks good.
ps: if the
form, parseErr := multipartReader.ReadForm(MaxMemory)
gets error, the error should have been reported by line 146.Maybe the change code be:
-- OR --
Just return as early as
multipartReader.ReadForm
returns error. If the form is broken, it's not necessary to doreq.ParseForm()
for the broken form IMO.