We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
go version
$ go version go version go1.20 linux/amd64
Yes.
go env
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/home/[redacted]/.cache/go-build" GOENV="/home/[redacted]/.config/go/env" GOEXE="" GOEXPERIMENT="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/home/[redacted]/go/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="linux" GOPATH="/home/[redacted]/go" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/usr/local/go" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64" GOVCS="" GOVERSION="go1.20" GCCGO="gccgo" GOAMD64="v1" AR="ar" CC="gcc" CXX="g++" CGO_ENABLED="1" GOMOD="/dev/null" GOWORK="" CGO_CFLAGS="-O2 -g" CGO_CPPFLAGS="" CGO_CXXFLAGS="-O2 -g" CGO_FFLAGS="-O2 -g" CGO_LDFLAGS="-O2 -g" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3274595099=/tmp/go-build -gno-record-gcc-switches"
Following this issue: #40430 and this commit: 5246fa5
The issue still occurs if the part filename is empty. No error is returned, the part is added to the form with a length of 0.
// mime/multipart/formdata.go#L68 if filename == "" { // value, store as string in memory n, err := io.CopyN(&b, p, maxValueBytes+1) // Overflow here //... }
Current workaround is to pass math.MaxInt64 - 1 as the maxMemory parameter.
math.MaxInt64 - 1
maxMemory
Demo: https://go.dev/play/p/-GM_8eG1ylb
I would expect the file to be read correctly.
The operation failed silently and the file was added to the form with a size of 0 byte.
The text was updated successfully, but these errors were encountered:
feel free to send a fix
cc @neild @minux
Sorry, something went wrong.
Change https://go.dev/cl/467557 mentions this issue: mime/multipart: fix Reader.ReadForm overflow when passed math.MaxInt64 as the parameter
mime/multipart: fix Reader.ReadForm overflow when passed math.MaxInt64 as the parameter
Change https://go.dev/cl/467615 mentions this issue: mime/multipart: fix maxMemory param overflow
mime/multipart: fix maxMemory param overflow
d61ae9d
No branches or pull requests
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
Following this issue: #40430 and this commit: 5246fa5
The issue still occurs if the part filename is empty. No error is returned, the part is added to the form with a length of 0.
Current workaround is to pass
math.MaxInt64 - 1
as themaxMemory
parameter.Demo: https://go.dev/play/p/-GM_8eG1ylb
What did you expect to see?
I would expect the file to be read correctly.
What did you see instead?
The operation failed silently and the file was added to the form with a size of 0 byte.
The text was updated successfully, but these errors were encountered: