Bug Report: Formidable incorrectly attempts to parse JSON when boundary contains "json" substring
Version: formidable@^3.5.2
Environment: Node.js server
Description:
When the multipart boundary string contains the substring "json" (case-insensitive? - tested with "JsonTestBoundary"), Formidable incorrectly attempts to parse the incoming request body as JSON instead of handling it as multipart/form-data.
Steps to Reproduce:
-
Server code:
new Formidable.IncomingForm().parse(req, (err, fields, files) => { if (err) { send(res, form data error: ${err}); return; } });
-
Client request (curl):
curl -X POST http://server:3000/body/form/fields -H "Content-Type: multipart/form-data; boundary=----JsonTestBoundary" -d "------JsonTestBoundary\r\nContent-Disposition: form-data; name="arg1"\r\n\r\ntest value\r\n------JsonTestBoundary--\r\n"
Expected Behavior:
The request should be parsed as multipart/form-data successfully, extracting field arg1 with value test value.
Actual Behavior:
Formidable throws a JSON parsing error:
form data error: SyntaxError: Unexpected number in JSON at position 1
Root Cause Analysis:
The boundary string contains the word "json", which appears to trigger Formidable's automatic JSON parsing logic. When "json" is detected anywhere in the boundary, Formidable incorrectly treats the entire request body as JSON rather than respecting the Content-Type: multipart/form-data header.
Workaround:
Avoid using the word "json" in boundary strings. The following boundaries work correctly:
- ----TestBoundary
- ----MultipartBoundary
- ----AnyBoundaryWithoutJson
Suggested Fix:
Formidable should never attempt to parse request body as JSON when Content-Type header is explicitly set to multipart/form-data. The boundary string content should not influence the parsing strategy.
Bug Report: Formidable incorrectly attempts to parse JSON when boundary contains "json" substring
Version: formidable@^3.5.2
Environment: Node.js server
Description:
When the multipart boundary string contains the substring "json" (case-insensitive? - tested with "JsonTestBoundary"), Formidable incorrectly attempts to parse the incoming request body as JSON instead of handling it as multipart/form-data.
Steps to Reproduce:
Server code:
new Formidable.IncomingForm().parse(req, (err, fields, files) => { if (err) { send(res, form data error: ${err}); return; } });
Client request (curl):
curl -X POST http://server:3000/body/form/fields -H "Content-Type: multipart/form-data; boundary=----JsonTestBoundary" -d "------JsonTestBoundary\r\nContent-Disposition: form-data; name="arg1"\r\n\r\ntest value\r\n------JsonTestBoundary--\r\n"
Expected Behavior:
The request should be parsed as multipart/form-data successfully, extracting field arg1 with value test value.
Actual Behavior:
Formidable throws a JSON parsing error:
form data error: SyntaxError: Unexpected number in JSON at position 1
Root Cause Analysis:
The boundary string contains the word "json", which appears to trigger Formidable's automatic JSON parsing logic. When "json" is detected anywhere in the boundary, Formidable incorrectly treats the entire request body as JSON rather than respecting the Content-Type: multipart/form-data header.
Workaround:
Avoid using the word "json" in boundary strings. The following boundaries work correctly:
Suggested Fix:
Formidable should never attempt to parse request body as JSON when Content-Type header is explicitly set to multipart/form-data. The boundary string content should not influence the parsing strategy.