Before 1.0.0 I was using the rename function heavily to rename files based on a dynamic fieldname. I do not see an easy way to go about doing this anymore, and with requiring a fieldname on the single() call, am I going to have to rethink the way I was handling dynamic fieldnames?
So there are basically two parts to this problem.
1) Renaming files based on fieldname
This is easily accomplished:
```js
var storage = multer.diskStorage({
  destination: '/tmp/uploads',
  filename: function (req, file, cb) {
    cb(null, file.fieldname)
  }
})
```
2) Allowing any fieldnames
This is a bit more complicated. We actively opted to not allow this as of now because of the security problems that arose with the previous behaviour. I'm afraid that allowing this will encourage bad behaviour. Not necessarily by us but I can easily see people asking others for help being told to use that functionality without understanding the ramifications of that.
The problem with accepting any fieldnames is that you as a user of this library must take extra care to actually process all the fields uploaded.
E.g.
```js
var upload = multer({ ... })
app.post('/upload-picture', upload, function (req, res, next) {
  req.files['pic'].forEach(function (file) {
    // Add the pictures to the user's photo album
  })
})
// A malicious user could now upload any files and stick them into the
// temporary directory by making a POST request with an unexpected fieldname.
//
// e.g. POST a huge file with the fieldname blah to /upload-picture
```
Would you mind explaining your use case so that we can discuss how this best could be resolved?
The entire form is dynamic and is generated in real-time depending on a _metadata_ schema defined by the end user. This results in the field names pulling from database and in some cases appends a "_X" (where X is a num) for multiple fields of the same type / name.
For example: One file upload could be for an avatar image with another being for a zip of resources tied to this object. I wouldn't know in the codebase what the end user has named these fields in the schema. In the past it didn't matter as much because Multer just accepted all fields and I would match the fields to the Schema after the post was complete.
I handled this in busboy before I started using Multer. It wasn't a very manageable solution so I went with Multer which really simplified the implementation.
Is the schema uploaded as well with the request? Is the schema saved on the server and then being transmitted to the client, who will then upload the files?
I guess what I'm asking is if there is any way to get ahold of the schema before the files should be processed? In that case you could use the schema to dynamically generate the multer middleware for every incoming request.
e.g.
```js
function dynamicSchema (req, res, next) {
  // get ahold of the schema somehow
  var schema = _
  // convert schema to list of { name: _, maxCount: _ }
  var fields = schemaToFields(schema)
  // pass it to multer
  upload.fields(fields)(req, res, next)
}
app.post('/upload', dynamicSchema, function (req, res) {
  // the files are in req.files
})
```
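One possible `schemaToFields` for the approach suggested above, as an added example that is not part of the thread or of multer: the schema shape (`name`, `type`, `count`), the name pattern and the field ceiling are assumptions. It goes beyond the sketch by refusing schema names that would be unsafe as on-disk filenames, since the first snippet uses `file.fieldname` as the filename.

```javascript
// Assumed schema shape (not from the thread): an array of
// { name, type, count } entries loaded server-side for the form being posted.
var SAFE_NAME = /^[A-Za-z0-9_-]{1,64}$/ // names may end up as filenames on disk
var MAX_FILE_FIELDS = 20                // hypothetical per-form ceiling

// Convert a schema to the list multer's fields() takes: [{ name, maxCount }].
// Entries with count > 1 expand to name_1 .. name_N, one file each.
function schemaToFields (schema) {
  var fields = []
  var seen = new Set()
  schema.forEach(function (entry) {
    if (entry.type !== 'file') return // text inputs are not file fields
    if (typeof entry.name !== 'string' || !SAFE_NAME.test(entry.name)) {
      throw new Error('unsafe field name in schema: ' + JSON.stringify(entry.name))
    }
    var count = entry.count === undefined ? 1 : entry.count
    if (!Number.isInteger(count) || count < 1) {
      throw new Error('invalid count for field ' + entry.name)
    }
    for (var i = 1; i <= count; i++) {
      var name = count === 1 ? entry.name : entry.name + '_' + i
      if (seen.has(name)) throw new Error('duplicate field name: ' + name)
      seen.add(name)
      fields.push({ name: name, maxCount: 1 })
    }
  })
  if (fields.length > MAX_FILE_FIELDS) throw new Error('too many file fields')
  return fields
}

// Constructed sample schemas; the second carries a name that must be refused.
var sampleSchema = [
  { name: 'title', type: 'text' },
  { name: 'avatar', type: 'file' },
  { name: 'resources', type: 'file', count: 2 }
]
var hostileSchema = [{ name: '../outside', type: 'file' }]

// Return the field list, or the error message when the schema is rejected.
function tryFields (schema) {
  try { return schemaToFields(schema) } catch (err) { return err.message }
}

console.log(tryFields(sampleSchema))
console.log(tryFields(hostileSchema))
```

The returned array is what `upload.fields(fields)` in the sketch above takes, so a file posted under any name outside the schema is rejected by multer instead of landing in the upload directory.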
Yes that is what I'm trying to implement now. Thanks for the assistance and the information.
@polonel Did it work out for you? :+1:
@LinusU Yes sorry I forgot to report back. All is good. Thanks for your suggestion on implementing this.
No problem, glad to hear!