Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

multipart Status #1438

Closed
pinkforest opened this issue Oct 16, 2022 · 3 comments
Closed

multipart Status #1438

pinkforest opened this issue Oct 16, 2022 · 3 comments
Labels
Unmaintained Informational / Unmaintained

Comments

@pinkforest
Copy link
Contributor

6,789,801 downloads all time, ~12k a day.

Whilst going through iron - #1424 - and some other crates around the space I forgot to flag multipart to clarify it's status.

@abonander - Just wondering is multipart still being actively maintained or would be it be deprecated ?

These issues caught my eye - some of the I think are hyper a bit like in iron:

Hyper/Iron are optional dependencies though -

hyper = { version = ">=0.9, <0.11", optional = true, default-features = false }
iron = { version = ">=0.4,<0.7", optional = true }

Considering hyper has several advisories - some related to the above.

Normally this wouldn't be an issue with the optional deps as the advisory pops up via hyper picked up -

But I'm just wondering whether this all maintained considering outdated deps e.g. hyper w/ advisories -

There is no upgrade path to hyper current track 0.14
Issue essentially seems that the crate forces to use very old version of hyper from 0.11 track from 5 yrs ago ?

NOTE: Some of these MAY NOT be applicable - No further analysis has been done yet
NOTE.2: Maintainer is the first point to verify these issues whether affected or not

Parser creates invalid uninitialized value - >= 0.14.12
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2022-0022.md

Integer overflow in hyper's parsing of the Transfer-Encoding - >= 0.14.10
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2021-0079.md

Lenient hyper header parsing of Content-Length - >= 0.14.10
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2021-0078.md

Unaffected - Only between 0.12.0 < 0.14.3
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2021-0020.md

Unaffected - Only between 0.11.0 < 0.12.34
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2020-0008.md

Headers containing newline characters - >= 0.10.2", "< 0.10.0, >= 0.9.18"
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2017-0002.md

HTTPS MitM vulnerability - >= 0.9.4
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2016-0002.md

@pinkforest pinkforest added Unmaintained Informational / Unmaintained Waiting-Maintainer Waiting-Maintainer labels Oct 16, 2022
@Ltrlg
Copy link

Ltrlg commented Feb 15, 2023

According to GitHub, @abonander archived the multipart repository yesterday.

@pinkforest
Copy link
Contributor Author

pinkforest commented Apr 1, 2023

Ok - I think we may need to flag unmaintained status on this crate

I noticed multiparty and warp moved to using it.

There also seems multer crate

I wonder if there are other forks / impls we could potentially refer to ?

@amousset
Copy link
Member

Advisory published #1679

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Unmaintained Informational / Unmaintained
Projects
None yet
Development

No branches or pull requests

3 participants