multipart Status

[pinkforest]

6,789,801 downloads all time, ~12k a day.

Whilst going through iron - #1424 - and some other crates around the space I forgot to flag multipart to clarify it's status.

• https://crates.io/crates/multipart - Release over a year ago
• https://github.com/abonander/multipart

@abonander - Just wondering is multipart still being actively maintained or would be it be deprecated ?

These issues caught my eye - some of the I think are hyper a bit like in iron:

• twoway dependency is dead abonander/multipart#143 -
• There is open PR on twoway - Add unmaintained twoway #1435
• "\r\n" straddling the buffer end is erroneously sent as part of the part's contents. abonander/multipart#139 - "\r\n" straddling the buffer end (sounds like outdated hyper crate)
• Got MissingContentDisposition Error when parsing the response body of Multipart ranges abonander/multipart#131 - Got MissingContentDisposition Error
• Calling form.prepare()?.boundary() twice panics abonander/multipart#122 - Panic
• StringError("text was not valid unicode") abonander/multipart#106

Hyper/Iron are optional dependencies though -

hyper = { version = ">=0.9, <0.11", optional = true, default-features = false }
iron = { version = ">=0.4,<0.7", optional = true }

Considering hyper has several advisories - some related to the above.

Normally this wouldn't be an issue with the optional deps as the advisory pops up via hyper picked up -

But I'm just wondering whether this all maintained considering outdated deps e.g. hyper w/ advisories -

There is no upgrade path to hyper current track 0.14
Issue essentially seems that the crate forces to use very old version of hyper from 0.11 track from 5 yrs ago ?

NOTE: Some of these MAY NOT be applicable - No further analysis has been done yet
NOTE.2: Maintainer is the first point to verify these issues whether affected or not

Parser creates invalid uninitialized value - >= 0.14.12
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2022-0022.md

Integer overflow in hyper's parsing of the Transfer-Encoding - >= 0.14.10
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2021-0079.md

Lenient hyper header parsing of Content-Length - >= 0.14.10
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2021-0078.md

Unaffected - Only between 0.12.0 < 0.14.3
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2021-0020.md

Unaffected - Only between 0.11.0 < 0.12.34
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2020-0008.md

Headers containing newline characters - >= 0.10.2", "< 0.10.0, >= 0.9.18"
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2017-0002.md

HTTPS MitM vulnerability - >= 0.9.4
https://github.com/rustsec/advisory-db/blob/main/crates/hyper/RUSTSEC-2016-0002.md

[Ltrlg]

According to GitHub, @abonander archived the multipart repository yesterday.

[pinkforest]

Ok - I think we may need to flag unmaintained status on this crate

I noticed multiparty and warp moved to using it.

• Reimplement multipart and make it stream the file upload seanmonstar/warp#846
• use multiparty crate seanmonstar/warp#1031

There also seems multer crate

• Implement multipart with multer seanmonstar/warp#1033

I wonder if there are other forks / impls we could potentially refer to ?

[amousset]

Advisory published #1679