Fix issue where invalid charset results in 400 when verify used

expressjs · Sep 28, 2015 · ccc0f82 · ccc0f82
1 parent 96767f4
commit ccc0f82
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 7 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,6 +1,7 @@
 unreleased
 ==========
 
+  * Fix issue where invalid charset results in 400 when `verify` used
   * deps: iconv-lite@0.4.12
     - Fix CESU-8 decoding in Node.js 4.x
   * deps: raw-body@~2.1.4

diff --git a/lib/read.js b/lib/read.js
@@ -37,32 +37,40 @@ module.exports = read
 
 function read(req, res, next, parse, debug, options) {
   var length
+  var opts = options || {}
   var stream
 
   // flag as parsed
   req._body = true
 
-  var opts = options || {}
+  // read options
+  var encoding = opts.encoding !== null
+    ? opts.encoding || 'utf-8'
+    : null
+  var verify = opts.verify
 
   try {
+    // get the content stream
     stream = contentstream(req, debug, opts.inflate)
     length = stream.length
     stream.length = undefined
   } catch (err) {
     return next(err)
   }
 
+  // set raw-body options
   opts.length = length
-
-  var encoding = opts.encoding !== null
-    ? opts.encoding || 'utf-8'
-    : null
-  var verify = opts.verify
-
   opts.encoding = verify
     ? null
     : encoding
 
+  // assert charset is supported
+  if (opts.encoding === null && encoding !== null && !iconv.encodingExists(encoding)) {
+    return next(createError(415, 'unsupported charset "' + encoding.toUpperCase() + '"', {
+      charset: encoding.toLowerCase()
+    }))
+  }
+
   // read body
   debug('read body')
   getBody(stream, opts, function (err, body) {

diff --git a/test/json.js b/test/json.js
@@ -373,6 +373,16 @@ describe('bodyParser.json()', function(){
       test.expect(200, '{"name":"论"}', done)
     })
 
+    it('should 415 on unknown charset prior to verify', function (done) {
+      var server = createServer({verify: function (req, res, buf) {
+        throw new Error('unexpected verify call')
+      }})
+
+      var test = request(server).post('/')
+      test.set('Content-Type', 'application/json; charset=x-bogus')
+      test.write(new Buffer('00000000', 'hex'))
+      test.expect(415, 'unsupported charset "X-BOGUS"', done)
+    })
   })
 
   describe('charset', function(){

diff --git a/test/text.js b/test/text.js
@@ -305,6 +305,17 @@ describe('bodyParser.text()', function(){
       .send('user is tobi')
       .expect(200, '"user is tobi"', done)
     })
+
+    it('should 415 on unknown charset prior to verify', function (done) {
+      var server = createServer({verify: function (req, res, buf) {
+        throw new Error('unexpected verify call')
+      }})
+
+      var test = request(server).post('/')
+      test.set('Content-Type', 'text/plain; charset=x-bogus')
+      test.write(new Buffer('00000000', 'hex'))
+      test.expect(415, 'unsupported charset "X-BOGUS"', done)
+    })
   })
 
   describe('charset', function(){

diff --git a/test/urlencoded.js b/test/urlencoded.js
@@ -529,6 +529,17 @@ describe('bodyParser.urlencoded()', function(){
       .send('user=tobi')
       .expect(200, '{"user":"tobi"}', done)
     })
+
+    it('should 415 on unknown charset prior to verify', function (done) {
+      var server = createServer({verify: function (req, res, buf) {
+        throw new Error('unexpected verify call')
+      }})
+
+      var test = request(server).post('/')
+      test.set('Content-Type', 'application/x-www-form-urlencoded; charset=x-bogus')
+      test.write(new Buffer('00000000', 'hex'))
+      test.expect(415, 'unsupported charset "X-BOGUS"', done)
+    })
   })
 
   describe('charset', function(){