From b081ba49c8133931e23d32577eac4fdc4b334ac8 Mon Sep 17 00:00:00 2001
From: jin
Date: Tue, 12 Aug 2025 17:14:28 +0800
Subject: [PATCH] fix CVE-2025-7783

(cherry picked from commit a838d9b4cf33c34e1df3e0c75f35b7b6d65a3ec9)
---
 ...ng-crypto-random-for-boundary-values.patch | 39 +++++++++++++++++++
 nodejs-form-data.spec | 10 ++++-
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2025-7783-Fix-Switch-to-using-crypto-random-for-boundary-values.patch

diff --git a/CVE-2025-7783-Fix-Switch-to-using-crypto-random-for-boundary-values.patch b/CVE-2025-7783-Fix-Switch-to-using-crypto-random-for-boundary-values.patch
new file mode 100644
index 0000000..ac7ff20
--- /dev/null
+++ b/CVE-2025-7783-Fix-Switch-to-using-crypto-random-for-boundary-values.patch
@@ -0,0 +1,39 @@
+From 534bb5bf53ae6da4cbd707a4c0b015e7e87c18e7 Mon Sep 17 00:00:00 2001
+From: Ben Shonaldmann
+Date: Fri Feb 21 21:20:43 2025 -0500
+Subject: [PATCH] CVE-2025-7783 Fix Switch to using crypto random for boundary
+ values
+
+---
+ lib/form_data.js | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/lib/form_data.js b/lib/form_data.js
+index 5b33f55..2df1f31 100644
+--- a/lib/form_data.js
++++ b/lib/form_data.js
+@@ -7,6 +7,7 @@ var parseUrl = require('url').parse;
+ var fs = require('fs');
+ var mime = require('mime-types');
+ var async = require('async');
++var crypto = require('crypto');
+ 
+ module.exports = FormData;
+ function FormData() {
+@@ -217,12 +218,7 @@ FormData.prototype.getBoundary = function() {
+ FormData.prototype._generateBoundary = function() {
+   // This generates a 50 character boundary similar to those used by Firefox.
+   // They are optimized for boyer-moore parsing.
+-  var boundary = '--------------------------';
+-  for (var i = 0; i < 24; i++) {
+-    boundary += Math.floor(Math.random() * 10).toString(16);
+-  }
+-
+-  this._boundary = boundary;
++  this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length
+-- 
+2.43.0
+
diff --git a/nodejs-form-data.spec b/nodejs-form-data.spec
index 28f0e01..3ccac82 100644
--- a/nodejs-form-data.spec
+++ b/nodejs-form-data.spec
@@ -2,11 +2,14 @@
 %global enable_tests 0
 Name: nodejs-form-data
 Version: 0.2.0
-Release: 1
+Release: 2
 Summary: A module to create readable "multipart/form-data" streams
 License: MIT
 URL: https://github.com/form-data/form-data
 Source0: https://github.com/form-data/form-data/archive/0.2/form-data-%{version}.tar.gz
+Patch1: CVE-2025-7783-Fix-Switch-to-using-crypto-random-for-boundary-values.patch
+
+
 BuildArch: noarch
 ExclusiveArch: %{nodejs_arches} noarch
 ExclusiveArch: %{ix86} x86_64 %{arm} noarch
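Review bot: The new `Patch1:` tag is followed by two added blank lines before `BuildArch:`, while the rest of this preamble separates tag groups with a single blank line; dropping one of them keeps the spacing consistent. Keeping `Patch1:` directly under `Source0:` with one blank line after it also lets the source/patch list read as one group, which is how the `%prep` hunk below consumes it.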
@@ -21,10 +24,10 @@ submit forms and file uploads to other web applications.
 
 %prep
 %setup -q -n form-data-0.2
+%patch 1 -p1
 %nodejs_fixdep async "^1.5.0"
 %nodejs_fixdep mime-types "^2.1.7"
 %nodejs_fixdep combined-stream "^1.0.5"
-
 %build
 
 %install
@@ -44,5 +47,8 @@ cp -pr package.json lib %{buildroot}%{nodejs_sitelib}/form-data
 %{nodejs_sitelib}/form-data
 
 %changelog
+* Tue Aug 12 2025 jinshuaiyu - 0.2.0-2
+- fix CVE-2025-7783
+
 * Thu Aug 20 2020 Anan Fu - 0.2.0-1
 - package init
-- 
Gitee
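Review bot: `%patch 1 -p1` applies the fix, but nothing verifies the result, because `%global enable_tests 0` (context in the first spec hunk) leaves the module unexercised at build time, so a patch that fails to apply cleanly on a future rebase or a missing `crypto` require would ship unnoticed. A one-line `%check` after `%install` would catch that: `node -e 'var F=require("./lib/form_data.js");var b=new F().getBoundary();if(!/^-{26}[0-9a-f]{24}$/.test(b))process.exit(1)'`, where the regex is exactly the shape the patched `_generateBoundary` produces (26 dashes plus 24 hex characters from `crypto.randomBytes(12).toString('hex')`) and `getBoundary` is the accessor visible in the nested hunk header. This assumes node is available in the build root; if it is not already a BuildRequires, that would need adding. If the target rpm predates the positional `%patch N` spelling, `%patch -P 1 -p1` is the form both older and newer rpm accept — worth confirming against the distribution's rpm version rather than assuming.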