Catch errors in multiple req.param(name, fn) handlers

History.md

@@ -3,6 +3,7 @@ unreleased
 
   * add explicit "Rosetta Flash JSONP abuse" protection
     - previous versions are not vulnerable; this is just explicit protection
+  * catch errors in multiple `req.param(name, fn)` handlers
   * deprecate `res.redirect(url, status)` -- use `res.redirect(status, url)` instead
   * fix `res.send(status, num)` to send `num` as json (not error)
   * remove unnecessary escaping when `res.jsonp` returns JSON response

lib/router/index.js

@@ -353,11 +353,7 @@ proto.process_params = function(layer, called, req, res, done) {
       value: paramVal
     };
 
-    try {
-      return paramCallback();
-    } catch (err) {
-      return done(err);
-    }
+    paramCallback();
   }
 
   // single param callbacks
@@ -376,7 +372,11 @@ proto.process_params = function(layer, called, req, res, done) {
 
     if (!fn) return param();
 
-    fn(req, res, paramCallback, paramVal, key.name);
+    try {
+      fn(req, res, paramCallback, paramVal, key.name);
+    } catch (e) {
+      paramCallback(e);
+    }
   }
 
   param();

test/app.param.js

@@ -237,6 +237,27 @@ describe('app', function(){
       .expect(500, done);
     })
 
+    it('should catch thrown secondary error', function(done){
+      var app = express();
+
+      app.param('id', function(req, res, next, val){
+        process.nextTick(next);
+      });
+
+      app.param('id', function(req, res, next, id){
+        throw new Error('err!');
+      });
+
+      app.get('/user/:id', function(req, res){
+        var id = req.params.id;
+        res.send('' + id);
+      });
+
+      request(app)
+      .get('/user/123')
+      .expect(500, done);
+    })
+
     it('should defer to next route', function(done){
       var app = express();