diff options
| author | Joas Schilling <coding@schilljs.com> | 2025-05-27 23:36:28 +0200 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2025-05-27 23:38:14 +0200 |
| commit | ac8161ae3375bb013f567bcd00c47f43fd00334d (patch) | |
| tree | 67f9afc52f14b5fd6dc973ba235f486506cf472c | |
| parent | 18637eb0a36e052f27efab55e880f967b99a625e (diff) | |
| download | nextcloud-server-tests/noid/finish-dav.tar.gz nextcloud-server-tests/noid/finish-dav.zip | |
fix(DAV): Check if the header is actually the expected formattests/noid/finish-dav
Not sure how the test ever passed as it can only
throw with strict types which are not yet enabled
Signed-off-by: Joas Schilling <coding@schilljs.com>
| -rw-r--r-- | apps/dav/lib/BulkUpload/MultipartRequestParser.php | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/apps/dav/lib/BulkUpload/MultipartRequestParser.php b/apps/dav/lib/BulkUpload/MultipartRequestParser.php index 96a90f82cde..f23aca580cc 100644 --- a/apps/dav/lib/BulkUpload/MultipartRequestParser.php +++ b/apps/dav/lib/BulkUpload/MultipartRequestParser.php @@ -57,7 +57,13 @@ class MultipartRequestParser { */ private function parseBoundaryFromHeaders(string $contentType): string { try { + if (!str_contains($contentType, ';')) { + throw new \InvalidArgumentException('No semicolon in header'); + } [$mimeType, $boundary] = explode(';', $contentType); + if (!str_contains($boundary, '=')) { + throw new \InvalidArgumentException('No equal in boundary header'); + } [$boundaryKey, $boundaryValue] = explode('=', $boundary); } catch (\Exception $e) { throw new BadRequest('Error while parsing boundary in Content-Type header.', Http::STATUS_BAD_REQUEST, $e); |