aboutsummaryrefslogtreecommitdiffstats
path: root/apps/dav/lib/BulkUpload/MultipartRequestParser.php
diff options
context:
space:
mode:
Diffstat (limited to 'apps/dav/lib/BulkUpload/MultipartRequestParser.php')
-rw-r--r--apps/dav/lib/BulkUpload/MultipartRequestParser.php7
1 files changed, 7 insertions, 0 deletions
diff --git a/apps/dav/lib/BulkUpload/MultipartRequestParser.php b/apps/dav/lib/BulkUpload/MultipartRequestParser.php
index 96a90f82cde..50f8cff76ba 100644
--- a/apps/dav/lib/BulkUpload/MultipartRequestParser.php
+++ b/apps/dav/lib/BulkUpload/MultipartRequestParser.php
@@ -1,4 +1,5 @@
<?php
+
/**
* SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-only
@@ -57,7 +58,13 @@ class MultipartRequestParser {
*/
private function parseBoundaryFromHeaders(string $contentType): string {
try {
+ if (!str_contains($contentType, ';')) {
+ throw new \InvalidArgumentException('No semicolon in header');
+ }
[$mimeType, $boundary] = explode(';', $contentType);
+ if (!str_contains($boundary, '=')) {
+ throw new \InvalidArgumentException('No equal in boundary header');
+ }
[$boundaryKey, $boundaryValue] = explode('=', $boundary);
} catch (\Exception $e) {
throw new BadRequest('Error while parsing boundary in Content-Type header.', Http::STATUS_BAD_REQUEST, $e);
generated by cgit v1.2.3 (git 2.39.1) at 2025-07-03 00:36:10 +0000