kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-10-16 09:22:33 +00:00
Code Issues Projects Releases Wiki Activity

Fix #7140 by better validating header content.

Browse Source
This commit is contained in:
James Cole
2023-03-05 17:07:27 +01:00
parent 3df05eb63c
commit dad738ae42
1 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
app/Http/Middleware/AcceptHeaders.php
View File

@@ -56,11 +56,11 @@ class AcceptHeaders
} }
// if bad 'Content-Type' header, refuse service. // if bad 'Content-Type' header, refuse service.
if (('POST' === $method || 'PUT' === $method) && !$request->hasHeader('Content-Type')) { if (('POST' === $method || 'PUT' === $method) && !$request->hasHeader('Content-Type')) {
$error = new BadHttpHeaderException('Content-Type header cannot be empty'); $error = new BadHttpHeaderException('Content-Type header cannot be empty.');
$error->statusCode = 415; $error->statusCode = 415;
throw $error; throw $error;
} }
if (('POST' === $method || 'PUT' === $method) && !in_array($submitted, $contentTypes, true)) { if (('POST' === $method || 'PUT' === $method) && !$this->acceptsHeader($submitted, $contentTypes)) {
$error = new BadHttpHeaderException(sprintf('Content-Type cannot be "%s"', $submitted)); $error = new BadHttpHeaderException(sprintf('Content-Type cannot be "%s"', $submitted));
$error->statusCode = 415; $error->statusCode = 415;
throw $error; throw $error;
@@ -74,4 +74,17 @@ class AcceptHeaders
return $next($request); return $next($request);
} }
/**
* @param string $content
* @param array $accepted
* @return bool
*/
private function acceptsHeader(string $content, array $accepted): bool
{
if (str_contains($content, ';')) {
$content = trim(explode(';', $content)[0]);
}
return in_array($content, $accepted, true);
}
} }