IntenseFinance/firefly-iii
3
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-02-25 18:45:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix #7140 by better validating header content.

Browse Source
This commit is contained in:
James Cole 2023-03-05 17:07:27 +01:00
parent 3df05eb63c
commit dad738ae42
No known key found for this signature in database
GPG Key ID: B49A324B7EAD6D80
1 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
app/Http/Middleware/AcceptHeaders.php
View File

@ -56,11 +56,11 @@ class AcceptHeaders
}
// if bad 'Content-Type' header, refuse service.
if (('POST' === $method || 'PUT' === $method) && !$request->hasHeader('Content-Type')) {
$error = new BadHttpHeaderException('Content-Type header cannot be empty');
$error = new BadHttpHeaderException('Content-Type header cannot be empty.');
$error->statusCode = 415;
throw $error;
}
if (('POST' === $method || 'PUT' === $method) && !in_array($submitted, $contentTypes, true)) {
if (('POST' === $method || 'PUT' === $method) && !$this->acceptsHeader($submitted, $contentTypes)) {
$error = new BadHttpHeaderException(sprintf('Content-Type cannot be "%s"', $submitted));
$error->statusCode = 415;
throw $error;
@ -74,4 +74,17 @@ class AcceptHeaders
return $next($request);
}
/**
* @param string $content
* @param array $accepted
* @return bool
*/
private function acceptsHeader(string $content, array $accepted): bool
{
if (str_contains($content, ';')) {
$content = trim(explode(';', $content)[0]);
}
return in_array($content, $accepted, true);
}
}