Validate the Content-Type on PUT requests

Return a 415 (https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/415) when the Content-Type does not look like a valid MIME type (in the type/subtype format) Refs #137
2020-04-15 13:45:34 +02:00
parent ab673f1d43
commit 71d138894e
3 changed files with 17 additions and 0 deletions
--- a/lib/remote_storage/rest_provider.rb
+++ b/lib/remote_storage/rest_provider.rb
@@ -506,5 +506,10 @@ module RemoteStorage
      items
    end

+    def validate_content_type(content_type)
+      # Do not try to perform the PUT request when the Content-Type does not
+      # look like a MIME type
+      server.halt 415 unless content_type.match(/^.+\/.+/i)
+    end
  end
 end
--- a/lib/remote_storage/s3.rb
+++ b/lib/remote_storage/s3.rb
@@ -16,6 +16,8 @@ module RemoteStorage
    end

    def do_put_request(url, data, content_type)
+      validate_content_type(content_type)
+
      deal_with_unauthorized_requests do
        md5 = Digest::MD5.base64digest(data)
        authorization_headers = authorization_headers_for(