}
$content_type = 'text/plain' if ($is_url || $is_patch);
- $content_type = trim($content_type);
+ $content_type = clean_text($content_type);
+ # The subsets below cover all existing MIME types and charsets registered by IANA.
+ # (MIME type: RFC 2045 section 5.1; charset: RFC 2278 section 3.3)
my $legal_types = join('|', LEGAL_CONTENT_TYPES);
- if (!$content_type or $content_type !~ /^($legal_types)\/.+$/) {
+ if (!$content_type
+ || $content_type !~ /^($legal_types)\/[a-z0-9_\-\+\.]+(;.+)?$/i)
+ {
ThrowUserError("invalid_content_type", { contenttype => $content_type });
}
trick_taint($content_type);
# No file is attached, so it has no name.
return '' if $is_url;
- $filename = trim($filename);
+ $filename = clean_text($filename);
$filename || ThrowUserError('file_not_specified');
# Remove path info (if any) from the file name. The browser should do this
[% title = "Invalid Content-Type" %]
The content type <em>[% contenttype FILTER html %]</em> is invalid.
Valid types must be of the form <em>foo/bar</em> where <em>foo</em>
- is one of <em>[% constants.LEGAL_CONTENT_TYPES.join(', ') FILTER html %]</em>.
-
+ is one of <em>[% constants.LEGAL_CONTENT_TYPES.join(', ') FILTER html %]</em>
+ and <em>bar</em> must not contain any special characters (such as "=", "?", ...).
+
[% ELSIF error == "invalid_context" %]
[% title = "Invalid Context" %]
The context [% context FILTER html %] is invalid (must be a number,
projects / thirdparty / bugzilla.git / commitdiff
