MultipartRequestParser.php 6.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2021, Louis Chemineau <louis@chmn.me>
  4. *
  5. * @author Louis Chemineau <louis@chmn.me>
  6. *
  7. * @license AGPL-3.0
  8. *
  9. * This code is free software: you can redistribute it and/or modify
  10. * it under the terms of the GNU Affero General Public License, version 3,
  11. * as published by the Free Software Foundation.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU Affero General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU Affero General Public License, version 3,
  19. * along with this program. If not, see <http://www.gnu.org/licenses/>
  20. *
  21. */
  22. namespace OCA\DAV\BulkUpload;
  23. use OCP\AppFramework\Http;
  24. use Psr\Log\LoggerInterface;
  25. use Sabre\DAV\Exception;
  26. use Sabre\DAV\Exception\BadRequest;
  27. use Sabre\DAV\Exception\LengthRequired;
  28. use Sabre\HTTP\RequestInterface;
  29. class MultipartRequestParser {
  30. /** @var resource */
  31. private $stream;
  32. /** @var string */
  33. private $boundary = "";
  34. /** @var string */
  35. private $lastBoundary = "";
  36. /**
  37. * @throws BadRequest
  38. */
  39. public function __construct(
  40. RequestInterface $request,
  41. protected LoggerInterface $logger,
  42. ) {
  43. $stream = $request->getBody();
  44. $contentType = $request->getHeader('Content-Type');
  45. if (!is_resource($stream)) {
  46. throw new BadRequest('Body should be of type resource');
  47. }
  48. if ($contentType === null) {
  49. throw new BadRequest("Content-Type can not be null");
  50. }
  51. $this->stream = $stream;
  52. $boundary = $this->parseBoundaryFromHeaders($contentType);
  53. $this->boundary = '--'.$boundary."\r\n";
  54. $this->lastBoundary = '--'.$boundary."--\r\n";
  55. }
  56. /**
  57. * Parse the boundary from the Content-Type header.
  58. * Example: Content-Type: "multipart/related; boundary=boundary_bf38b9b4b10a303a28ed075624db3978"
  59. *
  60. * @throws BadRequest
  61. */
  62. private function parseBoundaryFromHeaders(string $contentType): string {
  63. try {
  64. [$mimeType, $boundary] = explode(';', $contentType);
  65. [$boundaryKey, $boundaryValue] = explode('=', $boundary);
  66. } catch (\Exception $e) {
  67. throw new BadRequest("Error while parsing boundary in Content-Type header.", Http::STATUS_BAD_REQUEST, $e);
  68. }
  69. $boundaryValue = trim($boundaryValue);
  70. // Remove potential quotes around boundary value.
  71. if (substr($boundaryValue, 0, 1) === '"' && substr($boundaryValue, -1) === '"') {
  72. $boundaryValue = substr($boundaryValue, 1, -1);
  73. }
  74. if (trim($mimeType) !== 'multipart/related') {
  75. throw new BadRequest('Content-Type must be multipart/related');
  76. }
  77. if (trim($boundaryKey) !== 'boundary') {
  78. throw new BadRequest('Boundary is invalid');
  79. }
  80. return $boundaryValue;
  81. }
  82. /**
  83. * Check whether the stream's cursor is sitting right before the provided string.
  84. *
  85. * @throws Exception
  86. */
  87. private function isAt(string $expectedContent): bool {
  88. $expectedContentLength = strlen($expectedContent);
  89. $content = fread($this->stream, $expectedContentLength);
  90. if ($content === false) {
  91. throw new Exception('An error occurred while checking content');
  92. }
  93. $seekBackResult = fseek($this->stream, -$expectedContentLength, SEEK_CUR);
  94. if ($seekBackResult === -1) {
  95. throw new Exception("Unknown error while seeking content", Http::STATUS_INTERNAL_SERVER_ERROR);
  96. }
  97. return $expectedContent === $content;
  98. }
  99. /**
  100. * Check whether the stream's cursor is sitting right before the boundary.
  101. */
  102. private function isAtBoundary(): bool {
  103. return $this->isAt($this->boundary);
  104. }
  105. /**
  106. * Check whether the stream's cursor is sitting right before the last boundary.
  107. */
  108. public function isAtLastBoundary(): bool {
  109. return $this->isAt($this->lastBoundary);
  110. }
  111. /**
  112. * Parse and return the next part of the multipart headers.
  113. *
  114. * Example:
  115. * --boundary_azertyuiop
  116. * Header1: value
  117. * Header2: value
  118. *
  119. * Content of
  120. * the part
  121. *
  122. */
  123. public function parseNextPart(): array {
  124. $this->readBoundary();
  125. $headers = $this->readPartHeaders();
  126. $content = $this->readPartContent($headers["content-length"], $headers["x-file-md5"]);
  127. return [$headers, $content];
  128. }
  129. /**
  130. * Read the boundary and check its content.
  131. *
  132. * @throws BadRequest
  133. */
  134. private function readBoundary(): string {
  135. if (!$this->isAtBoundary()) {
  136. throw new BadRequest("Boundary not found where it should be.");
  137. }
  138. return fread($this->stream, strlen($this->boundary));
  139. }
  140. /**
  141. * Return the headers of a part of the multipart body.
  142. *
  143. * @throws Exception
  144. * @throws BadRequest
  145. * @throws LengthRequired
  146. */
  147. private function readPartHeaders(): array {
  148. $headers = [];
  149. while (($line = fgets($this->stream)) !== "\r\n") {
  150. if ($line === false) {
  151. throw new Exception('An error occurred while reading headers of a part');
  152. }
  153. if (!str_contains($line, ':')) {
  154. $this->logger->error('Header missing ":" on bulk request: ' . json_encode($line));
  155. throw new Exception('An error occurred while reading headers of a part', Http::STATUS_BAD_REQUEST);
  156. }
  157. try {
  158. [$key, $value] = explode(':', $line, 2);
  159. $headers[strtolower(trim($key))] = trim($value);
  160. } catch (\Exception $e) {
  161. throw new BadRequest('An error occurred while parsing headers of a part', Http::STATUS_BAD_REQUEST, $e);
  162. }
  163. }
  164. if (!isset($headers["content-length"])) {
  165. throw new LengthRequired("The Content-Length header must not be null.");
  166. }
  167. if (!isset($headers["x-file-md5"])) {
  168. throw new BadRequest("The X-File-MD5 header must not be null.");
  169. }
  170. return $headers;
  171. }
  172. /**
  173. * Return the content of a part of the multipart body.
  174. *
  175. * @throws Exception
  176. * @throws BadRequest
  177. */
  178. private function readPartContent(int $length, string $md5): string {
  179. $computedMd5 = $this->computeMd5Hash($length);
  180. if ($md5 !== $computedMd5) {
  181. throw new BadRequest("Computed md5 hash is incorrect.");
  182. }
  183. if ($length === 0) {
  184. $content = '';
  185. } else {
  186. $content = stream_get_line($this->stream, $length);
  187. }
  188. if ($content === false) {
  189. throw new Exception("Fail to read part's content.");
  190. }
  191. if ($length !== 0 && feof($this->stream)) {
  192. throw new Exception("Unexpected EOF while reading stream.");
  193. }
  194. // Read '\r\n'.
  195. stream_get_contents($this->stream, 2);
  196. return $content;
  197. }
  198. /**
  199. * Compute the MD5 hash of the next x bytes.
  200. */
  201. private function computeMd5Hash(int $length): string {
  202. $context = hash_init('md5');
  203. hash_update_stream($context, $this->stream, $length);
  204. fseek($this->stream, -$length, SEEK_CUR);
  205. return hash_final($context);
  206. }
  207. }