Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive in HTTP uploads).

2 files changed, 17 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index f7297cca80..629ffb5553 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP                                                                        NEWS
   (Ilia)
 - Added stream_resolve_include_path(). (Mikko)
 
+- Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive
+  in HTTP uploads). (Ilia)
 - Fixed bug #47409 (extract() problem with array containing word "this").
   (Ilia, chrisstocktonaz at gmail dot com)
 
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 291a07dffc..d37c1de760 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -32,6 +32,7 @@
 #include "php_globals.h"
 #include "php_variables.h"
 #include "rfc1867.h"
+#include "ext/standard/php_string.h"
 
 #define DEBUG_FILE_UPLOAD ZEND_DEBUG
 
@@ -796,6 +797,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 	void *event_extra_data = NULL;
 	int llen = 0;
 	int upload_cnt = INI_INT("max_file_uploads");
+	
+	
 
 	if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
@@ -804,6 +807,18 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
 
 	/* Get the boundary */
 	boundary = strstr(content_type_dup, "boundary");
+	if (!boundary) {
+		int content_type_len = strlen(content_type_dup);
+		char *content_type_lcase = estrndup(content_type_dup, content_type_len);
+
+		php_strtolower(content_type_lcase, content_type_len);
+		boundary = strstr(content_type_lcase, "boundary");
+		if (boundary) {
+			boundary = content_type_dup + (boundary - content_type_lcase);
+		}
+		efree(content_type_lcase);
+	}
+
 	if (!boundary || !(boundary=strchr(boundary, '='))) {
 		sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
 		return;