fix(DAV): Check if the header is actually the expected format

Not sure how the test ever passed as it can only
throw with strict types which are not yet enabled

Signed-off-by: Joas Schilling <coding@schilljs.com>

Author: nickvergessen

apps/dav/lib/BulkUpload/MultipartRequestParser.php

@@ -57,7 +57,13 @@ public function __construct(
 	 */
 	private function parseBoundaryFromHeaders(string $contentType): string {
 		try {
+			if (!str_contains($contentType, ';')) {
+				throw new \InvalidArgumentException('No semicolon in header');
+			}
 			[$mimeType, $boundary] = explode(';', $contentType);
+			if (!str_contains($boundary, '=')) {
+				throw new \InvalidArgumentException('No equal in boundary header');
+			}
 			[$boundaryKey, $boundaryValue] = explode('=', $boundary);
 		} catch (\Exception $e) {
 			throw new BadRequest('Error while parsing boundary in Content-Type header.', Http::STATUS_BAD_REQUEST, $e);