From 62ace6aa0179346ca89126e48ded8349ed87d188 Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Tue, 15 Oct 2024 20:26:16 -0500
Subject: [PATCH] SA-CORE-2024-002 by prudloff, catch, larowlan, benjifisher,
 kim.pepper, wim leers, xjm

(cherry picked from commit 36ad383cda7847cfb75a8c69c53cb86909f79448)
---
 .../ckeditor5/src/Controller/CKEditor5ImageController.php    | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/modules/ckeditor5/src/Controller/CKEditor5ImageController.php b/core/modules/ckeditor5/src/Controller/CKEditor5ImageController.php
index 4492f4ec9945..b07ef54b59d7 100644
--- a/core/modules/ckeditor5/src/Controller/CKEditor5ImageController.php
+++ b/core/modules/ckeditor5/src/Controller/CKEditor5ImageController.php
@@ -82,8 +82,11 @@ public static function create(ContainerInterface $container) {
    */
   public function upload(Request $request): Response {
     // Getting the UploadedFile directly from the request.
-    /** @var \Symfony\Component\HttpFoundation\File\UploadedFile $upload */
+    /** @var \Symfony\Component\HttpFoundation\File\UploadedFile|null $upload */
     $upload = $request->files->get('upload');
+    if ($upload === NULL || !$upload->isValid()) {
+      throw new HttpException(500, $upload?->getErrorMessage() ?: 'Invalid file upload');
+    }
     $filename = $upload->getClientOriginalName();
 
     /** @var \Drupal\editor\EditorInterface $editor */
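Review bot: The new guard on `$upload` only excludes NULL, so if the `upload` field arrives as an array of files (Symfony's FileBag returns an array for array-style field names), the code still reaches `$upload->isValid()` and fails with an uncaught Error rather than the intended HttpException. A type check covers both cases: `if (!$upload instanceof UploadedFile || !$upload->isValid()) {`, with the class imported or written fully qualified as in the `@var` line above. The message expression then needs the same test instead of `$upload?->`, for example `$upload instanceof UploadedFile ? $upload->getErrorMessage() : 'Invalid file upload'`. A missing or rejected upload is a client-side condition, so status 500 will be counted as a server failure in error monitoring; 400 looks more accurate unless existing callers depend on 500. `upload()` continues past the end of this hunk, so how the exception message is rendered to the client is not visible here.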
-- 
GitLab