Check for contradicting browsers within user agent

2026-04-07 16:13:20 +01:00 · 2026-04-07 16:13:20 +01:00 · 339e466838
parent 9e52c7e438
commit 339e466838
3 changed files with 30 additions and 0 deletions
--- a/daemon_get.py
+++ b/daemon_get.py
@ -96,6 +96,7 @@ from flags import is_artist
 from flags import is_blog_post
 from timeFunctions import date_utcnow
 from timeFunctions import get_current_time_int
+from utils import check_mixed_user_agent
 from utils import string_starts_with
 from utils import is_yggdrasil_address
 from utils import replace_strings
@ -382,6 +383,12 @@ def daemon_http_get(self) -> None:

    ua_str = get_user_agent(self)

+    # contradictory browsers within the user agent indicate
+    # malevolent intent
+    if check_mixed_user_agent(ua_str):
+        http_400(self)
+        return
+
    if ua_str:
        if 'Epicyon/' in ua_str:
            log_epicyon_instances(self.server.base_dir, ua_str,
--- a/daemon_post.py
+++ b/daemon_post.py
@ -12,6 +12,7 @@ import errno
 import json
 from socket import error as SocketError
 from flags import is_corporate
+from utils import check_mixed_user_agent
 from utils import string_starts_with
 from utils import is_yggdrasil_address
 from utils import replace_strings
@ -282,6 +283,12 @@ def daemon_http_post(self) -> None:

    ua_str = get_user_agent(self)

+    # contradictory browsers within the user agent indicate
+    # malevolent intent
+    if check_mixed_user_agent(ua_str):
+        http_400(self)
+        return
+
    if ua_str:
        if 'Epicyon/' in ua_str:
            log_epicyon_instances(self.server.base_dir, ua_str,
--- a/utils.py
+++ b/utils.py
@ -4104,6 +4104,22 @@ def get_instance_url(calling_domain: str,
    return instance_url


+def check_mixed_user_agent(ua_str: str):
+    """Check if there are contradicting browsers within the user agent
+    """
+    if not ua_str:
+        return False
+
+    client_user_agents = ('Mozilla', 'Chrome', 'Safari')
+    matching_agents = []
+    for client_ua in client_user_agents:
+        if client_ua in ua_str:
+            matching_agents.append(client_ua)
+    if len(matching_agents) > 1:
+        return True
+    return False
+
+
 def check_bad_path(path: str):
    """for http GET or POST check that the path looks valid
    """