From 511f5cf192699319d083e24246ada91f4f215593 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Thu, 15 Oct 2020 09:59:08 +0100 Subject: [PATCH] Check for invalid characters --- daemon.py | 6 ++++++ utils.py | 13 +++++++++++++ 2 files changed, 19 insertions(+) diff --git a/daemon.py b/daemon.py index 522703d8f..048bdf494 100644 --- a/daemon.py +++ b/daemon.py @@ -164,6 +164,7 @@ from shares import getSharesFeedForPerson from shares import addShare from shares import removeShare from shares import expireShares +from utils import containsInvalidChars from utils import isSystemAccount from utils import setConfigParam from utils import getConfigParam @@ -11759,6 +11760,11 @@ class PubServer(BaseHTTPRequestHandler): self.server.POSTbusy = False return + if containsInvalidChars(messageBytes.decode("utf-8")): + self._400() + self.server.POSTbusy = False + return + # convert the raw bytes to json messageJson = json.loads(messageBytes) diff --git a/utils.py b/utils.py index bc8f9f061..6ed6c1c62 100644 --- a/utils.py +++ b/utils.py @@ -273,6 +273,19 @@ def isEvil(domain: str) -> bool: return False +def containsInvalidChars(jsonStr: str) -> bool: + """Does the given json string contain invalid characters? + e.g. dubious clacks/admin dogwhistles + """ + invalidStrings = { + '卐', '卍', '࿕', '࿖', '࿗', '࿘' + } + for isInvalid in invalidStrings: + if isInvalid in jsonStr: + return True + return False + + def createPersonDir(nickname: str, domain: str, baseDir: str, dirname: str) -> str: """Create a directory for a person
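Review bot: `messageBytes.decode("utf-8")` in the daemon.py hunk can raise `UnicodeDecodeError` on a request body that is not valid UTF-8, and nothing visible here catches it. The surrounding lines reset `self.server.POSTbusy` by hand before each `return`, so an exception at this point would presumably skip that reset as well as the 400 response. Decode inside a `try` and treat a decode failure like the other rejected cases, then pass the decoded string to the check. The enclosing handler method starts and ends outside the hunk, so an outer `try` may already cover this; worth confirming.

```python
try:
    messageStr = messageBytes.decode("utf-8")
except UnicodeDecodeError:
    # body is not valid UTF-8: reject it like any other malformed POST
    self._400()
    self.server.POSTbusy = False
    return
if containsInvalidChars(messageStr):
    # … unchanged: 400 response, POSTbusy reset, return …
```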
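Review bot: `containsInvalidChars` in the utils.py hunk matches literal code points in the serialized JSON text, and the daemon.py caller runs it before `json.loads`, so the same characters written as JSON `\uXXXX` escapes are not matched and only appear after parsing. Running the check on the parsed values closes that gap, for example by calling it after `json.loads` on `json.dumps(messageJson, ensure_ascii=False)`. The docstring should state which form of the text the argument is expected to be in. As a style point, the loop variable `isInvalid` holds a string rather than a flag, and the loop reduces to `return any(s in jsonStr for s in invalidStrings)`.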