Check for suspicious headers

2024-07-26 21:16:56 +01:00 · 2024-07-26 21:16:56 +01:00 · b05968e9b7
parent ba07e86fec
commit b05968e9b7
3 changed files with 28 additions and 1 deletions
--- a/daemon_get.py
+++ b/daemon_get.py
@ -78,6 +78,7 @@ from httprequests import request_http
 from httpheaders import set_headers
 from httpheaders import logout_headers
 from httpheaders import logout_redirect
+from httpheaders import contains_suspicious_headers
 from httpcodes import http_200
 from httpcodes import http_402
 from httpcodes import http_403
@ -262,6 +263,12 @@ def daemon_http_get(self) -> None:
        http_402(self)
        return

+    # suspicious headers
+    if contains_suspicious_headers(self.headers):
+        print('GET HTTP suspicious headers ' + str(self.headers))
+        http_403(self)
+        return
+
    if contains_invalid_chars(str(self.headers)):
        print('GET HTTP headers contain invalid characters ' +
              str(self.headers))
--- a/daemon_post.py
+++ b/daemon_post.py
@ -35,6 +35,7 @@ from httpcodes import http_402
 from httpcodes import http_403
 from httpcodes import http_404
 from httpcodes import http_503
+from httpheaders import contains_suspicious_headers
 from httpheaders import update_headers_catalog
 from httpheaders import redirect_headers
 from daemon_utils import get_user_agent
@ -99,6 +100,12 @@ def daemon_http_post(self) -> None:
        http_402(self)
        return

+    # suspicious headers
+    if contains_suspicious_headers(self.headers):
+        print('POST HTTP suspicious headers ' + str(self.headers))
+        http_403(self)
+        return
+
    calling_domain = self.server.domain_full
    if self.headers.get('Host'):
        calling_domain = decoded_host(self.headers['Host'])
--- a/httpheaders.py
+++ b/httpheaders.py
@ -219,10 +219,23 @@ def update_headers_catalog(base_dir: str, headers_catalog: {},
    for fieldname, fieldvalue in headers.items():
        if fieldname in headers_catalog:
            continue
-        if fieldname == 'cookie' or fieldname == 'Cookie':
+        if fieldname in ('cookie', 'Cookie'):
            fieldvalue = ""
        headers_catalog[fieldname] = fieldvalue
        changed = True

    if changed:
        save_json(headers_catalog, headers_catalog_fieldname)
+
+
+def contains_suspicious_headers(headers: {}) -> bool:
+    """returns true if the given headers contain something suspicious
+    """
+    if 'Shellshock' in headers or \
+       'shellshock' in headers or \
+       'think-lang' in headers or \
+       'Think-lang' in headers:
+        return True
+    if '../../' in str(headers):
+        return True
+    return False