Test for invalid characters on HTTP GET

daemon_get.py

@@ -85,6 +85,7 @@ from httpcodes import http_304
 from httpcodes import http_400
 from httpcodes import http_503
 from httpcodes import write2
+from utils import contains_invalid_chars
 from utils import save_json
 from utils import data_dir
 from utils import user_agent_domain
@@ -244,11 +245,17 @@ def daemon_http_get(self) -> None:
 
     if self.headers.get('Server'):
         if self.headers['Server'] in corp_servers():
-            if self.server.debug:
-                print('Corporate leech bounced: ' + self.headers['Server'])
+            print('GET HTTP Corporate leech bounced: ' +
+                  self.headers['Server'])
             http_402(self)
             return
 
+    if contains_invalid_chars(str(self.headers)):
+        print('GET HTTP headers contain invalid characters ' +
+              str(self.headers))
+        http_402(self)
+        return
+
     if self.headers.get('Host'):
         calling_domain = decoded_host(self.headers['Host'])
         if self.server.onion_domain:

daemon_post.py

@@ -11,6 +11,7 @@ import time
 import errno
 import json
 from socket import error as SocketError
+from utils import corp_servers
 from utils import string_ends_with
 from utils import get_config_param
 from utils import decoded_host
@@ -29,8 +30,9 @@ from inbox import inbox_message_has_params
 from inbox import inbox_permitted_message
 from httpsig import getheader_signature_input
 from httpcodes import http_200
-from httpcodes import http_404
 from httpcodes import http_400
+from httpcodes import http_402
+from httpcodes import http_404
 from httpcodes import http_503
 from httpheaders import redirect_headers
 from daemon_utils import get_user_agent
@@ -118,6 +120,21 @@ def daemon_http_post(self) -> None:
     self.server.postreq_busy = True
     self.server.last_postreq = curr_time_postreq
 
+    if self.headers.get('Server'):
+        if self.headers['Server'] in corp_servers():
+            print('POST HTTP Corporate leech bounced: ' +
+                  self.headers['Server'])
+            http_402(self)
+            self.server.postreq_busy = False
+            return
+
+    if contains_invalid_chars(str(self.headers)):
+        print('POST HTTP headers contain invalid characters ' +
+              str(self.headers))
+        http_402(self)
+        self.server.postreq_busy = False
+        return
+
     ua_str = get_user_agent(self)
 
     block, self.server.blocked_cache_last_updated = \

scripts/invalid

@@ -1,2 +1,2 @@
 #!/bin/bash
-journalctl -u epicyon | grep "invalid header"
+journalctl -u epicyon | grep "invalid header\|invalid characters"