Test for invalid characters on HTTP GET

2024-07-19 19:11:54 +01:00 · 2024-07-19 19:11:54 +01:00 · ccb2073d36
parent da341f92f1
commit ccb2073d36
3 changed files with 28 additions and 4 deletions
--- a/daemon_get.py
+++ b/daemon_get.py
@ -85,6 +85,7 @@ from httpcodes import http_304
 from httpcodes import http_400
 from httpcodes import http_503
 from httpcodes import write2
+from utils import contains_invalid_chars
 from utils import save_json
 from utils import data_dir
 from utils import user_agent_domain
@ -244,8 +245,14 @@ def daemon_http_get(self) -> None:

    if self.headers.get('Server'):
        if self.headers['Server'] in corp_servers():
-            if self.server.debug:
-                print('Corporate leech bounced: ' + self.headers['Server'])
+            print('GET HTTP Corporate leech bounced: ' +
+                  self.headers['Server'])
+            http_402(self)
+            return
+
+    if contains_invalid_chars(str(self.headers)):
+        print('GET HTTP headers contain invalid characters ' +
+              str(self.headers))
        http_402(self)
        return

--- a/daemon_post.py
+++ b/daemon_post.py
@ -11,6 +11,7 @@ import time
 import errno
 import json
 from socket import error as SocketError
+from utils import corp_servers
 from utils import string_ends_with
 from utils import get_config_param
 from utils import decoded_host
@ -29,8 +30,9 @@ from inbox import inbox_message_has_params
 from inbox import inbox_permitted_message
 from httpsig import getheader_signature_input
 from httpcodes import http_200
-from httpcodes import http_404
 from httpcodes import http_400
+from httpcodes import http_402
+from httpcodes import http_404
 from httpcodes import http_503
 from httpheaders import redirect_headers
 from daemon_utils import get_user_agent
@ -118,6 +120,21 @@ def daemon_http_post(self) -> None:
    self.server.postreq_busy = True
    self.server.last_postreq = curr_time_postreq

+    if self.headers.get('Server'):
+        if self.headers['Server'] in corp_servers():
+            print('POST HTTP Corporate leech bounced: ' +
+                  self.headers['Server'])
+            http_402(self)
+            self.server.postreq_busy = False
+            return
+
+    if contains_invalid_chars(str(self.headers)):
+        print('POST HTTP headers contain invalid characters ' +
+              str(self.headers))
+        http_402(self)
+        self.server.postreq_busy = False
+        return
+
    ua_str = get_user_agent(self)

    block, self.server.blocked_cache_last_updated = \
--- a/scripts/invalid
+++ b/scripts/invalid
@ -1,2 +1,2 @@
 #!/bin/bash
-journalctl -u epicyon | grep "invalid header"
+journalctl -u epicyon | grep "invalid header\|invalid characters"