From da5e8103eda006680cfafae0811151fee133d064 Mon Sep 17 00:00:00 2001
From: Cathal Garvey <cathalgarvey@cathalgarvey.me>
Date: Fri, 22 Jan 2021 00:28:33 +0000
Subject: [PATCH] Adding Idempotent IDNA Decodes to Domain Checks

This operation _should_ be safe for non-IDNA domains. However, because so many different systems like Tor, Briar, i2p, etcetera, are supported by Epicyon, perhaps even this seemingly safe host transformation should be made opt-in as an argument to epicyon.
---
 daemon.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/daemon.py b/daemon.py
index bae485674..b0e2cc084 100644
--- a/daemon.py
+++ b/daemon.py
@@ -17,6 +17,7 @@ from socket import error as SocketError
 import errno
 from functools import partial
 import pyqrcode
+import idna
 # for saving images
 from hashlib import sha256
 from hashlib import sha1
@@ -9759,7 +9760,9 @@ class PubServer(BaseHTTPRequestHandler):
     def do_GET(self):
         callingDomain = self.server.domainFull
         if self.headers.get('Host'):
-            callingDomain = self.headers['Host']
+            # IDNA decoding is an idempotent operation so this should not break 'normal' domains.
+            # For non-IDNA domains perhaps this behaviour should be disabled: TODO add config option?
+            callingDomain = idna.decode(self.headers['Host'])
             if self.server.onionDomain:
                 if callingDomain != self.server.domain and \
                    callingDomain != self.server.domainFull and \
@@ -11908,7 +11911,8 @@ class PubServer(BaseHTTPRequestHandler):
     def do_HEAD(self):
         callingDomain = self.server.domainFull
         if self.headers.get('Host'):
-            callingDomain = self.headers['Host']
+            # As in the GET handler this should be idempotent but for security maybe make configurable.
+            callingDomain = idna.decode(self.headers['Host'])
             if self.server.onionDomain:
                 if callingDomain != self.server.domain and \
                    callingDomain != self.server.domainFull and \
@@ -12842,7 +12846,8 @@ class PubServer(BaseHTTPRequestHandler):
 
         callingDomain = self.server.domainFull
         if self.headers.get('Host'):
-            callingDomain = self.headers['Host']
+            # As notes in the GET handler, this should be idempotent but should be configurable just in case
+            callingDomain = idna.decode(self.headers['Host'])
             if self.server.onionDomain:
                 if callingDomain != self.server.domain and \
                    callingDomain != self.server.domainFull and \