indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

Adding Idempotent IDNA Decodes to Domain Checks 

This operation _should_ be safe for non-IDNA domains. However, because so many different systems like Tor, Briar, i2p, etcetera, are supported by Epicyon, perhaps even this seemingly safe host transformation should be made opt-in as an argument to epicyon.
merge-requests/30/head
Cathal Garvey 2021-01-22 00:28:33 +00:00
parent 449d91c0ea
commit da5e8103ed
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
daemon.py
View File

@ -17,6 +17,7 @@ from socket import error as SocketError
import errno import errno
from functools import partial from functools import partial
import pyqrcode import pyqrcode
import idna
# for saving images # for saving images
from hashlib import sha256 from hashlib import sha256
from hashlib import sha1 from hashlib import sha1
@ -9759,7 +9760,9 @@ class PubServer(BaseHTTPRequestHandler):
def do_GET(self): def do_GET(self):
callingDomain = self.server.domainFull callingDomain = self.server.domainFull
if self.headers.get('Host'): if self.headers.get('Host'):
callingDomain = self.headers['Host'] # IDNA decoding is an idempotent operation so this should not break 'normal' domains.
# For non-IDNA domains perhaps this behaviour should be disabled: TODO add config option?
callingDomain = idna.decode(self.headers['Host'])
if self.server.onionDomain: if self.server.onionDomain:
if callingDomain != self.server.domain and \ if callingDomain != self.server.domain and \
callingDomain != self.server.domainFull and \ callingDomain != self.server.domainFull and \
@ -11908,7 +11911,8 @@ class PubServer(BaseHTTPRequestHandler):
def do_HEAD(self): def do_HEAD(self):
callingDomain = self.server.domainFull callingDomain = self.server.domainFull
if self.headers.get('Host'): if self.headers.get('Host'):
callingDomain = self.headers['Host'] # As in the GET handler this should be idempotent but for security maybe make configurable.
callingDomain = idna.decode(self.headers['Host'])
if self.server.onionDomain: if self.server.onionDomain:
if callingDomain != self.server.domain and \ if callingDomain != self.server.domain and \
callingDomain != self.server.domainFull and \ callingDomain != self.server.domainFull and \
@ -12842,7 +12846,8 @@ class PubServer(BaseHTTPRequestHandler):
callingDomain = self.server.domainFull callingDomain = self.server.domainFull
if self.headers.get('Host'): if self.headers.get('Host'):
callingDomain = self.headers['Host'] # As notes in the GET handler, this should be idempotent but should be configurable just in case
callingDomain = idna.decode(self.headers['Host'])
if self.server.onionDomain: if self.server.onionDomain:
if callingDomain != self.server.domain and \ if callingDomain != self.server.domain and \
callingDomain != self.server.domainFull and \ callingDomain != self.server.domainFull and \