Blacklist non-printable ascii chars from Content-{Type,Disposition}

streamtg.py

@@ -31,8 +31,18 @@ def verify_hmac(hexdigest, chat_id, message_ids):
             return True
     return False
 
+# saftea
+def string_is_printable_ascii(string):
+    return not any(True for i in string.encode('ascii') if i < b'!' or i > b'~')
+
 async def handler(request):
     query = request.query
+    content_type = query.get('Content-Type')
+    if content_type and not string_is_printable_ascii(content_type):
+        return web.Response(status=400, text='Content-Type has a blacklisted character')
+    content_disposition = query.get('Content-Disposition')
+    if content_disposition and not string_is_printable_ascii(content_disposition):
+        return web.Response(status=400, text='Content-Disposition has a blacklisted character')
     token = query.get('token')
     hexdigest = query.get('hmac')
     if not token and not hexdigest and (authorized_tokens or hmacs):
@@ -124,9 +134,9 @@ async def handler(request):
         'Content-Length': str(length),
         'Accept-Ranges': 'bytes'
     }
-    if content_type := query.get('Content-Type'):
+    if content_type:
         headers['Content-Type'] = content_type
-    if content_disposition := query.get('Content-Disposition'):
+    if content_disposition:
         headers['Content-Disposition'] = content_disposition
 
     async def download():