From 122aa375a6eacd3ae71a15da36cdfccc830392c0 Mon Sep 17 00:00:00 2001
From: blank X
Date: Sat, 12 Feb 2022 13:30:38 +0700
Subject: [PATCH] Blacklist non-printable ascii chars from Content-{Type,Disposition}

---
 streamtg.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/streamtg.py b/streamtg.py
index af37c62..b2fd186 100644
--- a/streamtg.py
+++ b/streamtg.py
@@ -31,8 +31,18 @@ def verify_hmac(hexdigest, chat_id, message_ids):
 return True
 return False
+# saftea
+def string_is_printable_ascii(string):
+ return not any(True for i in string.encode('ascii') if i < b'!' or i > b'~')
+
 async def handler(request):
 query = request.query
+ content_type = query.get('Content-Type')
+ if content_type and not string_is_printable_ascii(content_type):
+ return web.Response(status=400, text='Content-Type has a blacklisted character')
+ content_disposition = query.get('Content-Disposition')
+ if content_disposition and not string_is_printable_ascii(content_disposition):
+ return web.Response(status=400, text='Content-Disposition has a blacklisted character')
 token = query.get('token')
 hexdigest = query.get('hmac')
 if not token and not hexdigest and (authorized_tokens or hmacs):
@@ -124,9 +134,9 @@ async def handler(request):
 'Content-Length': str(length),
 'Accept-Ranges': 'bytes'
 }
- if content_type := query.get('Content-Type'):
+ if content_type:
 headers['Content-Type'] = content_type
- if content_disposition := query.get('Content-Disposition'):
+ if content_disposition:
 headers['Content-Disposition'] = content_disposition
 async def download():
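Review bot: `string_is_printable_ascii` in the first hunk raises on every non-empty value instead of returning False: iterating a `bytes` object yields ints, so `i < b'!'` is an int-versus-bytes comparison and raises TypeError, and `string.encode('ascii')` raises UnicodeEncodeError for any non-ASCII input before that is even reached; either exception escapes `handler` as a server error rather than the intended 400. Compare code points directly, `return all(0x21 <= ord(c) <= 0x7e for c in string)`, which rejects CR/LF, other control characters and non-ASCII without raising. This range also rejects the space, which appears in ordinary Content-Type values such as `text/html; charset=utf-8`; if that is unintended, the lower bound can be 0x20 and the check still excludes the header-splitting characters. The comment `# saftea` looks like a typo for `# safety`. `handler` continues past both hunks.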