blankie
/
streamtg
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Blacklist non-printable ascii chars from Content-{Type,Disposition}

This commit is contained in:
blank X 2022-02-12 13:30:38 +07:00
parent 3a30cf29c1
commit 122aa375a6
Signed by: blankie
GPG Key ID: CC15FC822C7F61F5
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
streamtg.py
View File

@ -31,8 +31,18 @@ def verify_hmac(hexdigest, chat_id, message_ids):
return True return True
return False return False
# saftea
def string_is_printable_ascii(string):
return not any(True for i in string.encode('ascii') if i < b'!' or i > b'~')
async def handler(request): async def handler(request):
query = request.query query = request.query
content_type = query.get('Content-Type')
if content_type and not string_is_printable_ascii(content_type):
return web.Response(status=400, text='Content-Type has a blacklisted character')
content_disposition = query.get('Content-Disposition')
if content_disposition and not string_is_printable_ascii(content_disposition):
return web.Response(status=400, text='Content-Disposition has a blacklisted character')
token = query.get('token') token = query.get('token')
hexdigest = query.get('hmac') hexdigest = query.get('hmac')
if not token and not hexdigest and (authorized_tokens or hmacs): if not token and not hexdigest and (authorized_tokens or hmacs):
@ -124,9 +134,9 @@ async def handler(request):
'Content-Length': str(length), 'Content-Length': str(length),
'Accept-Ranges': 'bytes' 'Accept-Ranges': 'bytes'
} }
if content_type := query.get('Content-Type'): if content_type:
headers['Content-Type'] = content_type headers['Content-Type'] = content_type
if content_disposition := query.get('Content-Disposition'): if content_disposition:
headers['Content-Disposition'] = content_disposition headers['Content-Disposition'] = content_disposition
async def download(): async def download():