Blacklist non-printable ascii chars from Content-{Type,Disposition}

2022-02-12 13:30:38 +07:00 · 2022-02-12 13:30:38 +07:00 · 122aa375a6
parent 3a30cf29c1
commit 122aa375a6
1 changed files with 12 additions and 2 deletions
--- a/streamtg.py
+++ b/streamtg.py
@ -31,8 +31,18 @@ def verify_hmac(hexdigest, chat_id, message_ids):
            return True
    return False

+# saftea
+def string_is_printable_ascii(string):
+    return not any(True for i in string.encode('ascii') if i < b'!' or i > b'~')
+
 async def handler(request):
    query = request.query
+    content_type = query.get('Content-Type')
+    if content_type and not string_is_printable_ascii(content_type):
+        return web.Response(status=400, text='Content-Type has a blacklisted character')
+    content_disposition = query.get('Content-Disposition')
+    if content_disposition and not string_is_printable_ascii(content_disposition):
+        return web.Response(status=400, text='Content-Disposition has a blacklisted character')
    token = query.get('token')
    hexdigest = query.get('hmac')
    if not token and not hexdigest and (authorized_tokens or hmacs):
@ -124,9 +134,9 @@ async def handler(request):
        'Content-Length': str(length),
        'Accept-Ranges': 'bytes'
    }
-    if content_type := query.get('Content-Type'):
+    if content_type:
        headers['Content-Type'] = content_type
-    if content_disposition := query.get('Content-Disposition'):
+    if content_disposition:
        headers['Content-Disposition'] = content_disposition

    async def download():