From 7a4691778165cceb60a2b217f6db5d322aa21745 Mon Sep 17 00:00:00 2001
From: Roman Khimov
Date: Thu, 29 Apr 2021 23:46:38 +0300
Subject: [PATCH] downloader: limit headers sent to the client to some valid subset

fasthttp doesn't do complete filtering/escaping for us, thus filter here.
---
 downloader/download.go | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/downloader/download.go b/downloader/download.go
index 60fca76..037710d 100644
--- a/downloader/download.go
+++ b/downloader/download.go
@@ -63,6 +63,28 @@ func (d *detector) Write(data []byte) (int, error) {
 	return d.Writer.Write(data)
 }
 
+func isValidToken(s string) bool {
+	for _, c := range s {
+		if c <= ' ' || c > 127 {
+			return false
+		}
+		if strings.ContainsRune("()<>@,;:\\\"/[]?={}", c) {
+			return false
+		}
+	}
+	return true
+}
+
+func isValidValue(s string) bool {
+	for _, c := range s {
+		// HTTP specification allows for more technically, but we don't want to escape things.
+		if c < ' ' || c > 127 || c == '"' {
+			return false
+		}
+	}
+	return true
+}
+
 func (r *request) receiveFile(options *neofs.GetOptions) {
 	var (
 		err error
@@ -108,6 +130,9 @@ func (r *request) receiveFile(options *neofs.GetOptions) {
 	for _, attr := range obj.Attributes() {
 		key := attr.Key()
 		val := attr.Value()
+		if !isValidToken(key) || !isValidValue(val) {
+			continue
+		}
 		r.Response.Header.Set("x-"+key, val)
 		switch key {
 		case object.AttributeFileName:
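Review bot: Both new validators let DEL (0x7F) through, because the upper-bound test in isValidToken and isValidValue is `c > 127`, so a key or value containing 0x7F still reaches `r.Response.Header.Set` in the second hunk; RFC 7230 excludes DEL from both tchar and field-vchar, and a control byte in a header is exactly what this commit set out to keep away from fasthttp. Change the checks to `if c <= ' ' || c >= 127 {` in isValidToken and `if c < ' ' || c >= 127 || c == '"' {` in isValidValue. Both helpers are complete within the hunk; receiveFile starts and continues outside it. The hunk calls `strings.ContainsRune` but the import block is not part of the diff — presumably `strings` is already imported in download.go, which is worth confirming.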