downloader: limit headers sent to the client to some valid subset
fasthttp doesn't do complete filtering/escaping for us, thus filter here.
This commit is contained in:
parent
91c894cb8c
commit
7a46917781
1 changed files with 25 additions and 0 deletions
|
@ -63,6 +63,28 @@ func (d *detector) Write(data []byte) (int, error) {
|
||||||
return d.Writer.Write(data)
|
return d.Writer.Write(data)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func isValidToken(s string) bool {
|
||||||
|
for _, c := range s {
|
||||||
|
if c <= ' ' || c > 127 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if strings.ContainsRune("()<>@,;:\\\"/[]?={}", c) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
func isValidValue(s string) bool {
|
||||||
|
for _, c := range s {
|
||||||
|
// HTTP specification allows for more technically, but we don't want to escape things.
|
||||||
|
if c < ' ' || c > 127 || c == '"' {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
func (r *request) receiveFile(options *neofs.GetOptions) {
|
func (r *request) receiveFile(options *neofs.GetOptions) {
|
||||||
var (
|
var (
|
||||||
err error
|
err error
|
||||||
|
@ -108,6 +130,9 @@ func (r *request) receiveFile(options *neofs.GetOptions) {
|
||||||
for _, attr := range obj.Attributes() {
|
for _, attr := range obj.Attributes() {
|
||||||
key := attr.Key()
|
key := attr.Key()
|
||||||
val := attr.Value()
|
val := attr.Value()
|
||||||
|
if !isValidToken(key) || !isValidValue(val) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
r.Response.Header.Set("x-"+key, val)
|
r.Response.Header.Set("x-"+key, val)
|
||||||
switch key {
|
switch key {
|
||||||
case object.AttributeFileName:
|
case object.AttributeFileName:
|
||||||
|
|
Loading…
Reference in a new issue