alexvanin/frostfs-http-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-http-gw
Code Issues Pull requests Projects Releases Packages Wiki Activity

downloader: limit headers sent to the client to some valid subset

Browse source 
fasthttp doesn't do complete filtering/escaping for us, thus filter here.
This commit is contained in:
Roman Khimov 2021-04-29 23:46:38 +03:00 committed by Roman Khimov
parent 91c894cb8c
commit 7a46917781
1 changed files with 25 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
downloader/download.go
View file

@ -63,6 +63,28 @@ func (d *detector) Write(data []byte) (int, error) {
return d.Writer.Write(data) return d.Writer.Write(data)
} }
func isValidToken(s string) bool {
for _, c := range s {
if c <= ' ' || c > 127 {
return false
}
if strings.ContainsRune("()<>@,;:\\\"/[]?={}", c) {
return false
}
}
return true
}
func isValidValue(s string) bool {
for _, c := range s {
// HTTP specification allows for more technically, but we don't want to escape things.
if c < ' ' || c > 127 || c == '"' {
return false
}
}
return true
}
func (r *request) receiveFile(options *neofs.GetOptions) { func (r *request) receiveFile(options *neofs.GetOptions) {
var ( var (
err error err error
@ -108,6 +130,9 @@ func (r *request) receiveFile(options *neofs.GetOptions) {
for _, attr := range obj.Attributes() { for _, attr := range obj.Attributes() {
key := attr.Key() key := attr.Key()
val := attr.Value() val := attr.Value()
if !isValidToken(key) || !isValidValue(val) {
continue
}
r.Response.Header.Set("x-"+key, val) r.Response.Header.Set("x-"+key, val)
switch key { switch key {
case object.AttributeFileName: case object.AttributeFileName: