dps: Forbid users to specify their own headers
tkuester committed Apr 5, 2024
1 parent 0cd64c9 commit 3e4cce1
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions taky/dps/__main__.py
Expand Up @@ -53,6 +53,19 @@ def handle_request(self, listener, req, client, addr):
headers = dict(req.headers)
peer_cert = client.getpeercert()

# Don't let users specify these header values
forbidden_keys = [
"X-USER",
"X-SERIAL_NUMBER",
"X-ISSUER",
"X-REVOKED",
"X-NOT_BEFORE",
"X-NOT_AFTER",
]
for keyname in forbidden_keys:
if keyname in headers:
headers.pop(keyname)

if peer_cert:
subject = dict(
[i for subtuple in peer_cert.get("subject") for i in subtuple]
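Review bot: The strip loop at `for keyname in forbidden_keys:` compares header names case-sensitively against a plain `dict`, but HTTP header names are case-insensitive, so a client sending `x-user: admin` or `X-User: admin` keeps its header while only the exact spelling `X-USER` is removed. If `req.headers` is an `email.message.Message`/`HTTPMessage` (case-insensitive lookup), `dict(req.headers)` turns it into a plain dict keyed by whatever casing the client chose, which is what makes the bypass possible. Normalize before comparing, e.g. `for keyname in list(headers):` / `    if keyname.upper() in forbidden_keys:` / `        headers.pop(keyname)`, or rebuild `headers` as an allowlist of the names the server actually needs rather than a denylist. If whatever consumes these headers downstream folds `-` and `_` together (WSGI's `HTTP_*` environ does), spellings like `X-SERIAL-NUMBER` would also need to be stripped; I can't confirm the consumer from this hunk. `handle_request` begins and continues outside the hunk.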
