From 3e4cce17d0bae89b90b9521ca43f77d659c4bdf1 Mon Sep 17 00:00:00 2001
From: Tim K
Date: Fri, 5 Apr 2024 13:29:58 -0400
Subject: [PATCH] dps: Forbid users to specify their own headers
---
 taky/dps/__main__.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/taky/dps/__main__.py b/taky/dps/__main__.py
index 6d5e8c7..c65e2ab 100644
--- a/taky/dps/__main__.py
+++ b/taky/dps/__main__.py
@@ -53,6 +53,19 @@ def handle_request(self, listener, req, client, addr):
 headers = dict(req.headers)
 peer_cert = client.getpeercert()
 
+ # Don't let users specify these header values
+ forbidden_keys = [
+ "X-USER",
+ "X-SERIAL_NUMBER",
+ "X-ISSUER",
+ "X-REVOKED",
+ "X-NOT_BEFORE",
+ "X-NOT_AFTER",
+ ]
+ for keyname in forbidden_keys:
+ if keyname in headers:
+ headers.pop(keyname)
+
 if peer_cert:
 subject = dict(
 [i for subtuple in peer_cert.get("subject") for i in subtuple]
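Review bot: The new filter compares header names case-sensitively against upper-case strings, but HTTP header names are case-insensitive, so a client sending `x-user: admin` (or `X-User`) is not removed by the `for keyname in forbidden_keys` loop and still reaches whatever downstream reads these headers case-insensitively. Whether `dict(req.headers)` preserves the client's casing depends on the type of `req`, which is defined outside the hunk, so this needs confirming; if it does, normalise before comparing, e.g. `forbidden_keys = {"X-USER", "X-SERIAL_NUMBER", "X-ISSUER", "X-REVOKED", "X-NOT_BEFORE", "X-NOT_AFTER"}` followed by `headers = {k: v for k, v in headers.items() if k.upper() not in forbidden_keys}`. If a later layer also folds `-` and `_` together in header names, spellings such as `X-NOT-BEFORE` or `X_USER` would need the same treatment. The enclosing `handle_request` begins before the hunk and continues after it, so the code that actually sets these headers from the peer certificate is not visible here.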