From 6ef3a7746503c283f00464be6b495aa9dfdebc66 Mon Sep 17 00:00:00 2001
From: n9k
Date: Tue, 14 Jun 2022 04:50:28 +0000
Subject: [PATCH] Explicitly reject weird tokens

Includes really long tokens
---
 anonstream/routes/wrappers.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/anonstream/routes/wrappers.py b/anonstream/routes/wrappers.py
index 8a4484d..904959d 100644
--- a/anonstream/routes/wrappers.py
+++ b/anonstream/routes/wrappers.py
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 import hashlib
+import re
+import string
 import time
 from functools import wraps
 
@@ -19,6 +21,15 @@ USERS_BY_TOKEN = current_app.users_by_token
 USERS = current_app.users
 USERS_UPDATE_BUFFER = current_app.users_update_buffer
 
+TOKEN_ALPHABET = (
+    string.digits
+    + string.ascii_lowercase
+    + string.ascii_uppercase
+    + string.punctuation
+    + ' '
+)
+RE_TOKEN = re.compile(r'[%s]{1,256}' % re.escape(TOKEN_ALPHABET))
+
 def check_auth(context):
     auth = context.authorization
     return (
@@ -69,6 +80,10 @@ def with_user_from(context):
         or generate_token()
     )
 
+    # Reject invalid tokens
+    if not RE_TOKEN.fullmatch(token):
+        raise abort(400)
+
     # Update / create user
     user = USERS_BY_TOKEN.get(token)
     if user is not None:
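Review bot: The accepted alphabet and the 256-character cap in `TOKEN_ALPHABET` / `RE_TOKEN` are undocumented, and the alphabet is broader than a reader of "reject weird tokens" might expect: it admits a space and every ASCII punctuation character, so the check bounds length and excludes control characters and non-ASCII, but does not restrict tokens to a URL- or header-safe set. A comment above the definition should state that intent, e.g. `# A token is 1-256 printable ASCII characters (digits, letters, punctuation, space);` `# this bounds length and rejects control/non-ASCII bytes, nothing stricter.` The pattern itself looks correct: `re.escape` handles `]`, `^`, `-` and `\` inside the character class, and `fullmatch` (used in the later hunk) anchors both ends.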
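Review bot: The check at `if not RE_TOKEN.fullmatch(token):` also runs on the result of `generate_token()`, because the `or generate_token()` fallback on the line above is folded into `token` before validation; if `generate_token` (defined outside this hunk) ever emits a character outside `TOKEN_ALPHABET` or more than 256 characters, every visitor who arrives without a token gets a 400 instead of a fresh identity. Worth pinning with a unit test that `RE_TOKEN.fullmatch(generate_token())` holds, or at least a comment such as `# generate_token() must emit tokens that satisfy RE_TOKEN`. In Flask/Quart (which `current_app` suggests this is) `abort(400)` raises on its own, so `raise abort(400)` works but the `raise` is redundant; plain `abort(400)` matches the framework's convention. `with_user_from` begins before this hunk.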