Fix request reception bugs
authorrs <>
Mon, 22 Dec 2025 03:14:47 +0000 (21:14 -0600)
committerrs <>
Mon, 22 Dec 2025 03:14:47 +0000 (21:14 -0600)
* Reject requests longer than 1024 bytes, as per standard
* Prevent slow-loris-style timeouts

cbs-srv.py

index cb7b6f045033e11cde76a34331f3726b2d51af19..1940529125a0dfb5af63010e115f8d576a4c4d86 100755 (executable)
@@ -13,6 +13,7 @@ import mimetypes
 
 import logging
 import yaml
+import time
 
 logging.basicConfig(level=logging.INFO)
 mimetypes.add_type('text/gemini', '.gmi')
@@ -33,20 +34,26 @@ class CBSException(Exception):
         self.logdata = logdata
 
 
-def recv_req(conn: SSL.Connection, timeout=.1):
+def recv_req(conn: SSL.Connection, timeout=.5):
     data = b''
+    start = time.time()
     while True:
+        # This prevents "slow loris" types of timeouts
+        if time.time() > start + timeout:
+            raise CBSException(59, 'Timeout while waiting for URL')
         ready = select.select([conn], [], [], timeout)
         if ready[0]:
-            data += conn.recv(4096)
+            data += conn.recv(1024)
             if b'\r\n' in data:
                 lines = data.splitlines()
                 if len(lines) > 1:
-                    logging.warning('Discarding data after URL line of request: {}'.format(data))
+                    logging.warning(f'Discarding data after URL line of request: {data}')
+                if len(lines[0]) > 1024:
+                    raise CBSException(59, 'URL too long', lines[0])
                 try:
                     req = lines[0].decode('ascii')
                 except UnicodeDecodeError:
-                    raise CBSException(59, 'Non-ascii URL', data)
+                    raise CBSException(59, 'Non-ascii URL', lines[0])
                 return req
         else:
             raise CBSException(59, 'Timeout while waiting for URL')
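Review bot: The 1024-byte limit in `recv_req` is only checked once `b'\r\n'` appears in `data`, so a peer that never sends CRLF can keep growing the buffer until the deadline, and the warning just above the check logs the whole untrusted buffer before any length test. Cap the buffer right after the `recv`, for example `if len(data) >= 1026 and b'\r\n' not in data[:1026]: raise CBSException(59, 'URL too long')`, and truncate what goes into the log line. The deadline also compares wall-clock `time.time()` while `select` still waits the full `timeout` on each pass, so the total wait can approach twice `timeout` and is sensitive to clock adjustments. Using `deadline = time.monotonic() + timeout` with `select.select([conn], [], [], max(0, deadline - time.monotonic()))` keeps the whole request inside one budget.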