From 87bc2c1611b0a56cc583318975e8a0f99232f638 Mon Sep 17 00:00:00 2001
From: Ian Gulliver
Date: Tue, 30 Apr 2019 02:07:48 +0000
Subject: [PATCH] Whitelist for storing request headers
---
 Makefile | 6 +++---
 fastcgi.cc | 7 ++++---
 fastcgi.h | 6 ++++--
 fastcgi_conn.cc | 7 +++++--
 fastcgi_conn.h | 6 ++++--
 sse.cc | 4 +++-
 6 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/Makefile b/Makefile
index fb93c94..6d72446 100644
--- a/Makefile
+++ b/Makefile
@@ -3,13 +3,13 @@ all: example_simple example_clock
 objects = sse.o sse_stream.o fastcgi.o fastcgi_conn.o fastcgi_request.o fastcgi_parse.o stream_buffer.o buffer.o
 example_simple: example_simple.o $(objects) Makefile
- clang++ -std=gnu++2a -o example_simple example_simple.o $(objects) -lgflags -lglog -lpthread
+ clang++ -O3 -std=gnu++2a -o example_simple example_simple.o $(objects) -lgflags -lglog -lpthread
 example_clock: example_clock.o $(objects) Makefile
- clang++ -std=gnu++2a -o example_clock example_clock.o $(objects) -lgflags -lglog -lpthread
+ clang++ -O3 -std=gnu++2a -o example_clock example_clock.o $(objects) -lgflags -lglog -lpthread
 %.o: %.cc *.h Makefile
- clang++ -std=gnu++2a -Wall -Werror -c -o $@ $<
+ clang++ -O3 -std=gnu++2a -Wall -Werror -c -o $@ $<
 clean:
 rm --force exmaple_simple example_clock *.o
diff --git a/fastcgi.cc b/fastcgi.cc
index f5f27de..e008a85 100644
--- a/fastcgi.cc
+++ b/fastcgi.cc
@@ -7,8 +7,9 @@
 #include "fastcgi.h"
 #include "fastcgi_conn.h"
-FastCGIServer::FastCGIServer(int port, const std::function)>& callback)
- : callback_(callback) {
+FastCGIServer::FastCGIServer(int port, const std::function)>& callback, const std::unordered_set& headers)
+ : callback_(callback),
+ headers_(headers) {
 LOG(INFO) << "listening on [::1]:" << port;
 signal(SIGPIPE, SIG_IGN);
@@ -42,7 +43,7 @@ void FastCGIServer::Serve() {
 PCHECK(client_sock >= 0) << "accept()";
 CHECK_EQ(client_addr.sin6_family, AF_INET6);
- auto *conn = new FastCGIConn(client_sock, client_addr, callback_);
+ auto *conn = new FastCGIConn(client_sock, client_addr, callback_, headers_);
 std::thread thread([conn]() { conn->Serve(); });
 thread.detach();
 }
diff --git a/fastcgi.h b/fastcgi.h
index 1097bd8..47388bc 100644
--- a/fastcgi.h
+++ b/fastcgi.h
@@ -2,15 +2,17 @@
 #include
 #include
+#include
 #include "fastcgi_request.h"
 class FastCGIServer {
 public:
- FastCGIServer(int port, const std::function)>& callback);
+ FastCGIServer(int port, const std::function)>& callback, const std::unordered_set& headers={});
 void Serve();
 private:
 int listen_sock_;
- std::function)> callback_;
+ const std::function)> callback_;
+ const std::unordered_set headers_;
 };
diff --git a/fastcgi_conn.cc b/fastcgi_conn.cc
index 5e13388..b8b1f91 100644
--- a/fastcgi_conn.cc
+++ b/fastcgi_conn.cc
@@ -7,9 +7,10 @@
 #include "fastcgi_parse.h"
 #include "fastcgi_request.h"
-FastCGIConn::FastCGIConn(int sock, const sockaddr_in6& client_addr, const std::function)>& callback)
+FastCGIConn::FastCGIConn(int sock, const sockaddr_in6& client_addr, const std::function)>& callback, const std::unordered_set& headers)
 : sock_(sock),
 callback_(callback),
+ headers_(headers),
 buf_(sock, fastcgi_max_record_len) {
 char client_addr_str[INET6_ADDRSTRLEN];
 PCHECK(inet_ntop(AF_INET6, &client_addr.sin6_addr, client_addr_str, sizeof(client_addr_str)));
@@ -61,7 +62,9 @@ void FastCGIConn::Serve() {
 const auto *param_header = param_buf.ReadObj();
 std::string_view key(param_buf.Read(param_header->key_length), param_header->key_length);
 std::string_view value(param_buf.Read(param_header->value_length), param_header->value_length);
- request_->AddParam(key, value);
+ if (headers_.find(key) != headers_.end()) {
+ request_->AddParam(key, value);
+ }
 }
 }
 break;
diff --git a/fastcgi_conn.h b/fastcgi_conn.h
index 3b7069a..8be573b 100644
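Review bot: In the fastcgi.cc `Serve()` hunk, `callback_` and `headers_` are handed to a `FastCGIConn` that runs on a detached thread, and the fastcgi_conn.h hunk (`@@ -19,7 +20,8 @@`) turns both members into references, so every connection now points into the `FastCGIServer` object instead of owning copies. If the server can ever be destroyed while a connection thread is still running, those references dangle; nothing visible in these hunks joins or tracks the threads. Either keep `callback_` and `headers_` as by-value members of `FastCGIConn` (drop the `&`), or state the requirement on its constructor, e.g. `// callback and headers are held by reference and must outlive this connection.` `Serve()` starts and continues outside the hunk.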
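Review bot: The default `headers={}` on the `FastCGIServer` constructor in fastcgi.h means a caller that omits the argument now receives requests with no params stored at all, because `FastCGIConn::Serve()` only calls `AddParam` for keys found in the set. Dropping everything by default is the conservative choice, but it is a silent behaviour change for existing two-argument callers and is not documented. I would add a comment above the declaration: `// headers: names of FastCGI params to keep (e.g. "HTTP_ACCEPT"); all others are dropped, and the default keeps none.`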
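Review bot: The check added around `request_->AddParam(key, value)` in fastcgi_conn.cc gates every FastCGI param, not only request headers, so any other variable the web server sends is dropped too unless it is listed; the name `headers_` understates that. The lookup is a plain `find(key)`, so entries have to be spelled exactly as they arrive in the params record (sse.cc passes `"HTTP_ACCEPT"`). A short comment on the `if` would make this clear to the next reader: `// Allowlist applies to every FastCGI param, matched by exact name.` `FastCGIConn::Serve()` starts and ends outside the hunk.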
--- a/fastcgi_conn.h
+++ b/fastcgi_conn.h
@@ -2,6 +2,7 @@
 #include
 #include
+#include
 #include "stream_buffer.h"
@@ -10,7 +11,7 @@ class FastCGIRequest;
 class FastCGIConn {
 public:
- FastCGIConn(int sock, const sockaddr_in6& client_addr, const std::function)>& callback);
+ FastCGIConn(int sock, const sockaddr_in6& client_addr, const std::function)>& callback, const std::unordered_set& headers);
 ~FastCGIConn();
 void Serve();
@@ -19,7 +20,8 @@ class FastCGIConn {
 private:
 const int sock_;
- std::function)> callback_;
+ const std::function)>& callback_;
+ const std::unordered_set& headers_;
 uint64_t requests_ = 0;
diff --git a/sse.cc b/sse.cc
index 28db3fc..b4470dc 100644
--- a/sse.cc
+++ b/sse.cc
@@ -2,7 +2,9 @@
 SSEServer::SSEServer(int port, const std::function)>& callback)
 : callback_(callback),
- fastcgi_server_(port, [this](std::unique_ptr request) { OnRequest(std::move(request)); }) {}
+ fastcgi_server_(port,
+ [this](std::unique_ptr request) { OnRequest(std::move(request)); },
+ {"HTTP_ACCEPT"}) {}
 void SSEServer::Serve() {
 fastcgi_server_.Serve();