From 70f7289c8cc8b3a956420cbd20b7d0375eafdf4e Mon Sep 17 00:00:00 2001
From: "Albert S." <mail@quitesimple.org>
Date: Mon, 3 Nov 2025 20:46:12 +0100
Subject: [PATCH] More checks for printable asciis

---
 gateway/httpgateway.cpp | 20 ++++++++++++--------
 utils.cpp               | 13 +++++++++++++
 utils.h                 |  2 ++
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/gateway/httpgateway.cpp b/gateway/httpgateway.cpp
index 248630a..62e1c9b 100644
--- a/gateway/httpgateway.cpp
+++ b/gateway/httpgateway.cpp
@@ -20,6 +20,7 @@ SOFTWARE.
 */
 #include "httpgateway.h"
 #include "../logger.h"
+#include <stdexcept>
 HttpGateway::HttpGateway(std::string listenaddr, int port, uint64_t maxPayloadLength)
 {
 	this->listenaddr = listenaddr;
@@ -34,13 +35,9 @@ bool HttpGateway::keepReading()
 
 Request HttpGateway::convertRequest(httplib::Request request)
 {
-
-	for(auto &c : request.target)
+	if(!utils::is_printable_ascii(request.target))
 	{
-		if( !(c >= ' ' && c <= '~'))
-		{
-			throw std::runtime_error("Invalid chars in URI: " + utils::catv(request.target));
-		}
+		throw std::runtime_error("Invalid chars in URI: " + utils::catv(request.target));
 	}
 
 	Request result;
@@ -64,6 +61,12 @@ Request HttpGateway::convertRequest(httplib::Request request)
 
 	if(request.has_header("COOKIE"))
 	{
+		std::string cookie = request.get_header_value("COOKIE");
+		if(!utils::is_printable_ascii(cookie))
+		{
+			/* We better bail */
+			throw std::runtime_error("Cookie with non printable chars sent");
+		}
 		result.initCookies(request.get_header_value("COOKIE"));
 	}
 	result.setIp("127.0.0.1");
@@ -100,8 +103,9 @@ void HttpGateway::work(RequestWorker &worker)
 		}
 		catch (std::exception &e)
 		{
-			snprintf(buf, sizeof(buf), fmt, e.what());
-			Logger::error() << "Exception caught in Httpgateway::work():" << utils::catv(e.what());
+			std::string exception = utils::html_xss(e.what());
+			snprintf(buf, sizeof(buf), fmt, exception.c_str());
+			Logger::error() << "Exception caught in Httpgateway::work():" << utils::html_xss(utils::catv(e.what()));
 		}
 		catch (...)
 		{
diff --git a/utils.cpp b/utils.cpp
index b18ce88..0de9ad1 100644
--- a/utils.cpp
+++ b/utils.cpp
@@ -238,3 +238,16 @@ std::string utils::catv(std::string_view view)
 	}
 	return result;
 }
+
+bool utils::is_printable_ascii(std::string view)
+{
+	for(char c : view)
+	{
+		if( !(c >= ' ' && c <= '~'))
+		{
+			return false;
+		}
+	}
+	return true;
+}
+
diff --git a/utils.h b/utils.h
index a1c21c2..6ac7f0a 100644
--- a/utils.h
+++ b/utils.h
@@ -93,6 +93,8 @@ template <class T> inline std::string toString(const T &v)
 std::string trim(std::string_view view);
 std::string catv(std::string_view view);
 
+bool is_printable_ascii(std::string view);
+
 
 } // namespace utils
 #endif