From 3e4cce17d0bae89b90b9521ca43f77d659c4bdf1 Mon Sep 17 00:00:00 2001
From: Tim K <tkuester@users.noreply.github.com>
Date: Fri, 5 Apr 2024 13:29:58 -0400
Subject: [PATCH] dps: Forbid users to specify their own headers

---
 taky/dps/__main__.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/taky/dps/__main__.py b/taky/dps/__main__.py
index 6d5e8c7..c65e2ab 100644
--- a/taky/dps/__main__.py
+++ b/taky/dps/__main__.py
@@ -53,6 +53,19 @@ def handle_request(self, listener, req, client, addr):
         headers = dict(req.headers)
         peer_cert = client.getpeercert()
 
+        # Don't let users specify these header values
+        forbidden_keys = [
+            "X-USER",
+            "X-SERIAL_NUMBER",
+            "X-ISSUER",
+            "X-REVOKED",
+            "X-NOT_BEFORE",
+            "X-NOT_AFTER",
+        ]
+        for keyname in forbidden_keys:
+            if keyname in headers:
+                headers.pop(keyname)
+
         if peer_cert:
             subject = dict(
                 [i for subtuple in peer_cert.get("subject") for i in subtuple]