From 6303effe59fb4004a075332f9487ae1b6d4c8b3a Mon Sep 17 00:00:00 2001
From: ed
Date: Thu, 14 Aug 2025 17:49:48 +0000
Subject: [PATCH] configurable max num cookies
---
 copyparty/__main__.py | 2 ++
 copyparty/httpcli.py | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/copyparty/__main__.py b/copyparty/__main__.py
index 86d8cdd5..22e219a7 100644
--- a/copyparty/__main__.py
+++ b/copyparty/__main__.py
@@ -1363,6 +1363,8 @@ def add_safety(ap):
 ap2.add_argument("--sus-urls", metavar="R", type=u, default=r"\.php$|(^|/)wp-(admin|content|includes)/", help="URLs which are considered sus / eligible for banning; disable with blank or [\033[32mno\033[0m]")
 ap2.add_argument("--nonsus-urls", metavar="R", type=u, default=r"^(favicon\.ico|robots\.txt)$|^apple-touch-icon|^\.well-known", help="harmless URLs ignored from 404-bans; disable with blank or [\033[32mno\033[0m]")
 ap2.add_argument("--early-ban", action="store_true", help="if a client is banned, reject its connection as soon as possible; not a good idea to enable when proxied behind cloudflare since it could ban your reverse-proxy")
+ ap2.add_argument("--cookie-nmax", metavar="N", type=int, default=50, help="reject HTTP-request from client if they send more than N cookies")
+ ap2.add_argument("--cookie-cmax", metavar="N", type=int, default=8192, help="reject HTTP-request from client if more than N characters in Cookie header")
 ap2.add_argument("--aclose", metavar="MIN", type=int, default=10, help="if a client maxes out the server connection limit, downgrade it from connection:keep-alive to connection:close for \033[33mMIN\033[0m minutes (and also kill its active connections) -- disable with 0")
 ap2.add_argument("--loris", metavar="B", type=int, default=60, help="if a client maxes out the server connection limit without sending headers, ban it for \033[33mB\033[0m minutes; disable with [\033[32m0\033[0m]")
 ap2.add_argument("--acao", metavar="V[,V]", type=u, default="*", help="Access-Control-Allow-Origin; list of origins (domains/IPs without port) to accept requests from; [\033[32mhttps://1.2.3.4\033[0m]. Default [\033[32m*\033[0m] allows requests from all sites but removes cookies and http-auth; only ?pw=hunter2 survives")
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index a7ff303d..479c4f07 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
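Review bot: The two new `--cookie-nmax` / `--cookie-cmax` flags have no documented off-switch, unlike the neighbouring `--aclose` and `--loris` options whose help text says how to disable them; since httpcli.py compares the raw values with `>`, `--cookie-nmax 0` would answer 400 to every request carrying a cookie rather than disable the check. Either say so in the help text, e.g. `help="reject HTTP-request from client if they send more than N cookies (no off-switch; 0 rejects any cookie)"`, or add a 0-means-disabled branch where the values are consumed. The defaults 50 and 8192 match the hard-coded limits that the httpcli.py hunk replaces, so existing deployments keep their behaviour.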
@@ -562,7 +562,7 @@ class HttpCli(object):
 zso = self.headers.get("cookie")
 if zso:
- if len(zso) > 8192:
+ if len(zso) > self.args.cookie_cmax:
 self.loud_reply("cookie header too big", status=400)
 return False
 zsll = [x.split("=", 1) for x in zso.split(";") if "=" in x]
@@ -570,11 +570,15 @@ class HttpCli(object):
 cookie_pw = cookies.get("cppws") or cookies.get("cppwd") or ""
 if "b" in cookies and "b" not in uparam:
 uparam["b"] = cookies["b"]
+ if len(cookies) > self.args.cookie_nmax:
+ self.loud_reply("too many cookies", status=400)
 else:
 cookies = {}
 cookie_pw = ""
- if len(uparam) > 10 or len(cookies) > 50:
+ if len(uparam) > 12:
+ t = "http-request rejected; num.params: %d %r"
+ self.log(t % (len(uparam), self.req), 3)
 self.loud_reply("u wot m8", status=400)
 return False
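Review bot: The new `if len(cookies) > self.args.cookie_nmax:` branch in the second hunk calls `self.loud_reply("too many cookies", status=400)` but never returns, so the handler keeps going with the full cookie dict and `cookie_pw` after a 400 has already been written — the `cookie_cmax` check in the first hunk and the old `len(cookies) > 50` test both followed the reply with `return False`. Add `return False` on the line after that loud_reply so the limit is actually enforced and the request does not produce a second response. For consistency with the `num.params` branch, log the rejection the same way, e.g. `self.log("http-request rejected; num.cookies: %d %r" % (len(cookies), self.req), 3)`. The enclosing method starts before the first hunk and continues past the second.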