2005-07-25 02:18:37 +00:00
|
|
|
require 'uri'
|
2005-07-24 20:53:54 +00:00
|
|
|
require 'rex/proto/http'
|
|
|
|
|
|
|
|
module Rex
|
|
|
|
module Proto
|
|
|
|
module Http
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# HTTP request class.
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class Request < Packet
|
|
|
|
|
|
|
|
##
|
|
|
|
#
|
|
|
|
# Some individual request types.
|
|
|
|
#
|
|
|
|
##
|
2005-11-15 05:22:13 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# HTTP GET request class wrapper.
|
|
|
|
#
|
2005-07-24 20:53:54 +00:00
|
|
|
class Get < Request
|
|
|
|
def initialize(uri = '/', proto = DefaultProtocol)
|
|
|
|
super('GET', uri, proto)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# HTTP POST request class wrapper.
|
|
|
|
#
|
2005-07-24 20:53:54 +00:00
|
|
|
class Post < Request
|
|
|
|
def initialize(uri = '/', proto = DefaultProtocol)
|
|
|
|
super('POST', uri, proto)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# HTTP PUT request class wrapper.
|
|
|
|
#
|
2005-07-24 20:53:54 +00:00
|
|
|
class Put < Request
|
|
|
|
def initialize(uri = '/', proto = DefaultProtocol)
|
|
|
|
super('PUT', uri, proto)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# Initializes an instance of an HTTP request with the supplied method, URI,
|
|
|
|
# and protocol.
|
|
|
|
#
|
2005-07-24 20:53:54 +00:00
|
|
|
def initialize(method = 'GET', uri = '/', proto = DefaultProtocol)
|
|
|
|
super()
|
|
|
|
|
2005-07-25 02:18:37 +00:00
|
|
|
self.method = method
|
2006-01-23 21:58:53 +00:00
|
|
|
self.raw_uri = uri
|
2005-07-25 02:18:37 +00:00
|
|
|
self.uri_parts = {}
|
2005-09-15 23:37:38 +00:00
|
|
|
self.proto = proto || DefaultProtocol
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
self.chunk_min_size = 1
|
|
|
|
self.chunk_max_size = 10
|
2005-09-15 23:37:38 +00:00
|
|
|
|
2005-11-24 02:02:10 +00:00
|
|
|
update_uri_parts
|
2005-07-24 20:53:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Updates the command parts for this specific packet type.
|
|
|
|
#
|
|
|
|
def update_cmd_parts(str)
|
|
|
|
if (md = str.match(/^(.+?)\s+(.+?)\s+HTTP\/(.+?)\r?\n?$/))
|
2005-07-25 02:18:37 +00:00
|
|
|
self.method = md[1]
|
2006-01-23 21:58:53 +00:00
|
|
|
self.raw_uri = URI.decode(md[2])
|
2005-07-25 02:18:37 +00:00
|
|
|
self.proto = md[3]
|
|
|
|
|
2005-11-24 02:02:10 +00:00
|
|
|
update_uri_parts
|
2005-07-25 02:18:37 +00:00
|
|
|
else
|
|
|
|
raise RuntimeError, "Invalid request command string", caller
|
2005-07-24 20:53:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2005-11-24 02:02:10 +00:00
|
|
|
#
|
|
|
|
# Split the URI into the resource being requested and its query string.
|
|
|
|
#
|
|
|
|
def update_uri_parts
|
|
|
|
# If it has a query string, get the parts.
|
2006-01-23 21:58:53 +00:00
|
|
|
if ((self.raw_uri) and (md = self.raw_uri.match(/(.+?)\?(.*)$/)))
|
2005-11-24 02:02:10 +00:00
|
|
|
self.uri_parts['QueryString'] = parse_cgi_qstring(md[2])
|
|
|
|
self.uri_parts['Resource'] = md[1]
|
|
|
|
# Otherwise, just assume that the URI is equal to the resource being
|
|
|
|
# requested.
|
|
|
|
else
|
2005-11-24 05:13:40 +00:00
|
|
|
self.uri_parts['QueryString'] = {}
|
2006-01-23 21:58:53 +00:00
|
|
|
self.uri_parts['Resource'] = self.raw_uri
|
2005-11-24 02:02:10 +00:00
|
|
|
end
|
|
|
|
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
self.normalize!(resource)
|
2005-11-24 02:02:10 +00:00
|
|
|
# Set the relative resource to the actual resource.
|
|
|
|
self.relative_resource = resource
|
|
|
|
end
|
|
|
|
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
# normalize out multiple slashes, directory traversal, and self referrential directories
|
|
|
|
def normalize!(str)
|
|
|
|
i = nil
|
|
|
|
while (str.gsub!(/(\/\.\/|\/\w+\/\.\.\/|\/\/)/,'/')); if (i.nil?); i = 1; else; i += 1; end; end
|
|
|
|
i
|
|
|
|
end
|
|
|
|
|
2006-01-23 21:58:53 +00:00
|
|
|
# Puts a URI back together based on the URI parts
|
|
|
|
def uri
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
str = self.uri_parts['Resource'].dup || '/'
|
2006-01-27 05:33:08 +00:00
|
|
|
|
|
|
|
# /././././
|
|
|
|
if self.junk_self_referring_directories
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
str.gsub!(/\//) {
|
2006-01-23 23:57:50 +00:00
|
|
|
'/.' * (rand(3) + 1) + '/'
|
|
|
|
}
|
2006-01-27 05:33:08 +00:00
|
|
|
end
|
2006-01-23 21:58:53 +00:00
|
|
|
|
2006-01-27 05:33:08 +00:00
|
|
|
# /RAND/../RAND../
|
2006-01-23 21:58:53 +00:00
|
|
|
if self.junk_directories
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
str.gsub!(/\//) {
|
2006-01-23 21:58:53 +00:00
|
|
|
dirs = ''
|
2006-01-23 23:57:50 +00:00
|
|
|
rand(5)+5.times {
|
|
|
|
dirs += '/' + Rex::Text.rand_text_alpha(rand(5) + 1) + '/..'
|
2006-01-23 21:58:53 +00:00
|
|
|
}
|
|
|
|
dirs + '/'
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
2006-01-27 05:33:08 +00:00
|
|
|
# ////
|
|
|
|
#
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
# NOTE: this must be done after all other odd directory junk, since they would cancel this out
|
2006-01-23 21:58:53 +00:00
|
|
|
if self.junk_slashes
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
str.gsub!(/\//) {
|
|
|
|
'/' * (rand(3) + 2)
|
2006-01-23 21:58:53 +00:00
|
|
|
}
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
str.sub!(/^[\/]+/, '/') # only one beginning slash!
|
2006-01-23 21:58:53 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
if self.method != 'POST'
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
if param_string.size > 0
|
|
|
|
str += '?' + param_string
|
|
|
|
end
|
|
|
|
end
|
|
|
|
str
|
|
|
|
end
|
2006-01-23 21:58:53 +00:00
|
|
|
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
def param_string
|
|
|
|
params=[]
|
|
|
|
self.uri_parts['QueryString'].each_pair { |param, value|
|
|
|
|
# inject a random number of params in between each param
|
2006-01-23 21:58:53 +00:00
|
|
|
if self.junk_params
|
|
|
|
rand(10)+5.times {
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
params.push(Rex::Text.rand_text_alpha(rand(16) + 5) + '=' + Rex::Text.rand_text_alpha(rand(10) + 1))
|
2006-01-23 21:58:53 +00:00
|
|
|
}
|
|
|
|
end
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
if value.kind_of?(Array)
|
|
|
|
value.each { |subvalue|
|
|
|
|
params.push(self.escape(param) + '=' + self.escape(subvalue))
|
|
|
|
}
|
|
|
|
else
|
|
|
|
if !value.nil?
|
|
|
|
params.push(self.escape(param) + '=' + self.escape(value))
|
|
|
|
else
|
|
|
|
params.push(self.escape(param))
|
|
|
|
end
|
2006-01-23 21:58:53 +00:00
|
|
|
end
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# inject some junk params at the end of the param list, just to be sure :P
|
|
|
|
if self.junk_params
|
|
|
|
rand(10)+5.times {
|
|
|
|
params.push(Rex::Text.rand_text_alpha(rand(32) + 5) + '=' + Rex::Text.rand_text_alpha(rand(64) + 5))
|
|
|
|
}
|
2006-01-23 21:58:53 +00:00
|
|
|
end
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
params.join('&')
|
2006-01-23 21:58:53 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Updates the underlying URI structure
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
def uri=(str)
|
|
|
|
self.raw_uri = str
|
2006-01-23 21:58:53 +00:00
|
|
|
update_uri_parts
|
|
|
|
end
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
|
2006-01-27 05:33:08 +00:00
|
|
|
# Returns a URI escaped version of the provided string, by providing an additional argument, all characters are escaped
|
|
|
|
def escape(str, all = nil)
|
2006-01-23 21:58:53 +00:00
|
|
|
if all
|
|
|
|
return str.gsub(/./) { |s| Rex::Text.to_hex(s, '%') }
|
|
|
|
else
|
|
|
|
return str.gsub(/[^a-zA-Z1-9]/) { |s| Rex::Text.to_hex(s, '%') }
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
# Returns a request packet
|
|
|
|
def to_s
|
|
|
|
str = ''
|
|
|
|
if self.junk_pipeline
|
|
|
|
host = ''
|
|
|
|
if self.headers['Host']
|
|
|
|
host = "Host: #{self.headers['Host']}\r\n"
|
|
|
|
end
|
|
|
|
str += "GET / HTTP/1.1\r\n#{host}Connection: Keep-Alive\r\n\r\n" * self.junk_pipeline
|
|
|
|
self.headers['Connection'] = 'Closed'
|
|
|
|
end
|
|
|
|
str + super
|
|
|
|
end
|
|
|
|
|
|
|
|
def body
|
|
|
|
str = super || ''
|
|
|
|
if str.length > 0
|
|
|
|
return str
|
|
|
|
end
|
|
|
|
|
|
|
|
if self.method == 'POST'
|
|
|
|
return param_string
|
|
|
|
end
|
|
|
|
''
|
|
|
|
end
|
2006-01-23 21:58:53 +00:00
|
|
|
|
2005-07-24 20:53:54 +00:00
|
|
|
#
|
2005-11-15 05:22:13 +00:00
|
|
|
# Returns the command string derived from the three values.
|
2005-07-24 20:53:54 +00:00
|
|
|
#
|
|
|
|
def cmd_string
|
|
|
|
"#{self.method} #{self.uri} HTTP/#{self.proto}\r\n"
|
|
|
|
end
|
|
|
|
|
2005-07-25 02:18:37 +00:00
|
|
|
#
|
|
|
|
# Returns the resource that is being requested.
|
|
|
|
#
|
|
|
|
def resource
|
|
|
|
self.uri_parts['Resource']
|
|
|
|
end
|
|
|
|
|
2005-11-24 02:02:10 +00:00
|
|
|
#
|
|
|
|
# Changes the resource URI. This is used when making a request relative to
|
|
|
|
# a given mount point.
|
|
|
|
#
|
|
|
|
def resource=(rsrc)
|
|
|
|
self.uri_parts['Resource'] = rsrc
|
|
|
|
end
|
|
|
|
|
2005-07-25 02:18:37 +00:00
|
|
|
#
|
|
|
|
# If there were CGI parameters in the URI, this will hold a hash of each
|
|
|
|
# variable to value. If there is more than one value for a given variable,
|
|
|
|
# and array of each value is returned.
|
|
|
|
#
|
|
|
|
def qstring
|
|
|
|
self.uri_parts['QueryString']
|
|
|
|
end
|
|
|
|
|
2005-11-24 02:02:10 +00:00
|
|
|
#
|
|
|
|
# Returns a hash of variables that contain information about the request,
|
|
|
|
# such as the remote host information.
|
|
|
|
#
|
|
|
|
# TODO
|
|
|
|
#
|
|
|
|
def meta_vars
|
|
|
|
end
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# The method being used for the request (e.g. GET).
|
|
|
|
#
|
2005-07-24 20:53:54 +00:00
|
|
|
attr_accessor :method
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
2006-01-23 21:58:53 +00:00
|
|
|
# The raw URI being requested, before any mucking gets to it
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
2006-01-23 21:58:53 +00:00
|
|
|
attr_accessor :raw_uri
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# The split up parts of the URI.
|
|
|
|
#
|
2005-07-25 02:18:37 +00:00
|
|
|
attr_accessor :uri_parts
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# The protocol to be sent with the request.
|
|
|
|
#
|
2005-07-24 20:53:54 +00:00
|
|
|
attr_accessor :proto
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
|
2005-11-24 02:02:10 +00:00
|
|
|
#
|
|
|
|
# The resource path relative to the root of a server mount point.
|
|
|
|
#
|
|
|
|
attr_accessor :relative_resource
|
2005-07-24 20:53:54 +00:00
|
|
|
|
2006-01-27 05:33:08 +00:00
|
|
|
# add junk directories
|
|
|
|
attr_accessor :junk_directories
|
|
|
|
|
2006-01-23 21:58:53 +00:00
|
|
|
# add junk slashes
|
2006-01-27 05:33:08 +00:00
|
|
|
attr_accessor :junk_slashes
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
|
2006-01-27 05:33:08 +00:00
|
|
|
# add junk self referring directories (aka /././././
|
2006-01-23 23:57:50 +00:00
|
|
|
attr_accessor :junk_self_referring_directories
|
2006-01-23 21:58:53 +00:00
|
|
|
|
|
|
|
# add junk params
|
|
|
|
attr_accessor :junk_params
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
|
|
|
|
# add junk pipeline requests
|
|
|
|
attr_accessor :junk_pipeline
|
2006-01-23 21:58:53 +00:00
|
|
|
|
2005-07-25 02:18:37 +00:00
|
|
|
protected
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parses a CGI query string into the var/val combinations.
|
|
|
|
#
|
|
|
|
def parse_cgi_qstring(str)
|
|
|
|
qstring = {}
|
|
|
|
|
|
|
|
# Delimit on each variable
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
str.split(/[;&]/).each { |vv|
|
2005-07-25 02:18:37 +00:00
|
|
|
var = vv
|
|
|
|
val = ''
|
|
|
|
|
2005-11-22 03:20:09 +00:00
|
|
|
if (md = vv.match(/(.+?)=(.*)/))
|
2005-07-25 02:18:37 +00:00
|
|
|
var = md[1]
|
|
|
|
val = md[2]
|
|
|
|
end
|
|
|
|
|
|
|
|
# Add the item to the hash with logic to convert values to an array
|
|
|
|
# if so desired.
|
|
|
|
if (qstring.include?(var))
|
|
|
|
if (qstring[var].kind_of?(Array))
|
|
|
|
qstring[var] << val
|
|
|
|
else
|
|
|
|
curr = self.qstring[var]
|
|
|
|
qstring[var] = [ curr, val ]
|
|
|
|
end
|
|
|
|
else
|
|
|
|
qstring[var] = val
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
return qstring
|
|
|
|
end
|
|
|
|
|
2005-07-24 20:53:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|