2005-07-24 20:53:54 +00:00
|
|
|
require 'rex/proto/http'
|
|
|
|
|
|
|
|
module Rex
|
|
|
|
module Proto
|
|
|
|
module Http
|
|
|
|
|
|
|
|
###
|
|
|
|
#
|
|
|
|
# Represents the logical HTTP header portion of an HTTP packet (request or
|
|
|
|
# response).
|
|
|
|
#
|
|
|
|
###
|
|
|
|
class Packet::Header < Hash
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# Initializes an HTTP packet header class that inherits from a Hash base
|
|
|
|
# class.
|
|
|
|
#
|
2005-07-24 20:53:54 +00:00
|
|
|
def initialize
|
|
|
|
self.dcase_hash = {}
|
|
|
|
|
|
|
|
reset
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Parses a header from a string.
|
|
|
|
#
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
# XXX - Putting : in a header value fucks this up pretty badly
|
2005-07-24 20:53:54 +00:00
|
|
|
def from_s(header)
|
|
|
|
reset
|
|
|
|
|
2006-03-09 19:51:37 +00:00
|
|
|
# ghettoooooo!
|
|
|
|
# If we don't have any newlines..., put one there.
|
|
|
|
if (header.size > 0 && header !~ /\r\n/)
|
|
|
|
header += "\r\n"
|
|
|
|
end
|
|
|
|
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
# put the non-standard line terminations back to normal
|
|
|
|
# gah. not having look behinds suck,
|
|
|
|
header.gsub!(/([^\r])\n/,'\1' + "\r\n")
|
|
|
|
|
|
|
|
# undo folding, kinda ugly but works for now.
|
|
|
|
header.gsub!(/:\s*\r\n\s+/smi,': ')
|
|
|
|
|
2005-07-24 20:53:54 +00:00
|
|
|
# Extract the command string
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
self.cmd_string = header.slice!(/.+\r\n/)
|
2005-07-24 20:53:54 +00:00
|
|
|
|
|
|
|
# Extract each header value pair
|
|
|
|
header.split(/\r\n/m).each { |str|
|
|
|
|
if (md = str.match(/^(.+?): (.+?)$/))
|
2008-01-06 20:11:02 +00:00
|
|
|
if (self[md[1]])
|
|
|
|
self[md[1]] += ", " + md[2]
|
|
|
|
else
|
|
|
|
self[md[1]] = md[2]
|
|
|
|
end
|
2005-07-24 20:53:54 +00:00
|
|
|
end
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# More advanced [] that does downcase comparison.
|
|
|
|
#
|
|
|
|
def [](key)
|
|
|
|
begin
|
2008-01-06 20:06:39 +00:00
|
|
|
rv = self.fetch(key)
|
2005-07-24 20:53:54 +00:00
|
|
|
rescue IndexError
|
|
|
|
rv = nil
|
|
|
|
end
|
2008-01-06 20:06:39 +00:00
|
|
|
if (rv == nil)
|
|
|
|
begin
|
|
|
|
rv = self.dcase_hash[key.downcase]
|
|
|
|
rescue IndexError
|
|
|
|
rv = nil
|
|
|
|
end
|
|
|
|
end
|
2005-07-24 20:53:54 +00:00
|
|
|
|
|
|
|
return rv
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# More advanced []= that does downcase storage.
|
|
|
|
#
|
|
|
|
def []=(key, value)
|
|
|
|
stored = false
|
|
|
|
|
|
|
|
self.each_key { |k|
|
|
|
|
if (k.downcase == key.downcase)
|
|
|
|
self.store(k, value)
|
|
|
|
stored = true
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
self.store(key, value) if (stored == false)
|
|
|
|
self.dcase_hash[key.downcase] = value
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Converts the header to a string.
|
|
|
|
#
|
|
|
|
def to_s(prefix = '')
|
|
|
|
str = prefix
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
|
|
|
|
if self.junk_headers
|
|
|
|
while str.length < 4096
|
|
|
|
if self.fold
|
|
|
|
str += "X-#{Rex::Text.rand_text_alphanumeric(rand(30) + 5)}:\r\n\t#{Rex::Text.rand_text_alphanumeric(rand(1024) + 1)}\r\n"
|
|
|
|
else
|
|
|
|
str += "X-#{Rex::Text.rand_text_alphanumeric(rand(30) + 5)}: #{Rex::Text.rand_text_alphanumeric(rand(1024) + 1)}\r\n"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2005-07-24 20:53:54 +00:00
|
|
|
|
|
|
|
each_pair { |var, val|
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
if self.fold
|
|
|
|
str += "#{var.to_s}:\r\n\t#{val.to_s}\r\n"
|
|
|
|
else
|
|
|
|
str += "#{var.to_s}: #{val.to_s}\r\n"
|
|
|
|
end
|
2005-07-24 20:53:54 +00:00
|
|
|
}
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
|
2005-07-24 20:53:54 +00:00
|
|
|
str += "\r\n"
|
|
|
|
|
|
|
|
return str
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Brings in from an array like yo.
|
|
|
|
#
|
|
|
|
def from_a(ary)
|
|
|
|
ary.each { |e|
|
|
|
|
self[e[0]] = e[1]
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Flushes all header pairs.
|
|
|
|
#
|
|
|
|
def reset
|
|
|
|
self.cmd_string = ''
|
|
|
|
self.clear
|
|
|
|
self.dcase_hash.clear
|
|
|
|
end
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
#
|
|
|
|
# The raw command string associated with the header which will vary between
|
|
|
|
# requests and responses.
|
|
|
|
#
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
attr_accessor :junk_headers
|
2005-11-15 05:22:13 +00:00
|
|
|
attr_accessor :cmd_string
|
* add junk pipelined request support
* fix socket creation on pipelined requests
* when a server says that the connection should be closed (Connection: closed), then close the connection, since its going to regardless, and we don't want to loose our state
* support non-standard line termination in headers. ie \n instead of \r\n
* add junk headers (X-rand: rand)
* add header folding (for evasion)
* add parse_header_re (still leaving parse_header around, though its dead code ATM) that does the right thing on non-standard line endings
* move 'gzip' to a 'compression' option
* add 'deflate' compression option (really, just raw zlib, and only firefox does deflate right)
* fix a bunch of TE:chunked decoding bugs based based on the fact that Apache doesn't always close chunks appropriately
* modify parse_body to not return state, since it doesn't always do that, and the return isn't used... self.state is.
* add TE:chunked request support
* normalize URIs in requests before saving them
* Move params out of the URI, but when the uri is requested, and the method is GET, and there are params, return a URI that has the params that are approrpiately encoded (needed for junk_params, see below)
* move request.to_s support of params to use the request params array when a POST, allows use of junk params support (see below). NOTE: If the body is provided, use the body instead of params, in case you want to hardcode the params in a POST request, eg: php_xmlrpc_eval.rb
* Add junk params when building a param list, eg: a=b becomes asdfasdf=asdrt32a&asdfad=okhgasd&a=b&hjklasdf=hkasgd
* add URI junk slash support (eg: /////foo.html)
* param splitting now supports both '&', and ';', which CGI.pm and PHP both allow
* add URI junk directory support, eg: /asdf/../foo.html
* add param encoding support, eg: param A with value '=' is A=%3d
* add URI junk self referring directory support, eg: /././foo.html
git-svn-id: file:///home/svn/incoming/trunk@3457 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-27 21:57:44 +00:00
|
|
|
attr_accessor :fold
|
2005-07-24 20:53:54 +00:00
|
|
|
|
|
|
|
protected
|
|
|
|
|
2005-11-15 05:22:13 +00:00
|
|
|
attr_accessor :dcase_hash # :nodoc:
|
2005-07-24 20:53:54 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
2008-10-19 21:03:39 +00:00
|
|
|
end
|