* few cleanups plus addition of self referring directories (eg: /././././)
git-svn-id: file:///home/svn/incoming/trunk@3437 4d416f70-5f16-0410-b530-b9f4589650daunstable
bmc
parent
52fa0da439
commit
55ba865f30
|
|
@ -97,22 +97,33 @@ class Request < Packet
|
|||
# Puts a URI back together based on the URI parts
|
||||
def uri
|
||||
uri = self.uri_parts['Resource'] || '/'
|
||||
|
||||
# /././././
|
||||
if self.junk_self_referring_directories
|
||||
uri.gsub!(/\//) {
|
||||
'/.' * (rand(3) + 1) + '/'
|
||||
}
|
||||
end
|
||||
|
||||
# /RAND/../RAND../
|
||||
if self.junk_directories
|
||||
uri.gsub!(/\//) {
|
||||
dirs = ''
|
||||
rand(10)+5.times {
|
||||
dirs += '/' + Rex::Text.rand_text_alpha(rand(64) + 5) + '/..'
|
||||
rand(5)+5.times {
|
||||
dirs += '/' + Rex::Text.rand_text_alpha(rand(5) + 1) + '/..'
|
||||
}
|
||||
dirs + '/'
|
||||
}
|
||||
end
|
||||
|
||||
# ////
|
||||
#
|
||||
# NOTE: this must be done after junk directories, since junk_directories would cancel this out
|
||||
if self.junk_slashes
|
||||
uri.gsub!(/\//) {
|
||||
'/' * (rand(5) + 2)
|
||||
'/' * (rand(3) + 1)
|
||||
}
|
||||
uri.gsub!(/^[\/]+/, '/') # only one beginning slash!
|
||||
end
|
||||
|
||||
if self.method != 'POST'
|
||||
|
|
@ -151,10 +162,6 @@ class Request < Packet
|
|||
update_uri_parts
|
||||
end
|
||||
|
||||
def inject_directories(uri)
|
||||
|
||||
end
|
||||
|
||||
# Returns a URI escaped version of the provided string, by providing an additional argument, all characters are escaped
|
||||
def escape(str, all = nil)
|
||||
if all
|
||||
|
|
@ -232,7 +239,9 @@ class Request < Packet
|
|||
|
||||
# add junk slashes
|
||||
attr_accessor :junk_slashes
|
||||
|
||||
|
||||
# add junk self referring directories (aka /././././
|
||||
attr_accessor :junk_self_referring_directories
|
||||
|
||||
# add junk params
|
||||
attr_accessor :junk_params
|
||||
|
|
|
|||
|
|
@ -67,16 +67,19 @@ class Rex::Proto::Http::Request::UnitTest < Test::Unit::TestCase
|
|||
|
||||
srand(0)
|
||||
h.junk_directories = 1
|
||||
assert_equal('/DDnJT/../ykXGYYMBmnXuYRlZNIJUzQzFPv/../SjYxz/../TTOngBJgfKXjLyciAAkFmoRPEpqfBBnpjm/../LuSbAOjMqULEGEvDMkoOPUjXPNVwxFpjAfFeAxykiwdDiqNwnVJAKyrXCije/../foo?a=1&b=2&c=3&d=%3d', h.uri, 'uri with junk directories')
|
||||
assert_equal('/D/../DnJT/../kXG/../Y/../BmnXu/../foo?a=1&b=2&c=3&d=%3d', h.uri, 'uri with junk directories')
|
||||
|
||||
srand(0)
|
||||
h.junk_slashes = 1
|
||||
assert_equal('//////DDnJT////..////ykXGYYMBmnXuYRlZNIJUzQzFPv////..//////SjYxz////..//////TTOngBJgfKXjLyciAAkFmoRPEpqfBBnpjm/////..//////LuSbAOjMqULEGEvDMkoOPUjXPNVwxFpjAfFeAxykiwdDiqNwnVJAKyrXCije///..//DDnJT//ujURybOpBkKWroLCzQgAmTu///..//////zoNeYCDeirNwoITfIaCDsOgEDtLWNtLQYdVuZQThogkGVfN//..///YPpSoPLmvdBf////..///sYYDSvDqMmjWFXrgLoUKrlcvoCbTZXzuUdDjnJJpXDuaysDfJKbtHnVhsii//..//////hFokALiFQIBRwjbokwZDnjyedxhSR//////..//////..//CFlMsCvbVnnLWeRGHScrTxpduVJZygbJcrRpAWQqkeYDzIbduXgTIHXNRALckZgqOW////..//////USEWjTHINFAIPPLEnctaKuxbzjpSizerS/////..////XBGqweQajxqJsNGmnINHQWPZIjGRHUZCQytXYEksxXeZUhlXbd///../////zzWHpxJATkRUwDqBUkEQwvKtoebrfUGJbvjTMS////..//KihrDMkBxAnYkjFGDiohcEagtzJFhHeIUHDVbsDmUHTfAFbreJTHVl/////..////ykXGYYMBmnXuYRlZNIJUzQzFPv////uAozmZKziXgTaOgzGhsytpEdbRjCUtPkpExyNetXijJaaWMP////..////azmuQvoAKLNHeGtePpmrSHcBpCycOlbkfdyudyh//////../////gpQCIzKwabBAFYiPD////..///ulrTYGUGczGCccmlFtJkNVfRjtzIZVtlWQZulBFGMaKOIHtFvqDKybZDOSFERFeYD////..//////okxYhShOxH/////../////..////uwhRdMugizXZuyrpuAMJSEHDwMltwtSzxHaxudDKUqBUQqyc////..///XwCmJCspZkaEpKMohlnghajZyYSUecI/////../////ZYnqcYSDsTtAKDGbjGTiyym/////..//rAktpChMPhXMFmBKGGmmLyVyy/////../////CMdJzIFrBrPMvMVSZNecspVGkwoaeFPllxfgwQgKMdAdanWTFkTkFcMa///..///SjYxz//////MmHQdAXPKDDQwJUlwRJsPmOh///../////QkHXbuHWi/////../////QbvvyLXOneaiRjHtwlENlTrIgRFkBdFQmoW///..////TEUqKDWldpoRzoqedheulYQjndBXIAXlvaZ//..//////GYPlpRQwruFTvWtLLhHawHvgkSXVCI////..//..///mkBkFFmjYxPUyJExYeCTDNLNkRaGviVUqRlZVkEviLi//////..//////uTwLhZhftGZYtmzQXaDaudCFHPOjnHzmzdxLDN///..////YEzWdmLOSZsDlHdOLJLQnBScAVYJISLczRPDqYVcVOvBMLZnLatiBQBQhhsmoIN//../////TygXEfWAlfPTPzMtKpQGVeDQABygrSSWPPcHbYYMNSOOUHs/////..//bsPXLNdfuSEcBxxXQpawCvRUmAGsWPKiomVigqsjpnbwKERD/////..////TTOngBJgfKXjLyciAAkFmoRPEpqfBBnpjm///XdmeLCdHzJXAwRozVeaPwRKRDnJdDHQiEak/////..///gRlbzOWfIdc/////../////iRcvQIsHMgUrLdoAUtcNlvnyEuMlwEpkQSle//////../////ujwAxJyhwxMGzkjmkeyTmsjOdzRDdbDhzbkVnqKdxdYyQAkiNBCCTMenVN//////..//azMxABkKqgcCcBNTvRkHGJPSdqSCdRjTQXMjtCUDRsmqKlqovbEzWl/////../////../////HYYvPKTNnlnSHYgsnovkqQaoQugeUXPsTib//////../////iRXbNwXeFnhxicBEVIyhjwjZFBjHBBHZkNsybgrTitkQwqrDIT////..//AUgirFVYCHsLzcfBQySOVvvFhqCboTPHsdjhwxQYFzqTRtgWhmJ///..///MqQREZOtRd//////..//cKFkkUyyWKr//..///LuSbAOjMqULEGEvDMkoOPUjXPNVwxFpjAfFeAxykiwdDiqNwnVJAKyrXCije//////BoHFPpgXOidzZEAaUFYREgxRIJkfeJswjgOXgcrhyusIlCRPDVwyd////..//WSHxaEtZazvTOSgbkmUsDSNzxfhSMvbniHetQBYQtb///..////yYwMEwzuoOxKbOmNEWPdOqZLfbWurUCZAfuGSWuZNM////..////lTfcTooZvdcqKURAnmiBwWtxWncBVCgyGmjkXzSmZuPxbVBJzRLADkUTvFUEpQQFgWD/////..////cpKmcfsLibxHn////..///..//////FJYMohOtPEWCHtIFnPPpZWZZTdJLjanSIBjyxuKKYfrbNOFXqnxlmLrYRVeS/////..///ZdlxoxqfnLOgBBkZMIyMYTDKHcOIujjRXMtHvuneTqtyBrSOZlIyiaLsLokxMRfKwKLd///..////KMxnwKCvLuzpbDQANmEDTRQHYLWbCIIZmhYVEfz/////..//////lHWqfJzzSXTZFZtv//////..///zsargeOHgBvtraPEKVnqreWARMbrv/////..///foo?a=1&b=2&c=3&d=%3d', h.uri, 'uri with junk directories')
|
||||
assert_equal('/lZ//..//J//../zQzFP///..///S/..//Yxzd//../D/OngB/..///gf//..///XjL//..///ciA/..///k/..//..//RPEpq//../fBB/../jm/../uSbA/..//MqUL/..///DnJT///vDMko//..//jXPNV//..///x//..//jA/..//x///..//..//iwdDi/../Nwn//..//AK///..//rXC///..///ij//..///kXG///SujU/..//yb//..//Bk///..//Wro//..//CzQg///../..//uqzo/..//C//..///eirN/..///o/..///T/..///Y/CDs/../E/..//tLWN///../tL/..//Q///..//../QT/../og/../GVfNH//../Y///..///So///../BmnXu/Bf///../YYDSv///..///qMmj/..//gLoU//..//rlc/../..//bTZ/../uUdD//..///nJJp///../uays///..//fJKb//..///foo?a=1&b=2&c=3&d=%3d', h.uri, 'uri with junk directories')
|
||||
|
||||
h = Klass.new
|
||||
h.from_s("GET /foo?a=1&b=2 HTTP/1.0\r\n" + "Foo: Bar\r\n\r\n")
|
||||
h.junk_params = 1
|
||||
assert_equal("/foo?sZHlUi=t&nhhBJXEYGhyYK=cYDSVGUVb&ZAuDlHQLLsCFROF=pu&eiDAdssszARdbiyzk=elRmPB&pWtRsWNyvCLJyozvEKxG=sIIIslS&a=1&dlkqdbRLxI=DwLyPDknV&DLPtaPhLFeEglrtdbn=LhOmLKZgy&GeWLjUEExdbvT=aaJyfeRHz&JcvwHDHI=Fhcumx&BCQCLfKUkOHdF=uPz&b=2&bGJBLXGokMjFMSABUNawrVONoDpR=abrtpNtwRW&ZcNHaRErvecIbGHaLldxUdcXJAmTHymDelpF=QafGZLRffUanyKmEnPNjmLnLwkSLziQcJlIRwscZeleSMBbKDQbGAHZDksVxIvmq&kEbNNp=GeMiDoQFodWlX&kriGGYMRfwlAKxsEfKdhpwNTpMszrQyl=kyEyvAxlLsFouQQKFXv&mwSeQfqv=hKsfTCTfyTnnhssenMQQGEtUeM",h.uri, 'junk params')
|
||||
assert_equal("/foo?zerStXB=qweQajx&JsNGmnINHQWPZIj=RHUZCQy&XYEksxXeZUhlXbdhzz=HpxJATk&UwDqBU=EQwvK&oebrfUGJbvjTMSxKih=MkBx&a=1&YkjFGDiohcEa=t&JFhHeIUH=VbsD&UHTfAFbreJT=VlcIruAo&mZKziXgT=z&hsytpEdbRjC=tPkpE&b=2&NetXijJaaWMPiazmuQvoAKL=HeGtePpmrSHcBpCycO&bkfdyudyhM=pQCIzKwabBAFYiPDulrTYGUGczGCccmlFtJkN&fRjtzIZVtlWQZulBFGMaKOIHtF=qDKybZDOSFERFeYDFokxYhShOxHruwhRdMugizXZuyrpuAMJSEHD&MltwtSzxHaxudDKUqBUQq=caXwCmJCspZkaEpKMohlnghajZyYSUecISZYnqcYSDsTtAKDGbjGTiy&mUrAktpChMPhXMFmBKGGmmL=VyyzCMdJzIFrBrPMvMVSZNecspVGkwoaeFPllxfgwQgKMdAdanWTFkT" ,h.uri, 'junk params')
|
||||
|
||||
h = Klass.new
|
||||
h.from_s("GET /foo?a=1&b=2 HTTP/1.0\r\n" + "Foo: Bar\r\n\r\n")
|
||||
h.junk_self_referring_directories = 1
|
||||
assert_equal("/./foo?a=1&b=2", h.uri, 'junk self referring directories')
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue