fix for URI based injections

2024-11-22 09:36:35 +03:00 · 2011-01-22 16:23:33 +00:00 · 2011-01-22 16:23:33 +00:00 · 30cd877c4a
commit 30cd877c4a
parent 7bf05bf2cb
1 changed files with 5 additions and 1 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -75,6 +75,10 @@ class Agent:
        paramDict = conf.paramDict[place]
        origValue = paramDict[parameter]

+        if place == PLACE.URI:
+            origValue = origValue.split('*')[0]
+            origValue = origValue[origValue.rfind('/') + 1:]
+
        if value is None:
            if where == 1:
                value = origValue
@ -101,7 +105,7 @@ class Agent:

            retValue = ET.tostring(root)
        elif place in (PLACE.UA, PLACE.URI):
-            retValue = paramString.replace("*", self.addPayloadDelimiters(newValue))
+            retValue = paramString.replace("%s*" % origValue, self.addPayloadDelimiters(newValue))
        else:
            retValue = paramString.replace("%s=%s" % (parameter, origValue),
                                           "%s=%s" % (parameter, self.addPayloadDelimiters(newValue)))