Potential bug fix (escaping formatted regular expressions)

Miroslav Stampar 2014-10-28 14:02:55 +01:00
parent 268e774087
commit 3b3b8d4ef2
6 changed files with 15 additions and 15 deletions


@ -1286,7 +1286,7 @@ def expandAsteriskForColumns(expression):
if expression != conf.query:
conf.db = db
else:
expression = re.sub(r"([^\w])%s" % conf.tbl, "\g<1>%s.%s" % (conf.db, conf.tbl), expression)
expression = re.sub(r"([^\w])%s" % re.escape(conf.tbl), "\g<1>%s.%s" % (conf.db, conf.tbl), expression)
else:
conf.db = db
conf.db = safeSQLIdentificatorNaming(conf.db)
@ -2503,11 +2503,11 @@ def removeDynamicContent(page):
if prefix is None and suffix is None:
continue
elif prefix is None:
page = re.sub(r'(?s)^.+%s' % suffix, suffix, page)
page = re.sub(r'(?s)^.+%s' % re.escape(suffix), suffix, page)
elif suffix is None:
page = re.sub(r'(?s)%s.+$' % prefix, prefix, page)
page = re.sub(r'(?s)%s.+$' % re.escape(prefix), prefix, page)
else:
page = re.sub(r'(?s)%s.+%s' % (prefix, suffix), '%s%s' % (prefix, suffix), page)
page = re.sub(r'(?s)%s.+%s' % (re.escape(prefix), re.escape(suffix)), '%s%s' % (prefix, suffix), page)
return page
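Review bot: The replacement arguments in removeDynamicContent (`suffix`, `prefix`, `'%s%s' % (prefix, suffix)`) are still handed to re.sub as templates, so a backslash sequence inside them (`\n`, `\1`, `\g<...>`) is expanded or rejected instead of being written back literally. The pattern side is now escaped, but prefix and suffix presumably come from response content (not shown in the hunk), so the template side needs the same care. Passing a callable bypasses template processing, e.g. `page = re.sub(r'(?s)^.+%s' % re.escape(suffix), lambda m: suffix, page)`. The same applies to the interpolated replacements in expandAsteriskForColumns, the Connect helpers (`newValue`, `value`), whereQuery (`conf.dumpWhere`) and Entries (`_`). Both function bodies in this section extend beyond the hunks shown.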


@ -233,7 +233,7 @@ def _feedTargetsDict(reqFile, addedTargetUrls):
for match in re.finditer(BURP_XML_HISTORY_REGEX, content, re.I | re.S):
port, request = match.groups()
request = request.decode("base64")
_ = re.search(r"%s:.+" % HTTP_HEADER.HOST, request)
_ = re.search(r"%s:.+" % re.escape(HTTP_HEADER.HOST), request)
if _:
host = _.group(0).strip()
if not re.search(r":\d+\Z", host):
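Review bot: The Host lookup in _feedTargetsDict is unanchored and case-sensitive, so `r"%s:.+"` can match the tail of a different header whose name ends in the same text (X-Forwarded-Host, assuming HTTP_HEADER.HOST is "Host") and will miss a lower-case `host:` line. The matched value appears to decide which host is recorded as a target, so a wrong match would send traffic somewhere the request file did not intend. Anchoring to the start of a line covers both cases: `_ = re.search(r"(?im)^%s:.+" % re.escape(HTTP_HEADER.HOST), request)`. The code that strips the header name from `host` lies outside the hunk and should be checked against other casings.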


@ -63,7 +63,7 @@ class MSSQLBannerHandler(ContentHandler):
def endElement(self, name):
if name == "signature":
for version in (self._version, self._versionAlt):
if version and re.search(r" %s[\.\ ]+" % version, self._banner):
if version and re.search(r" %s[\.\ ]+" % re.escape(version), self._banner):
self._feedInfo("dbmsRelease", self._release)
self._feedInfo("dbmsVersion", self._version)
self._feedInfo("dbmsServicePack", self._servicePack)


@ -752,14 +752,14 @@ class Connect(object):
if conf.csrfToken:
def _adjustParameter(paramString, parameter, newValue):
retVal = paramString
match = re.search("%s=(?P<value>[^&]*)" % parameter, paramString)
match = re.search("%s=(?P<value>[^&]*)" % re.escape(parameter), paramString)
if match:
origValue = match.group("value")
retVal = re.sub("%s=[^&]*" % parameter, "%s=%s" % (parameter, newValue), paramString)
retVal = re.sub("%s=[^&]*" % re.escape(parameter), "%s=%s" % (parameter, newValue), paramString)
return retVal
page, headers, code = Connect.getPage(url=conf.csrfUrl or conf.url, cookie=conf.parameters.get(PLACE.COOKIE), direct=True, silent=True, ua=conf.parameters.get(PLACE.USER_AGENT), referer=conf.parameters.get(PLACE.REFERER), host=conf.parameters.get(PLACE.HOST))
match = re.search(r"<input[^>]+name=[\"']?%s[\"']?\s[^>]*value=(\"([^\"]+)|'([^']+)|([^ >]+))" % conf.csrfToken, page or "")
match = re.search(r"<input[^>]+name=[\"']?%s[\"']?\s[^>]*value=(\"([^\"]+)|'([^']+)|([^ >]+))" % re.escape(conf.csrfToken), page or "")
token = (match.group(2) or match.group(3) or match.group(4)) if match else None
if not token:
@ -802,10 +802,10 @@ class Connect(object):
if conf.rParam:
def _randomizeParameter(paramString, randomParameter):
retVal = paramString
match = re.search("%s=(?P<value>[^&;]+)" % randomParameter, paramString)
match = re.search("%s=(?P<value>[^&;]+)" % re.escape(randomParameter), paramString)
if match:
origValue = match.group("value")
retVal = re.sub("%s=[^&;]+" % randomParameter, "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
retVal = re.sub("%s=[^&;]+" % re.escape(randomParameter), "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
return retVal
for randomParameter in conf.rParam:
@ -847,7 +847,7 @@ class Connect(object):
found = False
value = unicode(value)
regex = r"((\A|%s)%s=).+?(%s|\Z)" % (re.escape(delimiter), name, re.escape(delimiter))
regex = r"((\A|%s)%s=).+?(%s|\Z)" % (re.escape(delimiter), re.escape(name), re.escape(delimiter))
if re.search(regex, (get or "")):
found = True
get = re.sub(regex, "\g<1>%s\g<3>" % value, get)
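Review bot: The patterns in _adjustParameter and _randomizeParameter have no boundary before the parameter name, so `"%s=(?P<value>[^&]*)"` built for `token` also matches inside `csrftoken=...`, and re.sub then rewrites every such occurrence. The third hunk already guards against this with `(\A|%s)` around the delimiter. The two helpers should do the same, e.g. `match = re.search(r"(\A|&)%s=(?P<value>[^&]*)" % re.escape(parameter), paramString)`, with the re.sub call carrying group 1 through to its output. The exact delimiter set depends on what paramString holds, which the hunks do not show. `origValue` in _adjustParameter is assigned but unused in the visible lines.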


@ -64,7 +64,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
colList = filter(None, sorted(colList, key=lambda x: len(x) if x else MAX_INT))
if conf.pivotColumn:
if any(re.search(r"(.+\.)?%s" % conf.pivotColumn, _, re.I) for _ in colList):
if any(re.search(r"(.+\.)?%s" % re.escape(conf.pivotColumn), _, re.I) for _ in colList):
infoMsg = "using column '%s' as a pivot " % conf.pivotColumn
infoMsg += "for retrieving row data"
logger.info(infoMsg)
@ -173,7 +173,7 @@ def whereQuery(query):
prefix, suffix = query.split(" ORDER BY ") if " ORDER BY " in query else (query, "")
if "%s)" % conf.tbl.upper() in prefix.upper():
prefix = re.sub(r"(?i)%s\)" % conf.tbl, "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)
prefix = re.sub(r"(?i)%s\)" % re.escape(conf.tbl), "%s WHERE %s)" % (conf.tbl, conf.dumpWhere), prefix)
elif re.search(r"(?i)\bWHERE\b", prefix):
prefix += " AND %s" % conf.dumpWhere
else:
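Review bot: The pivot check in pivotDumpTable uses re.search with no end anchor, so `r"(.+\.)?%s"` is satisfied by any column whose name merely contains conf.pivotColumn, and the optional `(.+\.)?` prefix has no effect. A pivot named `id` would be accepted because of a column such as `paid`, and the log line would then claim the requested column is in use. Matching the whole name closes this: `re.search(r"\A(.+\.)?%s\Z" % re.escape(conf.pivotColumn), _, re.I)`. What the branch does after logging is outside the hunk.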


@ -147,7 +147,7 @@ class Entries:
for column in colList:
_ = agent.preprocessField(tbl, column)
if _ != column:
colString = re.sub(r"\b%s\b" % column, _, colString)
colString = re.sub(r"\b%s\b" % re.escape(column), _, colString)
entriesCount = 0
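Review bot: The `\b` anchors around the escaped column only match next to a word character, so a column that starts or ends with a non-word character (a quoted or bracketed identifier, for instance) is never substituted when it follows a comma or a space. Those are presumably the names the escaping was added for, so the replacement is silently skipped for them. Lookarounds keep the whole-word intent without that requirement: `colString = re.sub(r"(?<!\w)%s(?!\w)" % re.escape(column), _, colString)`. The enclosing method starts and ends outside the hunk.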