major bug fix reported by Ahmed Shawky (there was a possibility of double url encoding of parameter values)

2025-06-06 22:23:14 +03:00 · 2011-01-27 18:36:28 +00:00 · 2011-01-27 18:36:28 +00:00 · 81722b6881
commit 81722b6881
parent 03413bd5e0
4 changed files with 11 additions and 6 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -335,6 +335,9 @@ Sven Schluter <sschlueter@netzwerk.cc>
 Uemit Seren <uemit.seren@gmail.com>
    for reporting a minor adjustment when running with python 2.6
 Ahmed Shawky <ahmed@isecur1ty.org>
    for reporting a major bug with improper handling of parameter values
 Brian Shura <bshura@appsecconsulting.com>
    for reporting a bug
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -45,6 +45,7 @@ from lib.core.data import logger
 from lib.core.data import paths
 from lib.core.data import queries
 from lib.core.convert import htmlunescape
 from lib.core.convert import urldecode
 from lib.core.convert import urlencode
 from lib.core.enums import DBMS
 from lib.core.enums import PLACE
@ -704,7 +705,7 @@ def parseTargetUrl():
        conf.port = 80
    if __urlSplit[3]:
-        conf.parameters[PLACE.GET] = __urlSplit[3]
+        conf.parameters[PLACE.GET] = urldecode(__urlSplit[3])
    conf.url = "%s://%s:%d%s" % (conf.scheme, conf.hostname, conf.port, conf.path)
--- a/lib/core/target.py
+++ b/lib/core/target.py
@ -16,6 +16,7 @@ import time
 from lib.core.common import dataToSessionFile
 from lib.core.common import paramToDict
 from lib.core.common import readInput
 from lib.core.convert import urldecode
 from lib.core.data import cmdLineOptions
 from lib.core.data import conf
 from lib.core.data import kb
@ -61,7 +62,7 @@ def __setRequestParams():
    if conf.data:
        conf.data = conf.data.replace("\n", " ")
-        conf.parameters[PLACE.POST] = conf.data
+        conf.parameters[PLACE.POST] = urldecode(conf.data)
        # Check if POST data is in xml syntax
        if re.match("[\n]*<(\?xml |soap\:|ns).*>", conf.data):
@ -104,7 +105,7 @@ def __setRequestParams():
        for httpHeader, headerValue in conf.httpHeaders:
            if httpHeader == PLACE.UA:
                # No need for url encoding/decoding the user agent
-                conf.parameters[PLACE.UA] = headerValue
+                conf.parameters[PLACE.UA] = urldecode(headerValue)
                condition  = not conf.testParameter
                condition |= PLACE.UA in conf.testParameter
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -409,16 +409,16 @@ class Connect:
            checkPayload(value)
        if PLACE.GET in conf.parameters:
-            get = conf.parameters[PLACE.GET] if place != PLACE.GET or not value else value
+            get = urlencode(conf.parameters[PLACE.GET]) if place != PLACE.GET or not value else value
        if PLACE.POST in conf.parameters:
-            post = conf.parameters[PLACE.POST] if place != PLACE.POST or not value else value
+            post = urlencode(conf.parameters[PLACE.POST]) if place != PLACE.POST or not value else value
        if PLACE.COOKIE in conf.parameters:
            cookie = conf.parameters[PLACE.COOKIE] if place != PLACE.COOKIE or not value else value
        if PLACE.UA in conf.parameters:
-            ua = conf.parameters[PLACE.UA] if place != PLACE.UA or not value else value
+            ua = urlencode(conf.parameters[PLACE.UA]) if place != PLACE.UA or not value else value
        if PLACE.URI in conf.parameters:
            uri = conf.url if place != PLACE.URI or not value else value