Implemented support for plain ',' chars too (Issue #267)

Miroslav Stampar 2012-12-10 12:58:17 +01:00
parent d0ea4c65c5
commit 96df0ba061


@ -628,9 +628,10 @@ class Connect(object):
if place in (PLACE.GET, PLACE.POST): if place in (PLACE.GET, PLACE.POST):
_ = re.escape(PAYLOAD_DELIMITER) _ = re.escape(PAYLOAD_DELIMITER)
match = re.search("(?P<name>\w+)=%s(?P<value>.+?)%s" % (_, _), value) match = re.search("(?P<name>\w+)=%s(?P<value>.+?)%s" % (_, _), value)
payload = match.group("value")
if match: if match:
for splitter in (urlencode(' '), ' '): for splitter in (urlencode(' '), ' '):
if splitter in match.group("value"): if splitter in payload:
prefix, suffix = ("*/", "/*") if splitter == ' ' else (urlencode(_) for _ in ("*/", "/*")) prefix, suffix = ("*/", "/*") if splitter == ' ' else (urlencode(_) for _ in ("*/", "/*"))
parts = match.group("value").split(splitter) parts = match.group("value").split(splitter)
parts[0] = "%s%s" % (parts[0], suffix) parts[0] = "%s%s" % (parts[0], suffix)
@ -638,8 +639,11 @@ class Connect(object):
for i in xrange(1, len(parts) - 1): for i in xrange(1, len(parts) - 1):
parts[i] = "%s%s=%s%s%s" % (DEFAULT_GET_POST_DELIMITER, match.group("name"), prefix, parts[i], suffix) parts[i] = "%s%s=%s%s%s" % (DEFAULT_GET_POST_DELIMITER, match.group("name"), prefix, parts[i], suffix)
payload = "".join(parts) payload = "".join(parts)
value = agent.replacePayload(value, payload)
break break
for splitter in (urlencode(','), ','):
payload = payload.replace(splitter, "%s%s=" % (DEFAULT_GET_POST_DELIMITER, match.group("name")))
if payload:
value = agent.replacePayload(value, payload)
else: else:
warnMsg = "HTTP parameter pollution works only with regular " warnMsg = "HTTP parameter pollution works only with regular "
warnMsg += "GET and POST parameters" warnMsg += "GET and POST parameters"
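Review bot: The new line `payload = match.group("value")` in the first hunk is placed before the `if match:` guard, so when `re.search` finds no delimited payload in the value (returns None) it raises AttributeError, whereas the old code only touched `match` inside the guard; the assignment should move under the guard, `if match:` followed by `payload = match.group("value")`, and the new `for splitter in (urlencode(','), ','):` loop and `if payload:` block in the second hunk must then stay inside that guard as well, otherwise `payload` is unbound on the no-match path. Indentation is not visible on this rendered page, so the nesting of the new comma loop is inferred from its use of `match.group("name")`. Because `payload` now defaults to the raw matched value, `agent.replacePayload(value, payload)` is presumably also called when neither a space nor a comma splitter was found; that looks harmless but is extra work compared with the old `break`-only path. The enclosing method of `Connect` starts and ends outside the hunks.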