From f7eda07d92891ed5a02c60db60389b307d479547 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 17 Jan 2013 15:30:14 +0100
Subject: [PATCH] Patch for an Issue #347

---
 lib/core/common.py | 8 ++++++++
 lib/core/settings.py | 1 +
 lib/request/connect.py | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/core/common.py b/lib/core/common.py
index 96eb25297..0b79346e6 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -86,6 +86,7 @@ from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DEFAULT_MSSQL_SCHEMA
 from lib.core.settings import DEPRECATED_OPTIONS
 from lib.core.settings import DESCRIPTION
+from lib.core.settings import DOLLAR_MARKER
 from lib.core.settings import DUMMY_SQL_INJECTION_CHARS
 from lib.core.settings import DUMMY_USER_INJECTION
 from lib.core.settings import DYNAMICITY_MARK_LENGTH
@@ -2041,6 +2042,10 @@ def urlencode(value, safe="%&=", convall=False, limit=False):
 if all(map(lambda x: '%' in x, [safe, value])) and not kb.tamperFunctions:
 value = re.sub("%(?![0-9a-fA-F]{2})", "%25", value)
 
+ if '$' in value and '$' not in safe:
+ for match in re.finditer(r"\b([\w$]*\$[\w$]*)=", value):
+ value = value.replace(match.group(1), match.group(1).replace('$', DOLLAR_MARKER))
+
 while True:
 result = urllib.quote(utf8encode(value), safe)
 
@@ -2056,6 +2061,9 @@ def urlencode(value, safe="%&=", convall=False, limit=False):
 else:
 break
 
+ if result:
+ result = result.replace(DOLLAR_MARKER, '$')
+
 return result
 
 def runningAsAdmin():
diff --git a/lib/core/settings.py b/lib/core/settings.py
index e6c075e6e..a0b98858a 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -37,6 +37,7 @@ UPPER_RATIO_BOUND = 0.98
 PARAMETER_AMP_MARKER = "__AMP__"
 PARAMETER_SEMICOLON_MARKER = "__SEMICOLON__"
 PARTIAL_VALUE_MARKER = "__PARTIAL__"
+DOLLAR_MARKER = "__DOLLAR_MARK__"
 URI_QUESTION_MARKER = "__QUESTION_MARK__"
 ASTERISK_MARKER = "__ASTERISK_MARK__"
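Review bot: The `$` masking added at @@ -2042 inflates the string that the `limit` trimming loop measures, because every `$` in a parameter name becomes the 15-character `DOLLAR_MARKER` before `urllib.quote` and is only shrunk back to one character by the `if result:` block at @@ -2061, so a value close to the length limit is trimmed more than necessary and, if the trimming reaches a masked name, the marker is cut mid-token and a partial `__DOLLAR_MA…` fragment survives the final `replace`. The trimming acts on `value` inside the loop (outside these hunks), so a complete fix has to step over a whole marker rather than one character, or restore the marker on `result` before the length comparison. Two smaller points in the same hunk: `value.replace(match.group(1), ...)` rewrites every occurrence of the matched name, not only the one before `=`, and the unconditional restore at @@ -2061 will also turn a literal `__DOLLAR_MARK__` present in the caller's input into `$`; guarding with `if DOLLAR_MARKER in value: raise ValueError("marker collision")` (or a flag set only when masking happened) keeps the round trip honest. The body of `urlencode` continues outside both hunks.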
diff --git a/lib/request/connect.py b/lib/request/connect.py
index a0919c63c..009bbfb83 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -620,8 +620,8 @@ class Connect(object):
 payload = json.dumps(payload)[1:-1]
 value = agent.replacePayload(value, payload)
 else:
- if not skipUrlEncode and place in (PLACE.GET, PLACE.COOKIE, PLACE.URI):
- # GET, URI and Cookie need to be throughly URL encoded (POST is encoded down below)
+ if not skipUrlEncode and place in (PLACE.GET, PLACE.POST, PLACE.COOKIE, PLACE.URI):
+ # GET, POST, URI and Cookie payload needs to be throughly URL encoded
 payload = urlencode(payload, '%', False, place != PLACE.URI)
 value = agent.replacePayload(value, payload)
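Review bot: The removed comment said POST "is encoded down below", and the hunk widens the condition to `PLACE.POST` without showing that the later encoding pass was removed; if it still runs, a POST payload goes through URL encoding twice, which is only harmless if that second pass also keeps `%` in its safe set, otherwise the `%XX` sequences produced here become `%25XX`. Please verify the downstream POST handling in the same method (its body continues outside this hunk) and either drop it or state in the comment why a second pass is safe. The rewritten comment also carries over the typo `throughly`; `# GET, POST, URI and Cookie payloads need to be thoroughly URL encoded` reads correctly.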