crt0mega
/
skipfish
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

1.32b - A minor fix for embedded URL auth detection

This commit is contained in:
Steve Pinkham 2010-04-19 20:27:39 -04:00
parent a4a2b9130c
commit 23205f4600
3 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,3 +1,8 @@
Version 1.32b:
--------------
- A minor fix for embedded URL auth detection.
Version 1.31b:
--------------

2
config.h
View File

@ -23,7 +23,7 @@
#ifndef _HAVE_CONFIG_H
#define _HAVE_CONFIG_H
#define VERSION "1.31b"
#define VERSION "1.32b"
#define USE_COLOR 1 /* Use terminal colors */

14
http_client.c
View File

@ -205,7 +205,10 @@ u8 parse_url(u8* url, struct http_request* req, struct http_request* ref) {
/* Interpret, skip //[login[:pass@](\[ipv4\]|\[ipv6\]|host)[:port] part of the
URL, if present. Note that "http:blarg" is a valid relative URL to most
browsers, and "//example.com/blarg" is a valid non-FQDN absolute one.
We need to mimick this, which complicates the code a bit. */
We need to mimick this, which complicates the code a bit.
We only accept /, ?, #, and : to mark the end of a host name. Some browsers
also allow \ or ;, but it's unlikely that we need to obey this. */
if (cur[0] == '/' && cur[1] == '/') {
@ -216,10 +219,13 @@ u8 parse_url(u8* url, struct http_request* req, struct http_request* ref) {
cur += 2;
/* Detect, skip login[:pass]@; we only use cmdline-supplied credentials or
wordlists into account. Be sure to report any embedded auth, though. */
wordlists into account. Be sure to report any embedded auth, though.
Trivia: Firefox takes the rightmost, not the leftmost @ char into
account. Not very important, but amusing. */
at_sign = (u8*)strchr((char*)cur, '@');
path_st = strcspn((char*)cur, ":/?#");
path_st = strcspn((char*)cur, "/?#");
if (at_sign && path_st > (at_sign - cur)) {
cur = at_sign + 1;
@ -227,6 +233,8 @@ u8 parse_url(u8* url, struct http_request* req, struct http_request* ref) {
problem(PROB_URL_AUTH, ref, 0, url, req->pivot, 0);
}
path_st = strcspn((char*)cur, ":/?#");
/* No support for IPv6 or [ip] notation for now, so let's just refuse to
parse the URL. Also, refuse excessively long domain names for sanity. */