diff --git a/ChangeLog b/ChangeLog index 6b728a8..c0f2bc7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +Version 1.69b: +-------------- + + - Minor improvements to parameter encoding, User-Agent controls. + +Version 1.68b: +-------------- + + - Password detector improvement. + Version 1.67b: -------------- diff --git a/Makefile b/Makefile index ba443f2..11b169d 100644 --- a/Makefile +++ b/Makefile @@ -20,7 +20,7 @@ # PROGNAME = skipfish -VERSION = 1.67b +VERSION = 1.69b OBJFILES = http_client.c database.c crawler.c analysis.c report.c INCFILES = alloc-inl.h string-inl.h debug.h types.h http_client.h \ diff --git a/analysis.c b/analysis.c index 6ea6097..49daf78 100644 --- a/analysis.c +++ b/analysis.c @@ -2354,11 +2354,12 @@ static void check_for_stuff(struct http_request* req, (x - sniffbuf) < 64) x++; if (x != sniffbuf && *x == ':' && x[1] != '/' && x[1] != '.') { - x++; + u8* start_x = ++x; + while (*x && (isalnum(*x) || strchr("./*!+=$", *x)) && (x - sniffbuf) < 128) x++; - if (*x == ':' || !*x || *x == '\r' || *x == '\n') + if (*x == ':' || ((start_x != x) && (!*x || *x == '\r' || *x == '\n'))) problem(PROB_FILE_POI, req, res, (u8*) "Possible password file", req->pivot, 0); diff --git a/config.h b/config.h index 09ebca3..99f94b9 100644 --- a/config.h +++ b/config.h @@ -34,7 +34,7 @@ /* Various default settings for HTTP client (cmdline override): */ -#define MAX_CONNECTIONS 50 /* Simultaneous connection cap */ +#define MAX_CONNECTIONS 40 /* Simultaneous connection cap */ #define MAX_CONN_HOST 10 /* Per-host connction cap */ #define MAX_REQUESTS 1e8 /* Total request count cap */ #define MAX_FAIL 100 /* Max consecutive failed requests */ diff --git a/http_client.c b/http_client.c index 073fae9..2a9338a 100644 --- a/http_client.c +++ b/http_client.c 
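Review bot: The new `start_x != x` guard covers only the NUL and CR/LF alternatives, so the `*x == ':'` branch still raises `PROB_FILE_POI` when the second field is empty; a token such as `Foo::Bar` (two adjacent colons, as in Perl or C++ scoped names) would therefore still match, while a bare `Subject:` at end of line no longer does. If that asymmetry is deliberate (an empty second field is legitimate in `root::0:0`-style lines), it deserves a comment, e.g. `/* empty 2nd field is accepted only when ':'-terminated (root::0:0); at EOL it must be non-empty */`; otherwise `start_x != x` should apply to the `':'` case as well. check_for_stuff begins and ends outside this hunk.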
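Review bot: The default `MAX_CONNECTIONS` drops from 50 to 40 here, but the 1.69b ChangeLog entry added by this commit mentions only parameter encoding and User-Agent controls, so a user upgrading will not learn that the default concurrency changed. A line such as ` - Default simultaneous connection cap lowered to 40.` in that entry would keep the record complete.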
@@ -440,7 +440,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus) { tokens. We otherwise let pretty much everything else go through, as it may help with the exploitation of certain vulnerabilities. */ -u8* url_encode_token(u8* str, u32 len) { +u8* url_encode_token(u8* str, u32 len, u8 also_slash) { u8 *ret = ck_alloc(len * 3 + 1); u8 *src = str, *dst = ret; @@ -448,7 +448,8 @@ u8* url_encode_token(u8* str, u32 len) { while (len--) { u8 c = *(src++); - if (c <= 0x20 || c >= 0x80 || strchr("#%&=/+;,!$?", c)) { + if (c <= 0x20 || c >= 0x80 || strchr("#%&=+;,!$?", c) || + (also_slash && c == '/')) { if (c == 0xFF) c = 0; sprintf((char*)dst, "%%%02X", c); dst += 3; @@ -666,13 +667,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) { if (req->par.n[i]) { u32 len = strlen((char*)req->par.n[i]); - u8* str = url_encode_token(req->par.n[i], len); + u8* str = url_encode_token(req->par.n[i], len, 1); ASD(str); ASD("="); ck_free(str); } if (req->par.v[i]) { u32 len = strlen((char*)req->par.v[i]); - u8* str = url_encode_token(req->par.v[i], len); + u8* str = url_encode_token(req->par.v[i], len, 1); ASD(str); ck_free(str); } @@ -699,13 +700,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) { if (req->par.n[i]) { u32 len = strlen((char*)req->par.n[i]); - u8* str = url_encode_token(req->par.n[i], len); + u8* str = url_encode_token(req->par.n[i], len, 0); ASD(str); ASD("="); ck_free(str); } if (req->par.v[i]) { u32 len = strlen((char*)req->par.v[i]); - u8* str = url_encode_token(req->par.v[i], len); + u8* str = url_encode_token(req->par.v[i], len, 0); ASD(str); ck_free(str); } 
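Review bot: The comment preceding `url_encode_token` (the context lines of this hunk) and its twin above the declaration in the http_client.h hunk still describe the old behavior and say nothing about the new `also_slash` parameter, although the function now treats `/` differently per caller. That contract should be stated in both places, e.g. `Slashes are escaped only when also_slash is non-zero; callers passing 0 leave them intact.` The `len * 3 + 1` allocation remains sufficient because an escaped slash still occupies three output bytes.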
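Review bot: The bare `1` and `0` literals at the new call sites here and in the hunks at lines 699, 725 and 1017 of http_client.c give no hint of why this loop alone needs slashes escaped; the loop headers sit outside the hunks, so I can only infer that this one emits path components. A short comment at the first `1` site, e.g. `/* path segment: a literal '/' would split it, so escape it */`, and one at the first `0` site would make the distinction reviewable without reading the loop headers. serialize_path begins and ends outside these hunks.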
@@ -725,13 +726,13 @@ u8* serialize_path(struct http_request* req, u8 with_host, u8 with_post) { if (req->par.n[i]) { u32 len = strlen((char*)req->par.n[i]); - u8* str = url_encode_token(req->par.n[i], len); + u8* str = url_encode_token(req->par.n[i], len, 0); ASD(str); ASD("="); ck_free(str); } if (req->par.v[i]) { u32 len = strlen((char*)req->par.v[i]); - u8* str = url_encode_token(req->par.v[i], len); + u8* str = url_encode_token(req->par.v[i], len, 0); ASD(str); ck_free(str); } @@ -869,7 +870,9 @@ u8* build_request_data(struct http_request* req) { ASD("Accept-Encoding: gzip\r\n"); ASD("Connection: keep-alive\r\n"); - ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n"); + + if (!GET_HDR((u8*)"User-Agent", &req->par)) + ASD("User-Agent: Mozilla/5.0 SF/" VERSION "\r\n"); /* Some servers will reject to gzip responses unless "Mozilla/..." is seen in User-Agent. Bleh. */ @@ -1017,14 +1020,14 @@ u8* build_request_data(struct http_request* req) { if (pay_pos) ADD_STR_DATA(pay_buf, pay_pos, "&"); if (req->par.n[i]) { u32 len = strlen((char*)req->par.n[i]); - u8* str = url_encode_token(req->par.n[i], len); + u8* str = url_encode_token(req->par.n[i], len, 0); ADD_STR_DATA(pay_buf, pay_pos, str); ADD_STR_DATA(pay_buf, pay_pos, "="); ck_free(str); } if (req->par.v[i]) { u32 len = strlen((char*)req->par.v[i]); - u8* str = url_encode_token(req->par.v[i], len); + u8* str = url_encode_token(req->par.v[i], len, 0); ADD_STR_DATA(pay_buf, pay_pos, str); ck_free(str); } diff --git a/http_client.h b/http_client.h index 5f1ec67..cf93926 100644 --- a/http_client.h +++ b/http_client.h @@ -285,7 +285,7 @@ u8* url_decode_token(u8* str, u32 len, u8 plus); otherwise let pretty much everything else go through, as it may help with the exploitation of certain vulnerabilities. */ -u8* url_encode_token(u8* str, u32 len); +u8* url_encode_token(u8* str, u32 len, u8 also_slash); /* Reconstructs URI from http_request data. Includes protocol and host if with_host is non-zero. */
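Review bot: The new `GET_HDR` check suppresses the default User-Agent when one is already present in `req->par`, but the comment immediately below it (servers refusing gzip unless `Mozilla/...` is seen) now holds only for the default; a user-supplied value lacking `Mozilla/` will quietly get uncompressed responses from such servers, which is worth a sentence in that comment, e.g. `/* Only applies to the default UA; a user-supplied one is sent verbatim. */`. Whether GET_HDR matches header names case-insensitively cannot be seen here; if it does not, a supplied `user-agent` header would produce two User-Agent lines in the request. build_request_data begins and ends outside this hunk.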