Merge pull request #178 from xmendez/fix_http_parsing

ignore crlf until request line
xmendez · Dec 31, 2019 · a6539a7 · a6539a7
2 parents be4cb98 + d15912a
commit a6539a7
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 3 deletions.
diff --git a/src/wfuzz/__init__.py b/src/wfuzz/__init__.py
@@ -1,5 +1,5 @@
 __title__ = 'wfuzz'
-__version__ = "2.4.3"
+__version__ = "2.4.4"
 __build__ = 0x023000
 __author__ = 'Xavier Mendez'
 __license__ = 'GPL 2.0'

diff --git a/src/wfuzz/externals/reqresp/Request.py b/src/wfuzz/externals/reqresp/Request.py
@@ -447,8 +447,15 @@ def parseRequest(self, rawRequest, prot="http"):
 
         self.setUrl(prot + "://" + self._headers["Host"] + pathTMP)
 
-        pd = ""
+        # ignore CRLFs until request line
+        while tp.lastline == '' and tp.readLine():
+            pass
+
         # TODO: hacky, might need to change tp.readline returning read bytes instead
+        pd = ""
+        if tp.lastFull_line:
+            pd += tp.lastFull_line
+
         while tp.readLine():
             pd += tp.lastFull_line
 

diff --git a/src/wfuzz/externals/reqresp/Response.py b/src/wfuzz/externals/reqresp/Response.py
@@ -175,7 +175,11 @@ def parseResponse(self, rawheader, rawbody=None, type="curl"):
             else:
                 self._headers = []
 
-        # TODO: this might add to rawbody not directly to __content
+        # ignore CRLFs until request line
+        while tp.lastline == '' and tp.readLine():
+            pass
+
+        # TODO: this should be added to rawbody not directly to __content
         if tp.lastFull_line:
             self.addContent(tp.lastFull_line)
 

diff --git a/tests/test_req_parse.py b/tests/test_req_parse.py
@@ -2,6 +2,37 @@
 
 from wfuzz.fuzzobjects import FuzzRequest
 
+
+http_post_request = '''POST /slipstream/view HTTP/1.1
+Host: www
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://www
+Content-Type: text/plain;charset=UTF-8
+Origin: https://www
+Content-Length: 3387
+Connection: close
+
+
+
+a=1'''
+
+
+http_get_request = '''GET /sttc/bpk-fonts/55b577a1.woff2 HTTP/1.1
+Host: js.skyscnr.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Origin: https://www.skyscanner.es
+Connection: close
+Referer: https://js.skyscnr.com/sttc/oc-registry/components/base-stylesheet/0.1.33/build//static/css/main.e09b44e2.css
+
+
+'''
+
 http_response = '''HTTP/1.1 201 Created
 Content-Type: application/json
 Content-Length: 51
@@ -113,3 +144,17 @@ def test_parse_raw_multi_response(self):
 
         self.assertEqual(fr.content, "LINE_1")
         self.assertEqual(fr.code, 200)
+
+    def test_parse_get_crlf_request(self):
+        fr = FuzzRequest()
+        fr.update_from_raw_http(http_get_request, "https", "\n\n\n")
+
+        self.assertEqual(fr.method, "GET")
+        self.assertEqual(fr.params.raw_post, None)
+
+    def test_parse_crlf_post_request(self):
+        fr = FuzzRequest()
+        fr.update_from_raw_http(http_post_request, "https", "\n\n\n")
+
+        self.assertEqual(fr.method, "POST")
+        self.assertEqual(fr.params.post, {'a': '1'})