author | Matías Lang <yo@matiaslang.me> | 2019-01-13 23:45:28 -0300 |
---|---|---|
committer | Matías Lang <yo@matiaslang.me> | 2019-01-13 23:45:28 -0300 |
commit | eab4174b87c7ba0b7dab2c8d7e0b13253833abe8 (patch) | |
tree | 26cc596af11c4b471a1f021a5e1819f1368a10f7 /mitmproxy/addons | |
parent | d027891cec67e190403fc4fa73f17d7a74f02720 (diff) | |
Fix command injection when exporting to httpie
The command generated by `export.clip httpie @focus` or `export.file
httpie @focus /path/to/file` wasn't being properly shell-escaped, so a
crafted request could turn it into an arbitrary command instead of just a
simple httpie call.
Diffstat (limited to 'mitmproxy/addons')
-rw-r--r-- | mitmproxy/addons/export.py | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/mitmproxy/addons/export.py b/mitmproxy/addons/export.py
index 271fc49d..761b3915 100644
--- a/mitmproxy/addons/export.py
+++ b/mitmproxy/addons/export.py
@@ -44,17 +44,21 @@ def curl_command(f: flow.Flow) -> str:
 def httpie_command(f: flow.Flow) -> str:
     raise_if_missing_request(f)
     request = f.request.copy()  # type: ignore
-    data = "http %s " % request.method
+    args = ["http"]
+    args.append(shlex.quote(request.method))
     request.decode(strict=False)
-    data += "%s" % request.url
+    args.append(shlex.quote(request.url))
     for k, v in request.headers.items(multi=True):
-        data += " '%s:%s'" % (k, v)
+        args.append(shlex.quote("%s:%s" % (k, v)))
     if request.content:
-        data += " <<< '%s'" % strutils.bytes_to_escaped_str(
-            request.content,
-            escape_single_quotes=True
-        )
-    return data
+        try:
+            content = strutils.always_str(request.content)
+        except UnicodeDecodeError:
+            # shlex.quote doesn't support a bytes object
+            # see https://github.com/python/cpython/pull/10871
+            raise exceptions.CommandError("Request content must be valid unicode")
+        args += ["<<<", shlex.quote(content)]
+    return ' '.join(args)
 
 
 def raw(f: flow.Flow) -> bytes:
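Review bot: `shlex.quote`, applied here to the method, URL, each header and the body, only produces quoting that is safe for a POSIX shell, and `<<<` is a bash/zsh here-string, so the exported command remains unsafe to paste into cmd.exe or PowerShell; that assumption belongs in a comment on `httpie_command`, e.g. `# Quoted for a POSIX shell (bash/zsh, because of the <<< here-string); NOT safe for cmd.exe/PowerShell.` The `except UnicodeDecodeError` branch should chain explicitly — `raise exceptions.CommandError("Request content must be valid unicode") from None` (or `from e` if the decode offset is worth keeping) — so the traceback is not read as a second, unrelated failure. `strutils.always_str` is called with no encoding argument, so the body is presumably decoded as strict UTF-8 and anything else becomes a `CommandError`; if that is the intent, say so in the comment above `raise`. If `curl_command`, whose body lies outside this hunk, still builds its command with `%`-formatting and hand-placed single quotes, it has the same injection and needs the same `shlex.quote` treatment.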