diff options
author | Matías Lang <yo@matiaslang.me> | 2019-01-13 23:27:43 -0300 |
---|---|---|
committer | Matías Lang <yo@matiaslang.me> | 2019-01-13 23:39:50 -0300 |
commit | d027891cec67e190403fc4fa73f17d7a74f02720 (patch) | |
tree | 1a7f5f420ac1785d407032f0d3dcd51fb4060725 /mitmproxy | |
parent | 889987aa0a7f4852758ed09f70fe5d30f733a6d3 (diff) | |
download | mitmproxy-d027891cec67e190403fc4fa73f17d7a74f02720.tar.gz mitmproxy-d027891cec67e190403fc4fa73f17d7a74f02720.tar.bz2 mitmproxy-d027891cec67e190403fc4fa73f17d7a74f02720.zip |
Fix command injection when exporting to curl
The command generated by `export.clip curl @focus` or `export.file curl
@focus /path/to/file` wasn't being properly escaped so it could contain
a malicious command instead of just a simple curl.
Diffstat (limited to 'mitmproxy')
-rw-r--r-- | mitmproxy/addons/export.py | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/mitmproxy/addons/export.py b/mitmproxy/addons/export.py index 90e95d3e..271fc49d 100644 --- a/mitmproxy/addons/export.py +++ b/mitmproxy/addons/export.py @@ -1,4 +1,5 @@ import typing +import shlex from mitmproxy import ctx from mitmproxy import command @@ -18,20 +19,26 @@ def raise_if_missing_request(f: flow.Flow) -> None: def curl_command(f: flow.Flow) -> str: raise_if_missing_request(f) - data = "curl " + args = ["curl"] request = f.request.copy() # type: ignore request.decode(strict=False) for k, v in request.headers.items(multi=True): - data += "-H '%s:%s' " % (k, v) + args += ["-H", shlex.quote("%s:%s" % (k, v))] if request.method != "GET": - data += "-X %s " % request.method - data += "'%s'" % request.url + args += ["-X", shlex.quote(request.method)] + args.append(shlex.quote(request.url)) if request.content: - data += " --data-binary '%s'" % strutils.bytes_to_escaped_str( - request.content, - escape_single_quotes=True - ) - return data + try: + content = strutils.always_str(request.content) + except UnicodeDecodeError: + # shlex.quote doesn't support a bytes object + # see https://github.com/python/cpython/pull/10871 + raise exceptions.CommandError("Request content must be valid unicode") + args += [ + "--data-binary", + shlex.quote(strutils.always_str(request.content)) + ] + return ' '.join(args) def httpie_command(f: flow.Flow) -> str: |