Merge pull request #37 from Vasco-jofra/bug-fixes
Fixes the "origin reflected" check and the extractHeaders function
This commit is contained in:
Somdev Sangwan
@@ -10,10 +10,11 @@ urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|||||||
def requester(url, scheme, headers, origin):
|
def requester(url, scheme, headers, origin):
|
||||||
headers['Origin'] = origin
|
headers['Origin'] = origin
|
||||||
try:
|
try:
|
||||||
response = requests.get(url, headers=headers, verify=False).headers
|
response = requests.get(url, headers=headers, verify=False)
|
||||||
for key, value in response.items():
|
headers = response.headers
|
||||||
|
for key, value in headers.items():
|
||||||
if key.lower() == 'access-control-allow-origin':
|
if key.lower() == 'access-control-allow-origin':
|
||||||
return response
|
return headers
|
||||||
except requests.exceptions.RequestException as e:
|
except requests.exceptions.RequestException as e:
|
||||||
if 'Failed to establish a new connection' in str(e):
|
if 'Failed to establish a new connection' in str(e):
|
||||||
print ('%s %s is unreachable' % (bad, url))
|
print ('%s %s is unreachable' % (bad, url))
|
||||||
|
|||||||
@@ -25,16 +25,18 @@ def passive_tests(url, headers):
|
|||||||
def active_tests(url, root, scheme, header_dict, delay):
|
def active_tests(url, root, scheme, header_dict, delay):
|
||||||
origin = scheme + '://' + root
|
origin = scheme + '://' + root
|
||||||
headers = requester(url, scheme, header_dict, origin)
|
headers = requester(url, scheme, header_dict, origin)
|
||||||
if headers:
|
acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
|
||||||
origin = root + '://' + 'example.com'
|
if acao_header is None:
|
||||||
|
return
|
||||||
|
|
||||||
|
origin = scheme + '://' + 'example.com'
|
||||||
|
headers = requester(url, scheme, header_dict, origin)
|
||||||
acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
|
acao_header, acac_header = headers.get('access-control-allow-origin', None), headers.get('access-control-allow-credentials', None)
|
||||||
if acao_header and acao_header == (origin):
|
if acao_header and acao_header == (origin):
|
||||||
info = details['origin reflected']
|
info = details['origin reflected']
|
||||||
info['acao header'] = acao_header
|
info['acao header'] = acao_header
|
||||||
info['acac header'] = acac_header
|
info['acac header'] = acac_header
|
||||||
return {url : info}
|
return {url : info}
|
||||||
elif not acao_header:
|
|
||||||
return
|
|
||||||
time.sleep(delay)
|
time.sleep(delay)
|
||||||
|
|
||||||
origin = scheme + '://' + root + '.example.com'
|
origin = scheme + '://' + root + '.example.com'
|
||||||
|
|||||||
@@ -64,17 +64,13 @@ def prompt(default=None):
|
|||||||
return tmpfile.read().strip()
|
return tmpfile.read().strip()
|
||||||
|
|
||||||
|
|
||||||
def extractHeaders(headers):
|
def extractHeaders(headers: str):
|
||||||
headers = headers.replace('\\n', '\n')
|
|
||||||
sorted_headers = {}
|
sorted_headers = {}
|
||||||
matches = re.findall(r'^?(.*?):\s(.*?)[\n$]', headers)
|
for header in headers.split('\\n'):
|
||||||
for match in matches:
|
name, value = header.split(":", 1)
|
||||||
header = match[0]
|
name = name.strip()
|
||||||
value = match[1]
|
value = value.strip()
|
||||||
try:
|
if len(value) >= 1 and value[-1] == ',':
|
||||||
if value[-1] == ',':
|
|
||||||
value = value[:-1]
|
value = value[:-1]
|
||||||
sorted_headers[header] = value
|
sorted_headers[name] = value
|
||||||
except IndexError:
|
|
||||||
pass
|
|
||||||
return sorted_headers
|
return sorted_headers
|
||||||
Reference in New Issue
Block a user