Path: blob/master/thirdparty/multipart/multipartpost.py
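#!/usr/bin/env python

"""
02/2006 Will Holcomb <[email protected]>

Reference: http://odin.himinbi.org/MultipartPostHandler.py

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""

import io
import mimetypes
import os
import re
import stat
import sys

from lib.core.compat import choose_boundary
from lib.core.convert import getBytes
from lib.core.exception import SqlmapDataException
from thirdparty.six.moves import urllib as _urllib

# Controls how sequences are encoded. If true, elements may be given
# multiple values by assigning a sequence.
doseq = True


class MultipartPostHandler(_urllib.request.BaseHandler):
    """urllib request pre-processor that encodes dict bodies.

    A dict body without file-like values is sent URL-encoded; a dict body
    with at least one file-like value is sent as multipart/form-data.
    """

    handler_order = _urllib.request.HTTPHandler.handler_order - 10  # needs to run first

    def http_request(self, request):
        """Encode a dict body in place and normalize multipart line endings.

        Args:
            request: the outgoing request; only its ``data`` attribute and
                its headers are touched.

        Returns:
            The same request object.

        Raises:
            SqlmapDataException: if iterating the dict body raises TypeError.
        """
        data = request.data

        if isinstance(data, dict):
            v_files = []
            v_vars = []

            try:
                for (key, value) in data.items():
                    # Anything that looks like an open file goes into a multipart part
                    if hasattr(value, "fileno") or hasattr(value, "file") or isinstance(value, io.IOBase):
                        v_files.append((key, value))
                    else:
                        v_vars.append((key, value))
            except TypeError as ex:
                # Report the exception itself; the traceback object used before
                # only rendered as an opaque "<traceback object at 0x...>"
                raise SqlmapDataException("not a valid non-string sequence or mapping object '%s'" % ex)

            if not v_files:
                # urlencode() returns text on Python 3, while the bytes regex
                # below (and urllib's POST handling) needs a bytes body
                data = getBytes(_urllib.parse.urlencode(v_vars, doseq))
            else:
                boundary, data = self.multipart_encode(v_vars, v_files)
                contenttype = "multipart/form-data; boundary=%s" % boundary
                request.add_unredirected_header("Content-Type", contenttype)

            request.data = data

        # NOTE: https://github.com/sqlmapproject/sqlmap/issues/4235
        # Boundary lines (and the Content-Disposition header following them) that
        # were supplied with bare LF endings are rewritten to use CRLF
        if request.data:
            for match in re.finditer(b"(?i)\\s*-{20,}\\w+(\\s+Content-Disposition[^\\n]+\\s+|\\-\\-\\s*)", request.data):
                part = match.group(0)
                if b'\r' not in part:
                    request.data = request.data.replace(part, part.replace(b'\n', b"\r\n"))

        return request

    def multipart_encode(self, vars, files, boundary=None, buf=None):
        """Build a multipart/form-data body.

        Args:
            vars: iterable of (name, value) pairs for plain form fields; a
                pair is skipped when either element is None.
            files: iterable of (name, file object) pairs; each file object
                must expose ``name``, ``seek`` and ``read``.
            boundary: boundary string; generated by choose_boundary() when None.
            buf: optional bytes prefix the body is appended to.

        Returns:
            A (boundary, body) tuple, the body being bytes.
        """
        if boundary is None:
            boundary = choose_boundary()

        if buf is None:
            buf = b""

        # NOTE(review): field names and file names are written into the part
        # headers verbatim; a double quote or CR/LF inside either one changes
        # the header structure, so callers that pass names they do not control
        # should sanitize them first.
        for (key, value) in vars:
            if key is not None and value is not None:
                buf += b"--%s\r\n" % getBytes(boundary)
                buf += b"Content-Disposition: form-data; name=\"%s\"" % getBytes(key)
                buf += b"\r\n\r\n" + getBytes(value) + b"\r\n"

        for (key, fd) in files:
            # The file size is no longer queried: it was never used (no
            # Content-Length part header is emitted) and os.fstat() fails on
            # file-like objects that have no real descriptor.
            # Keep only the last path component, whichever separator is used
            filename = fd.name.split("/")[-1] if "/" in fd.name else fd.name.split("\\")[-1]
            try:
                contenttype = mimetypes.guess_type(filename)[0] or b"application/octet-stream"
            except Exception:
                # Reference: http://bugs.python.org/issue9291
                contenttype = b"application/octet-stream"
            buf += b"--%s\r\n" % getBytes(boundary)
            buf += b"Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\r\n" % (getBytes(key), getBytes(filename))
            buf += b"Content-Type: %s\r\n" % getBytes(contenttype)
            fd.seek(0)

            # The whole file content is read into memory here
            buf += b"\r\n%s\r\n" % fd.read()

        buf += b"--%s--\r\n\r\n" % getBytes(boundary)
        buf = getBytes(buf)

        return boundary, buf

    https_request = http_request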