From 4543d60570e67c427b350f9347f156503d7bb36a Mon Sep 17 00:00:00 2001 From: bcoles Date: Sat, 24 Dec 2011 13:37:14 +1030 Subject: [PATCH] Added allowCrossDomain functionality to `beef.net.requester.send` --- core/main/client/net.js | 178 +++++++++--------------------- core/main/client/net/requester.js | 3 +- 2 files changed, 53 insertions(+), 128 deletions(-) diff --git a/core/main/client/net.js b/core/main/client/net.js index ac8b03a33..c4aa02152 100644 --- a/core/main/client/net.js +++ b/core/main/client/net.js @@ -222,63 +222,71 @@ beef.net = { }, /* - * Similar to this.request, with one extra paramater needed when dealing with requester requests: - * - requestid parameter: needed on the callback + * Similar to this.request, except from a few things that are needed when dealing with forged requests: + * - requestid: needed on the callback + * - allowCrossDomain: set cross-domain requests as allowed or blocked */ - forgerequest: function(scheme, method, domain, port, path, anchor, headers, data, timeout, dataType, requestid, callback) { - //check if same domain or cross domain + forge_request: function(scheme, method, domain, port, path, anchor, headers, data, timeout, dataType, allowCrossDomain, requestid, callback) { + + // check if same domain or cross domain var cross_domain = true; - if (document.domain == domain){ + if (document.domain == domain) { if(document.location.port == "" || document.location.port == null){ cross_domain = !(port == "80" || port == "443"); } } - //build the url + // build the url var url = ""; - - if(path.indexOf("http://") != -1 || path.indexOf("https://") != -1){ + if (path.indexOf("http://") != -1 || path.indexOf("https://") != -1) { url = path; - }else{ + } else { url = scheme + "://" + domain; url = (port != null) ? url + ":" + port : url; url = (path != null) ? url + path : url; url = (anchor != null) ? url + "#" + anchor : url; } - //define response object + // define response object var response = new this.response; response.was_cross_domain = cross_domain; var start_time = new Date().getTime(); - // if the request is crossdomain, don't proceed and return - if (cross_domain && callback != null) { + // if cross-domain requests are not allowed and the request is cross-domain + // don't proceed and return + if (!allowCrossDomain && cross_domain && callback != null) { response.status_code = -1; response.status_text = "crossdomain"; - response.response_body = "ERROR: Cross Domain Request\n"; + response.port_status = "crossdomain"; + response.response_body = "ERROR: Cross Domain Request. The request was not sent.\n"; + response.headers = "ERROR: Cross Domain Request. The request was not sent.\n"; callback(response, requestid); return response; } - if(method == "POST"){ + // build and execute the request + if (method == "POST"){ $j.ajaxSetup({ data: data }); } - //build and execute the request $j.ajax({type: method, dataType: 'script', // this is required for bugs in IE so data can be transfered back to the server url: url, headers: headers, timeout: (timeout * 1000), - //needed otherwise jQuery always add Content-type: application/xml, even if data is populated + // needed otherwise jQuery always adds: + // Content-type: application/xml + // even if data is populated beforeSend: function(xhr) { - if(method == "POST"){ + if (method == "POST") { xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=utf-8"); } }, + + // http server responded successfully success: function(data, textStatus, xhr) { var end_time = new Date().getTime(); response.status_code = xhr.status; @@ -287,6 +295,9 @@ beef.net = { response.was_timedout = false; response.duration = (end_time - start_time); }, + + // server responded with a http error (403, 404, 500, etc) + // or server is not a http server error: function(xhr, textStatus, errorThrown) { var end_time = new Date().getTime(); response.response_body = xhr.responseText; @@ -294,119 +305,32 @@ beef.net = { response.status_text = textStatus; response.duration = (end_time - start_time); }, + complete: function(xhr, textStatus) { - response.status_code = xhr.status; - response.status_text = textStatus; - response.headers = xhr.getAllResponseHeaders(); - // determine if TCP port is open/closed/not-http - if (textStatus == "timeout") { - response.was_timedout = true; - response.response_body = "ERROR: Timed out\n"; - response.port_status = "closed"; - } else if (textStatus == "parsererror") { - response.port_status = "not-http"; + // cross-domain request + if (cross_domain) { + response.status_code = -1; + response.status_text = "crossdomain"; + response.port_status = "crossdomain"; + response.response_body = "ERROR: Cross Domain Request. The request was sent however it is impossible to view the response.\n"; + response.headers = "ERROR: Cross Domain Request. The request was sent however it is impossible to view the response.\n"; } else { - response.port_status = "open"; + // same-domain request + response.status_code = xhr.status; + response.status_text = textStatus; + response.headers = xhr.getAllResponseHeaders(); + + // determine if TCP port is open/closed/not-http + if (textStatus == "timeout") { + response.was_timedout = true; + response.response_body = "ERROR: Timed out\n"; + response.port_status = "closed"; + } else if (textStatus == "parsererror") { + response.port_status = "not-http"; + } else { + response.port_status = "open"; + } } - - callback(response, requestid); - } - }); - return response; - }, - - /* - * Similar to this.request, except from a few things that are needed when dealing with proxy requests: - * - requestid parameter: needed on the callback, - * - crossdomain checks: if crossdomain requests are tunneled through the proxy, they must be not issued because - * they will always throw error for SoP. This can happen when tunneling a browser: for example - * Firefox and Chrome automatically requests /safebrowsing/downloads (XHR) - */ - proxyrequest: function(scheme, method, domain, port, path, anchor, headers, data, timeout, dataType, requestid, callback) { - //check if same domain or cross domain - var cross_domain = true; - if (document.domain == domain){ - if(document.location.port == "" || document.location.port == null){ - cross_domain = !(port == "80" || port == "443"); - } - } - - //build the url - var url = ""; - - if(path.indexOf("http://") != -1 || path.indexOf("https://") != -1){ - url = path; - }else{ - url = scheme + "://" + domain; - url = (port != null) ? url + ":" + port : url; - url = (path != null) ? url + path : url; - url = (anchor != null) ? url + "#" + anchor : url; - } - - //define response object - var response = new this.response; - response.was_cross_domain = cross_domain; - var start_time = new Date().getTime(); - - // if the request is crossdomain, don't proceed and return - if (cross_domain && callback != null) { - response.status_code = -1; - response.status_text = "crossdomain"; - response.response_body = "ERROR: Cross Domain Request\n"; - callback(response, requestid); - return response; - } - - if(method == "POST"){ - $j.ajaxSetup({ - data: data - }); - } - - //build and execute the request - $j.ajax({type: method, - dataType: 'script', // this is required for bugs in IE so data can be transfered back to the server - url: url, - headers: headers, - timeout: (timeout * 1000), - - //needed otherwise jQuery always add Content-type: application/xml, even if data is populated - beforeSend: function(xhr) { - if(method == "POST"){ - xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=utf-8"); - } - }, - - success: function(data, textStatus, xhr) { - var end_time = new Date().getTime(); - response.status_code = xhr.status; - response.status_text = textStatus; - response.response_body = data; - response.was_timedout = false; - response.duration = (end_time - start_time); - }, - error: function(xhr, textStatus, errorThrown) { - var end_time = new Date().getTime(); - response.response_body = xhr.responseText; - response.status_code = xhr.status; - response.status_text = textStatus; - response.duration = (end_time - start_time); - }, - complete: function(xhr, textStatus) { - response.status_code = xhr.status; - response.status_text = textStatus; - response.headers = xhr.getAllResponseHeaders(); - // determine if TCP port is open/closed/not-http - if (textStatus == "timeout") { - response.was_timedout = true; - response.response_body = "ERROR: Timed out\n"; - response.port_status = "closed"; - } else if (textStatus == "parsererror") { - response.port_status = "not-http"; - } else { - response.port_status = "open"; - } - callback(response, requestid); } }); diff --git a/core/main/client/net/requester.js b/core/main/client/net/requester.js index 5fb68d55a..5740f5d2c 100644 --- a/core/main/client/net/requester.js +++ b/core/main/client/net/requester.js @@ -28,10 +28,11 @@ beef.net.requester = { handler: "requester", send: function(requests_array) { + for (i in requests_array) { request = requests_array[i]; - beef.net.forgerequest('http', request.method, request.host, request.port, request.uri, null, request.headers, request.data, 10, null, request.id, + beef.net.forge_request('http', request.method, request.host, request.port, request.uri, null, request.headers, request.data, 10, null, request.allowCrossDomain, request.id, function(res, requestid) { beef.net.send('/requester', requestid, { response_data: res.response_body, response_status_code: res.status_code,