This commit fixes GHSA-gcx2-gvj7-pxv3 by making mitmproxy
reject header names that contain whitespace characters by default.
A new `validate_inbound_headers` option is provided to turn this behavior
off at the expense of allowing HTTP smuggling vulnerabilities.
* Example addon for saving streamed data including a small bug fix to make it work.
* Revert "Example addon for saving streamed data including a small bug fix to make it work."
This reverts commit 02ab78def9a52eaca1a89d0757cd9475ce250eaa.
* Add support for rotating stream files every hour or day
* Added tests
* Modified to change the stream file every time the formating string changes as time moves on.
* Update to more compact version
* simplify save addon logic
* make mypy happy
* fix compatibility with Python 3.8
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
* changes for custom port number
* indent correction
* test coverage
* coverage correction
* simplify LDAP auth
* make mypy hapy
Co-authored-by: Maximilian Hils <git@maximilianhils.com>
We previously relied on the state of `Flow.reply` to check if a flow can be killed,
but this doesn't work anymore with `Flow.reply` being removed. Instead, we now
reintroduce the `Flow.live` attribute, which signals if we are on a live connection.
Killing still is not ideal (see comment in `Flow.killable`), but this paves the way.
The major, breaking change is that it is no longer possible to "take" a reply in
order to block the effect of a later addon hook.
This is patch 4/4 of the reply-ectomy.
In principle, a flow is killable as long as the connection handler is still
checking the error status of the flow.
This is patch 2/4 of the reply-ectomy.
This should improve behaviour, since calls to @concurrent will now be serialized
relative to other hooks on the same flow (but will still run in parallel with
hooks on different flows). Unlike a plain async hook, @concurrent allows blocking
sync APIs to run concurrently (e.g. requests).
This is patch 1/4 of the reply-ectomy.
Previously, it was throwing the following error:
File mitmproxy/addons/dumper.py, line 133, in _echo_request_line
elif flow.client_conn.peername:
AttributeError: 'bool' object has no attribute 'peername'
* Replays via upstream also need to comply with upstream handling
* Adjusted test for HTTP upstream replay which should NOT do a CONNECT
* Added Changelog
* Test for replay https pver upstream with CONNECT
* Proxy requests use full URL with host & port
* Finally remove some prints
* lint!
Co-authored-by: Maximilian Hils <github@maximilianhils.com>
* Replaced Kaitai protobuf parser with custom implementation, to prepare packed data handling
* Clamp varint size for bool conversion to 64bit, to satify tests
* moved WireParser into ProtoParser
* preserve work state
* Full packed support
* noc changes to example addon
* Adjusted test regex for ValueError
* Do not try to unpack fields twice
