From 4d36699dc25b553f04068abb4ed7c75c4ae08669 Mon Sep 17 00:00:00 2001
From: aliowka-fornova
Date: Wed, 23 May 2018 19:22:20 +0300
Subject: [PATCH 1/3] BUG FIX: proxy credentials leak
---
 .../src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java b/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
index d4ddc5543..10e59aef7 100644
--- a/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
+++ b/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
@@ -352,7 +352,7 @@ public InetSocketAddress getChainedProxyAddress() {
 public void filterRequest(HttpObject httpObject) {
 String chainedProxyAuth = chainedProxyCredentials;
 if (chainedProxyAuth != null) {
- if (httpObject instanceof HttpRequest) {
+ if (httpObject instanceof HttpRequest && ((HttpRequest) httpObject).method().toString().equals("CONNECT")) {
 HttpHeaders.addHeader((HttpRequest)httpObject, HttpHeaders.Names.PROXY_AUTHORIZATION, "Basic " + chainedProxyAuth);
 }
 }
From c974ed8b2f81b0033c0ecb18c1e289984e438df6 Mon Sep 17 00:00:00 2001
From: aliowka-fornova
Date: Wed, 23 May 2018 19:22:20 +0300
Subject: [PATCH 2/3] BUG FIX: proxy credentials leak
---
 .../main/java/net/lightbody/bmp/BrowserMobProxyServer.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java b/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
index d4ddc5543..be4fa40de 100644
--- a/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
+++ b/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
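Review bot: In the PATCH 1/3 hunk the new condition in filterRequest attaches Proxy-Authorization only to CONNECT, so plain-HTTP requests that are forwarded to the chained proxy would presumably leave without credentials and be refused by an authenticating upstream; the later revisions in this series widen the condition for that reason. The method test is also a string round-trip, `method().toString().equals("CONNECT")`; comparing against the constant, `HttpMethod.CONNECT.equals(((HttpRequest) httpObject).method())`, states the intent directly, provided HttpMethod is in scope in this file. filterRequest's closing brace lies outside the hunk.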
@@ -352,7 +352,9 @@ public InetSocketAddress getChainedProxyAddress() {
 public void filterRequest(HttpObject httpObject) {
 String chainedProxyAuth = chainedProxyCredentials;
 if (chainedProxyAuth != null) {
- if (httpObject instanceof HttpRequest) {
+ if (httpObject instanceof HttpRequest && (
+ ((HttpRequest) httpObject).method().toString().equals("CONNECT") ||
+ !((HttpRequest) httpObject).uri().toString().startsWith("/"))) {
 HttpHeaders.addHeader((HttpRequest)httpObject, HttpHeaders.Names.PROXY_AUTHORIZATION, "Basic " + chainedProxyAuth);
 }
 }
From 5cc27f15b66e5e9ed2976e68a3955e98dc9befd0 Mon Sep 17 00:00:00 2001
From: aliowka-fornova
Date: Fri, 25 May 2018 14:07:04 +0300
Subject: [PATCH 3/3] Fixing credentials leak
---
 .../main/java/net/lightbody/bmp/BrowserMobProxyServer.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java b/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
index d4ddc5543..1b87ffa2c 100644
--- a/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
+++ b/browsermob-core/src/main/java/net/lightbody/bmp/BrowserMobProxyServer.java
@@ -352,8 +352,10 @@ public InetSocketAddress getChainedProxyAddress() {
 public void filterRequest(HttpObject httpObject) {
 String chainedProxyAuth = chainedProxyCredentials;
 if (chainedProxyAuth != null) {
- if (httpObject instanceof HttpRequest) {
- HttpHeaders.addHeader((HttpRequest)httpObject, HttpHeaders.Names.PROXY_AUTHORIZATION, "Basic " + chainedProxyAuth);
+ if (httpObject instanceof HttpRequest && (
+ ProxyUtils.isCONNECT(httpObject) ||
+ !((HttpRequest) httpObject).getUri().startsWith("/"))) {
+ HttpHeaders.addHeader((HttpRequest) httpObject, HttpHeaders.Names.PROXY_AUTHORIZATION, "Basic " + chainedProxyAuth);
 }
 }
 }
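Review bot: The `!…startsWith("/")` test added in PATCH 2/3, and kept in 3/3, infers where a request is going from the shape of its request target, which is supplied by the client. A request inside a decrypted tunnel whose target is not in origin-form (absolute-form, or the `*` of `OPTIONS *`) still satisfies the condition and would carry the chained-proxy credentials on to the origin server, unless something ahead of this filter normalises the URI, which the hunk does not show. Deciding from connection state, that is whether the request is addressed to the chained proxy or relayed through an established tunnel, would close that gap; if that state is not reachable here, the assumption should be written next to the condition. 2/3 also calls `method()` and `uri()` where 3/3 uses `getUri()`, so confirm which accessors the project's Netty version provides. filterRequest's closing brace lies outside the 2/3 hunk.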
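Review bot: The condition in PATCH 3/3 carries the whole fix but has no comment saying why origin-form requests are excluded, and the diffstat shows only BrowserMobProxyServer.java changed, so nothing guards against the leak coming back. I would add above the `if`: `// Proxy-Authorization is for the chained proxy only: send it on CONNECT and on non-origin-form requests, not on origin-form requests relayed to the destination server`. A regression test that sends an HTTPS request through a credentialed chained proxy and asserts the destination receives no Proxy-Authorization header would pin the behaviour.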