DDT,

    Please read inline,

On Thu, Jan 28, 2010 at 9:54 AM, DDT <dtillem...@gmail.com> wrote:
> Hi Andreas,
> In the release candidate code, in the file
> core/controllers/deamons/proxy.py, in the class SSLConnectionFile, I found
> that the buffer to read was fixed at 4096 instead of the amount given as a
> parameter.
> We use it to transport signed SAML requests which are bigger than 4096.
> Shouldn't it be the amount parameter?

    Possibly, yes. Let's see the code.

>     def read( self, amount ):
>         if self._readBuf == '':
> -            self._readBuf = self._sslCon.recv(4096)
> +            self._readBuf = self._sslCon.recv(amount)
>         result, self._readBuf = self._readBuf[0:amount],
> self._readBuf[amount:]
>         return result
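
Review bot: the guard `if self._readBuf == '':` above the changed line still skips recv() whenever the buffer is non-empty, so a buffer holding fewer than `amount` bytes yields a short read even with this change. Compare `len(self._readBuf) < amount` instead and append the received data to the buffer rather than assigning it; note also that recv(amount) may return fewer than `amount` bytes, so a caller that needs the full body has to loop.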

    Actually... at first I thought about removing the "_readBuf"
attribute completely, but I think that would be an error because the
readline() method would be slower.

    More related to your patch, I think that there are some edge cases
to take care of... What if:

- self._readBuf == 'abc'
- amount == 4

    You would never go past the "if self._readBuf == '':", and at the
same time you'll never read the next letter (let's suppose it's a "d").
The code I think would work is:

    def read( self, amount ):
        if len(self._read_buffer) < amount:
            #   We actually want to read ahead in order to have more data
            #   in the buffer.
            if amount <= 4096:
                to_read = 4096
            else:
                to_read = amount
            #   Append, so that bytes already buffered are not discarded.
            self._read_buffer += self._sslCon.recv( to_read )

        result, self._read_buffer = (self._read_buffer[0:amount],
                                     self._read_buffer[amount:])
        return result

    I just tested it in my installation and it works fine. Could you
please test it with your large requests to see if they work ok? After
your confirmation I'll commit it to the trunk. Thanks!

Cheers,

> Greetz,
> David
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
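
The edge cases discussed in this thread, as an added example that is not part of the original e-mail or of w3af's code. It goes one step beyond the thread by looping until the request is satisfied or the peer closes, since a single recv() may return fewer bytes than asked for. BufferedConn, FakeConn and the chunked sample message are hypothetical names and constructed data (Python 3, bytes buffers).

```python
# Added illustration; BufferedConn and FakeConn are hypothetical names,
# not classes from w3af.
READ_AHEAD = 4096  # read-ahead size used in the thread


class FakeConn:
    """Constructed stand-in for an SSL connection: recv() hands back the
    queued chunks one at a time, possibly shorter than requested."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv(self, size):
        if not self._chunks:
            return b""                      # peer closed the connection
        chunk = self._chunks.pop(0)
        if len(chunk) > size:               # never return more than asked
            self._chunks.insert(0, chunk[size:])
            chunk = chunk[:size]
        return chunk


class BufferedConn:
    def __init__(self, conn):
        self._conn = conn
        self._read_buffer = b""

    def read(self, amount):
        # Keep receiving until the request can be satisfied or the peer
        # closes; a single recv() may deliver fewer bytes than requested.
        while len(self._read_buffer) < amount:
            missing = amount - len(self._read_buffer)
            data = self._conn.recv(max(READ_AHEAD, missing))
            if not data:
                break
            self._read_buffer += data       # append, never overwrite
        result = self._read_buffer[:amount]
        self._read_buffer = self._read_buffer[amount:]
        return result


def demo():
    # Constructed input: a 6000-byte message delivered in uneven pieces.
    message = b"abc" + b"d" * 5997
    pieces = [message[:3], message[3:1500], message[1500:]]
    conn = BufferedConn(FakeConn(pieces))
    first = conn.read(4)      # first recv() delivers only b"abc"
    rest = conn.read(6000)    # larger than 4096; peer closes afterwards
    return first, rest, conn.read(10)
```
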
