Merge pull request #192 from epi052/190-fix-double-fslash

fixed url parsing issue when word starts with 2 or more /
2026-05-30 19:41:12 -03:00 · 2021-01-15 07:04:40 -06:00 · 2021-01-15 06:56:44 -06:00 · 2021-01-13 16:44:41 -06:00
2 changed files with 32 additions and 2 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "feroxbuster"
-version = "1.12.1"
+version = "1.12.2"
 authors = ["Ben 'epi' Risher <epibar052@gmail.com>"]
 license = "MIT"
 edition = "2018"
@@ -41,7 +41,7 @@ regex = "1"
 crossterm = "0.19"
 rlimit = "0.5"
 ctrlc = "3.1"
-fuzzyhash = "0.2"
+fuzzyhash = "0.2.1"

 [dev-dependencies]
 tempfile = "3.1"
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -242,6 +242,15 @@ pub fn format_url(
    } else if add_slash && !word.ends_with('/') {
        // -f used, and word doesn't already end with a /
        format!("{}/", word)
+    } else if word.starts_with("//") {
+        // bug ID'd by @Sicks3c, when a wordlist contains words that begin with 2 forward slashes
+        // i.e. //1_40_0/static/js, it gets joined onto the base url in a surprising way
+        // ex: https://localhost/ + //1_40_0/static/js -> https://1_40_0/static/js
+        // this is due to the fact that //... is a valid url. The fix is introduced here in 1.12.2
+        // and simply removes prefixed forward slashes if there are two of them. Additionally,
+        // trim_start_matches will trim the pattern until it's gone, so even if there are more than
+        // 2 /'s, they'll still be trimmed
+        word.trim_start_matches('/').to_string()
    } else {
        String::from(word)
    };
@@ -585,6 +594,27 @@ mod tests {
        );
    }

+    #[test]
+    /// word with two prepended slashes doesn't discard the entire domain
+    fn format_url_word_with_two_prepended_slashes() {
+        let (tx, _): FeroxChannel<StatCommand> = mpsc::unbounded_channel();
+
+        let result = format_url(
+            "http://localhost",
+            "//upload/img",
+            false,
+            &Vec::new(),
+            None,
+            tx,
+        )
+        .unwrap();
+
+        assert_eq!(
+            result,
+            reqwest::Url::parse("http://localhost/upload/img").unwrap()
+        );
+    }
+
    #[test]
    /// word that is a fully formed url, should return an error
    fn format_url_word_that_is_a_url() {
Author	SHA1	Message	Date
epi	db25ddfcf3	Merge pull request #192 from epi052/190-fix-double-fslash fixed url parsing issue when word starts with 2 or more /	2021-01-15 07:04:40 -06:00
epi	02fb4a9cf6	fixed url parsing issue when word starts with 2 or more /	2021-01-15 06:56:44 -06:00
epi	5299fb0aa8	bumped fuzzyhash version to 0.2.1	2021-01-13 16:44:41 -06:00