bumped version to 1.5.1

Merge pull request #117 from epi052/114-fix-extract-links-reporting
Fix handling of urls found in wordlists
2026-06-04 15:51:12 -03:00 · 2020-11-07 11:35:06 -06:00 · 2020-11-07 11:33:59 -06:00 · 2020-11-07 11:24:49 -06:00 · 2020-11-07 11:24:11 -06:00
2 changed files with 36 additions and 2 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "feroxbuster"
-version = "1.5.0"
+version = "1.5.1"
 authors = ["Ben 'epi' Risher <epibar052@gmail.com>"]
 license = "MIT"
 edition = "2018"
--- a/src/utils.rs
+++ b/src/utils.rs
@@ -1,4 +1,4 @@
-use crate::FeroxResult;
+use crate::{FeroxError, FeroxResult};
 use console::{strip_ansi_codes, style, user_attended};
 use indicatif::ProgressBar;
 use reqwest::Url;
@@ -153,6 +153,27 @@ pub fn format_url(
        extension
    );

+    if Url::parse(&word).is_ok() {
+        // when a full url is passed in as a word to be joined to a base url using
+        // reqwest::Url::join, the result is that the word (url) completely overwrites the base
+        // url, potentially resulting in requests to places that aren't actually the target
+        // specified.
+        //
+        // in order to resolve the issue, we check if the word from the wordlist is a parsable URL
+        // and if so, don't do any further processing
+        let message = format!(
+            "word ({}) from the wordlist is actually a URL, skipping...",
+            word
+        );
+        log::warn!("{}", message);
+
+        let mut err = FeroxError::default();
+        err.message = message;
+
+        log::trace!("exit: format_url -> {}", err);
+        return Err(Box::new(err));
+    }
+
    // from reqwest::Url::join
    //   Note: a trailing slash is significant. Without it, the last path component
    //   is considered to be a “file” name to be removed to get at the “directory”
@@ -352,6 +373,19 @@ mod tests {
        );
    }

+    #[test]
+    /// word that is a fully formed url, should return an error
+    fn format_url_word_that_is_a_url() {
+        let url = format_url(
+            "http://localhost",
+            "http://schmocalhost",
+            false,
+            &Vec::new(),
+            None,
+        );
+        assert!(url.is_err());
+    }
+
    #[test]
    /// status colorizer uses red for 500s
    fn status_colorizer_uses_red_for_500s() {
Author	SHA1	Message	Date
epi	9e143d9f19	bumped version to 1.5.1	2020-11-07 11:35:06 -06:00
epi	bd2bd2035c	Merge pull request #117 from epi052/114-fix-extract-links-reporting Fix handling of urls found in wordlists	2020-11-07 11:33:59 -06:00
epi	6e71f4e039	fixed issue with 2 urls being joined	2020-11-07 11:24:49 -06:00
epi	f5229a1ddd	fixed issue with 2 urls being joined	2020-11-07 11:24:11 -06:00