From 94fcd4336ac0b9e70117bb775a95468e54fd9f1f Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 10 Jan 2021 04:37:16 +0100
Subject: [PATCH] Add tests for rewrite behind the client's back with https

Sponsored by: Privoxy project funds collected at SPI
---
 .../data/test1 | 48 ++++++++++++++++
 .../data/test2 | 54 ++++++++++++++++++
 .../data/test3 | 55 +++++++++++++++++++
 .../data/test4 | 54 ++++++++++++++++++
 .../data/test5 | 47 ++++++++++++++++
 .../privoxy.conf | 26 +++++++++
 .../rewrites.action | 17 ++++++
 .../rewrites.filter | 16 ++++++
 8 files changed, 317 insertions(+)
 create mode 100644 tests/cts/rewrite-behind-client-back-https/data/test1
 create mode 100644 tests/cts/rewrite-behind-client-back-https/data/test2
 create mode 100644 tests/cts/rewrite-behind-client-back-https/data/test3
 create mode 100644 tests/cts/rewrite-behind-client-back-https/data/test4
 create mode 100644 tests/cts/rewrite-behind-client-back-https/data/test5
 create mode 100644 tests/cts/rewrite-behind-client-back-https/privoxy.conf
 create mode 100644 tests/cts/rewrite-behind-client-back-https/rewrites.action
 create mode 100644 tests/cts/rewrite-behind-client-back-https/rewrites.filter
diff --git a/tests/cts/rewrite-behind-client-back-https/data/test1 b/tests/cts/rewrite-behind-client-back-https/data/test1
new file mode 100644
index 00000000..53ee6789
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/data/test1
@@ -0,0 +1,48 @@
+
+
+
+HTTPS
+HTTP GET
+
+
+
+
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+HTTP/1.1 200 Connection established
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+
+
+http
+
+
+Rewrite behind the client's back: Downgrade from https to http
+
+
+--insecure https://%HOSTIP/%TESTNUMBER-downgrade-to-http-%HOSTIP:%HTTPPORT
+
+
+
+
+
+
diff --git a/tests/cts/rewrite-behind-client-back-https/data/test2 b/tests/cts/rewrite-behind-client-back-https/data/test2
new file mode 100644
index 00000000..a8f10943
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/data/test2
@@ -0,0 +1,54 @@
+
+
+
+HTTPS
+HTTP GET
+
+
+
+
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+HTTP/1.1 200 Connection established
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+
+https
+
+
+Rewrite path behind the client's back
+
+
+--insecure https://%HOSTIP:%HTTPSPORT/%TESTNUMBER-remove-this
+
+
+
+
+
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPSPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+
+
+
diff --git a/tests/cts/rewrite-behind-client-back-https/data/test3 b/tests/cts/rewrite-behind-client-back-https/data/test3
new file mode 100644
index 00000000..6c49f64e
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/data/test3
@@ -0,0 +1,55 @@
+
+
+
+HTTPS
+HTTP GET
+
+
+
+
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+HTTP/1.1 200 Connection established
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+
+
+https
+
+
+Rewrite host behind the client's back
+
+
+--insecure https://www.example.org/%TESTNUMBER-%HOSTIP:%HTTPSPORT
+
+
+
+
+
+GET /%TESTNUMBER HTTP/1.1
+Host: www.example.org
+User-Agent: curl/%VERSION
+Accept: */*
+
+
+
+
diff --git a/tests/cts/rewrite-behind-client-back-https/data/test4 b/tests/cts/rewrite-behind-client-back-https/data/test4
new file mode 100644
index 00000000..23752718
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/data/test4
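Review bot: The expected request in data/test3 still carries `Host: www.example.org` although the rewrite-host filter directs the request to %HOSTIP:%HTTPSPORT, and the test does not say that this mismatch is the intended outcome. A Host header that differs from the actual destination is what a maintainer would first read as a bug, and it matters for any host-based rule applied after the rewrite. Saying so in the test name would pin the intent, e.g. `Rewrite host behind the client's back (Host header is left unchanged)`. The markup of the test file is not visible in this view, so this is based on the request lines alone.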
@@ -0,0 +1,54 @@
+
+
+
+HTTPS
+HTTP GET
+
+
+
+
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+HTTP/1.1 200 Connection established
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+
+https
+
+
+Client header filter that doesn't match anything. According to Valgrind it triggers a "Conditional jump or move depends on uninitialised value(s)"
+
+
+--insecure https:///%HOSTIP:%HTTPSPORT/%TESTNUMBER
+
+
+
+
+
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPSPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+
+
+
diff --git a/tests/cts/rewrite-behind-client-back-https/data/test5 b/tests/cts/rewrite-behind-client-back-https/data/test5
new file mode 100644
index 00000000..2e6bd11b
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/data/test5
@@ -0,0 +1,47 @@
+
+
+
+HTTPS
+HTTP GET
+
+
+
+
+
+HTTP/1.1 200 OK
+Connection: close
+Content-Type: text/html
+Content-Length: 18
+
+Here's your data.
+
+
+
+
+HTTP/1.1 200 Connection established
+
+HTTP/1.1 400 Malformed request after rewriting
+Content-Type: text/plain
+Connection: close
+
+Bad request. Messed up with header filters.
+
+
+
+
+
+
+none
+
+
+Rewrite behind the client's back: unsupporte http version
+
+
+--insecure https://%HOSTIP/%TESTNUMBER
+
+
+
+
+
+
diff --git a/tests/cts/rewrite-behind-client-back-https/privoxy.conf b/tests/cts/rewrite-behind-client-back-https/privoxy.conf
new file mode 100644
index 00000000..8fb261e9
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/privoxy.conf
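Review bot: The command URL in data/test4 is written with three slashes, `https:///%HOSTIP:%HTTPSPORT/%TESTNUMBER`, while the expected request is an ordinary `GET /%TESTNUMBER` with `Host: %HOSTIP:%HTTPSPORT`, so the test appears to depend on curl tolerating the extra slash. If it is a typo, `--insecure https://%HOSTIP:%HTTPSPORT/%TESTNUMBER` matches the form used in test2; if it is deliberate, the test name should say so. The name also records a Valgrind "uninitialised value" report without stating whether the test is meant to be run under Valgrind or whether the report has since been fixed, which leaves a maintainer unable to tell what a regression looks like.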
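Review bot: The test name in data/test5 has a typo, `unsupporte http version`; it should read `Rewrite behind the client's back: unsupported http version`. The expected proxy reply is the `400 Malformed request after rewriting` line with no server configured, so the name is the only place that explains which malformation is being exercised and is worth getting right.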
@@ -0,0 +1,26 @@
+listen-address 127.0.0.1:9119
+
+ca-directory ../ca-directory
+ca-cert-file privoxy-test-cacert.crt
+ca-key-file privoxy-test-cakey.pem
+ca-password blafasel
+# We don't check certificate anyway
+trusted-cas-file privoxy-test-cacert.crt
+
+certificate-directory ../certs
+
+debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
+debug 2 # show each connection status
+debug 4 # show tagging-related messages
+debug 8 # show header parsing
+debug 32 # debug force feature
+debug 64 # debug regular expression filters
+debug 128 # debug redirects
+debug 256 # debug GIF de-animation
+debug 512 # Common Log Format
+debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
+debug 4096 # Startup banner and warnings.
+debug 8192 # Non-fatal errors
+
+actionsfile rewrites.action
+filterfile rewrites.filter
diff --git a/tests/cts/rewrite-behind-client-back-https/rewrites.action b/tests/cts/rewrite-behind-client-back-https/rewrites.action
new file mode 100644
index 00000000..26235521
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/rewrites.action
@@ -0,0 +1,17 @@
+{+https-inspection +ignore-certificate-errors}
+/
+
+{+client-header-filter{https-to-http}}
+/1-downgrade-to-http
+
+{+client-header-filter{truncate-path}}
+/2-remove-this
+
+{+client-header-filter{rewrite-host}}
+/3
+
+{+client-header-filter{non-matching-rewriter}}
+/4
+
+{+client-header-filter{invalid-http-version}}
+/5
diff --git a/tests/cts/rewrite-behind-client-back-https/rewrites.filter b/tests/cts/rewrite-behind-client-back-https/rewrites.filter
new file mode 100644
index 00000000..a6442551
--- /dev/null
+++ b/tests/cts/rewrite-behind-client-back-https/rewrites.filter
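Review bot: `ca-password blafasel` and the CA key file name are committed in clear text in privoxy.conf, and the only explanation nearby is `# We don't check certificate anyway` on `trusted-cas-file`. That is acceptable for a throwaway test CA, but the file never says the CA is test-only, so it can be copied as a template for a real HTTPS-inspection setup. A comment above `ca-directory` such as `# Test-only CA: key and password are public; never add this CA to a real trust store` would make that explicit. The loopback binding in `listen-address 127.0.0.1:9119` is the right choice for an inspecting proxy with these settings and should stay.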
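Review bot: `{+https-inspection +ignore-certificate-errors}` in rewrites.action is applied to the catch-all pattern `/`, and every test command also passes `--insecure` to curl, so certificate validation is disabled on both legs for the whole directory. For the rewrite-host case (pattern `/3`) this means the request is sent to a different host than the client named without the server certificate being checked against either name. If that is intended for the harness, a header comment such as `# Test harness only: upstream certificates are not verified here` would say so. A companion test without `+ignore-certificate-errors` would document how a rewritten destination interacts with validation.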
@@ -0,0 +1,16 @@
+CLIENT-HEADER-FILTER: https-to-http Downgrade protocol to http
+s@^(\w+) (/\d-downgrade-to-http)-(\d+\.\d+\.\d+\.\d+\:\d+)@$1 http://$3$2@i
+
+CLIENT-HEADER-FILTER: truncate-path Removes '-remove-this' from the path
+s@(/\d)-remove-this (HTTP/1.1)@$1 $2@i
+
+CLIENT-HEADER-FILTER: rewrite-host Replaces the host with the one specified in the path
+s@GET /(\d)-(\d+\.\d+\.\d+\.\d+\:\d+) (HTTP/1.1)@GET https://$2/$1 $3@i
+
+# Results in Conditional jump or move depends on uninitialised value(s)?
+CLIENT-HEADER-FILTER: non-matching-rewriter Does not actually match
+s@/-@@
+
+CLIENT-HEADER-FILTER: invalid-http-version Rewrites the request line with an invalid HTTP version
+s@HTTP/1.1@HTTP/9000@
+
--
2.39.2
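Review bot: The `invalid-http-version` job `s@HTTP/1.1@HTTP/9000@` in rewrites.filter is not anchored and leaves the dot unescaped. Assuming client-header filters run over every header line and not only the request line, it would also rewrite any other header that happens to contain that text. Anchoring keeps the fixture limited to what its description claims: `s@ HTTP/1\.1$@ HTTP/9000@`. The same unescaped `HTTP/1.1` appears in the `truncate-path` and `rewrite-host` jobs. Separately, the comment `# Results in Conditional jump or move depends on uninitialised value(s)?` ends in a question mark; it should state whether the Valgrind report was confirmed, so the purpose of `non-matching-rewriter` is clear to the next reader.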