Restricting evaluated code variable names to Python valid characters ([_0-9a-zA-Z])

stamparm · stamparm · commit 6bcc95a20d41 · 2015-02-24T15:05:44.000+01:00
diff --git a/lib/request/connect.py b/lib/request/connect.py
@@ -848,7 +848,7 @@ def _randomizeParameter(paramString, randomParameter):
                 for part in item.split(delimiter):
                     if '=' in part:
                         name, value = part.split('=', 1)
-                        name = name.strip()
+                        name = re.sub(r"[^\w]", "", name.strip())
                         if name in keywords:
                             name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
                         value = urldecode(value, convall=True, plusspace=(item==post and kb.postSpaceToPlus))
@@ -858,7 +858,7 @@ def _randomizeParameter(paramString, randomParameter):
                 for part in cookie.split(conf.cookieDel or DEFAULT_COOKIE_DELIMITER):
                     if '=' in part:
                         name, value = part.split('=', 1)
-                        name = name.strip()
+                        name = re.sub(r"[^\w]", "", name.strip())
                         if name in keywords:
                             name = "%s%s" % (name, EVALCODE_KEYWORD_SUFFIX)
                         value = urldecode(value, convall=True)
