USArmyResearchLab / Dshell

Dshell is a network forensic analysis framework.

Fix looking for headers in request.body #57

Closed volkjohn closed 9 years ago

volkjohn commented 9 years ago

This is a fix for issue #56. Request and response now share the same extraction code. While I would say this is a fix, I believe there still might be an issue with extracting a file from only the request or response. There may be situations where a file may want to be extracted from both. I encountered this with the OCSP protocol.

wglodek commented 9 years ago

Thank you for the pull request. The code is cleaner and takes care of #56. I agree there is still an issue with extracting content from both a request and a response that still needs to be addressed.

One aspect of POSTHandler() that is still useful is the parsing of the "filename" from the server response header "Content-Disposition". For example, take a look at this pcap: http://www.malware-traffic-analysis.net/2015/01/21/2015-01-21-Upatre-Dyre-infection-traffic.pcap

Here is a request/response header:

Start: 2015-01-21 15:46:28.668786 UTC
  End: 2015-01-21 15:46:31.529464 UTC
192.168.221.134:49169 -> 89.42.216.133:80 (375 bytes)
89.42.216.133:80 -> 192.168.221.134:49169 (9925 bytes)

GET /js/jquery-1.41.15.js?get_message=3290013886 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://ep.nelsonmandelabay.gov.za/DOCUMENT~STORAGE_DATA/get.last_invoice.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: crts.ro
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 21 Jan 2015 15:46:31 GMT
Server: LiteSpeed
Connection: close
X-Powered-By: PHP/5.2.17
Pragma: public
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Type: $ctype
Content-Disposition: attachment; filename= invoice_pdf69301.zip ;
Content-Transfer-Encoding: binary
Content-Length: 9548

When written to disk, I think "invoice_pdf69301.zip" is a better or more accurate filename than "jquery-1.41.15.js". Would you agree?
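The filename-selection logic under discussion, as an added example that is not Dshell's code and not from either commenter: it prefers the `filename` parameter of the response's Content-Disposition header over the last path segment of the request URL, tolerates the sloppy formatting seen in the headers above (`filename= invoice_pdf69301.zip ;`, unquoted, with stray spaces and a trailing semicolon), and reduces whatever it finds to a bare basename, since a hostile server controls that header and must not be allowed to pick the output directory. The sample request URI and response header block are a trimmed, constructed copy of the ones quoted in this thread; all function names are my own.

```python
"""Pick an on-disk filename for content extracted from an HTTP exchange.

Added example, not Dshell's code.  Preference order:
  1. filename parameter of the response Content-Disposition header
  2. last path segment of the request URI
  3. a fixed fallback name
The RFC 5987 encoded form (filename*=UTF-8''...) is not decoded here and
falls through to the URL-derived name.
"""
import re
from urllib.parse import urlsplit, unquote

# filename=VALUE where VALUE is a quoted string or a run of characters up to
# the next ';', '"' or whitespace.  Whitespace around '=' is tolerated, which is
# what makes 'filename= invoice_pdf69301.zip ;' parse.
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;"\s]+))',
                          re.IGNORECASE)

# Constructed sample data, trimmed from the headers quoted in the thread.
SAMPLE_REQUEST_URI = '/js/jquery-1.41.15.js?get_message=3290013886'
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: LiteSpeed
Connection: close
Content-Type: $ctype
Content-Disposition: attachment; filename= invoice_pdf69301.zip ;
Content-Transfer-Encoding: binary
Content-Length: 9548
"""


def parse_headers(raw):
    """Parse a raw header block into a dict keyed by lowercased header name.

    The status/request line has no ':' and is skipped.  Repeated headers
    (two Cache-Control lines, say) are joined with ', '.
    """
    headers = {}
    for line in raw.splitlines():
        if ':' not in line:
            continue
        name, _, value = line.partition(':')
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ', ' + value
    return headers


def filename_from_content_disposition(value):
    """Return the filename parameter of a Content-Disposition value, or None."""
    if not value:
        return None
    m = _FILENAME_RE.search(value)
    if not m:
        return None
    name = m.group(1) if m.group(1) is not None else m.group(2)
    return name.strip() or None


def filename_from_url(request_uri):
    """Return the last path segment of the request URI (query string dropped)."""
    path = urlsplit(request_uri).path
    return unquote(path.rsplit('/', 1)[-1]) or None


def safe_basename(name, fallback='extracted.bin'):
    """Strip directory components and control characters from a server-supplied name.

    Both '/' and '\\' are treated as separators so '..\\..\\x' cannot escape
    the output directory on any platform; empty or dot-only results get the
    fallback name.
    """
    name = name.replace('\\', '/').rsplit('/', 1)[-1]
    name = re.sub(r'[\x00-\x1f\x7f]', '', name).strip()
    return fallback if name in ('', '.', '..') else name


def choose_output_filename(request_uri, response_headers):
    """Content-Disposition filename if present, else URL basename, always sanitised."""
    cd_name = filename_from_content_disposition(
        response_headers.get('content-disposition'))
    return safe_basename(cd_name or filename_from_url(request_uri) or '')


if __name__ == '__main__':
    hdrs = parse_headers(SAMPLE_RESPONSE_HEADERS)
    print(choose_output_filename(SAMPLE_REQUEST_URI, hdrs))
```

Run against the sample exchange this yields `invoice_pdf69301.zip`; with no Content-Disposition header it falls back to `jquery-1.41.15.js`. The regex deliberately does not try to honour every corner of RFC 6266; the point is that the header is attacker-controlled input and the resulting string should only ever be used as a basename.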

volkjohn commented 9 years ago

I agree, "invoice_pdf69301.zip" is definitely a better filename. I have re-added the extraction of the filename from content-disposition. I also fixed a bug I had introduced with the content filter. Let me know if you have any other concerns. Thanks!