From 7fa453a3b77f472b24bafac438a6add09bab51b5 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Fri, 24 May 2024 22:27:51 -0700
Subject: [PATCH] Fix Open Redirect meta refresh regex for when `url=` is not quoted (closes #74).
---
 lib/ronin/vulns/open_redirect.rb | 6 +--
 spec/open_redirect_spec.rb | 63 ++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 3 deletions(-)
diff --git a/lib/ronin/vulns/open_redirect.rb b/lib/ronin/vulns/open_redirect.rb
index 7c8a3dc..816a083 100644
--- a/lib/ronin/vulns/open_redirect.rb
+++ b/lib/ronin/vulns/open_redirect.rb
@@ -95,9 +95,9 @@ def vulnerable?
 http-equiv\s*=\s*(?: "refresh" | 'refresh' | refresh )\s+
 content\s*=\s*
 (?:
- "\s*\d+\s*;\s*url\s*=\s*'\s*#{escaped_test_url}\s*'\s*"|
- '\s*\d+\s*;\s*url\s*=\s*"\s*#{escaped_test_url}\s*"\s*'|
- \s*\d+;url=(?: "#{escaped_test_url}" | '#{escaped_test_url}' )
+ "\s*\d+\s*;\s*url\s*=\s*(?: '\s*#{escaped_test_url}\s*' | #{escaped_test_url} )\s*"|
+ '\s*\d+\s*;\s*url\s*=\s*(?: "\s*#{escaped_test_url}\s*" | #{escaped_test_url} )\s*'|
+ \s*\d+;url=(?: "#{escaped_test_url}" | '#{escaped_test_url}' | #{escaped_test_url} )
 )\s*
 (?:/\s*)?>
 }xi
diff --git a/spec/open_redirect_spec.rb b/spec/open_redirect_spec.rb
index bb672c6..2d39014 100644
--- a/spec/open_redirect_spec.rb
+++ b/spec/open_redirect_spec.rb
@@ -437,6 +437,27 @@ expect(subject.vulnerable?).to be_truthy end end + + context "and the url value is not quoted" do + let(:response_body) do + <<~HTML + + + + + +
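Review bot: All three rewritten `url=` alternatives still anchor the refresh delay on `\d+` and the separator on a literal `;`, so a meta refresh written as `content="0.5;url=…"` or with `,` as the separator — both of which, as I read the HTML spec's refresh-parsing steps, browsers follow — is not reported, a false negative for the scanner rather than a false positive. Since this commit already touches each branch, widening the delay to `\d+(?:\.\d+)?` and the separator to `[;,]` at the same time would close that gap, e.g. for the first branch `"\s*\d+(?:\.\d+)?\s*[;,]\s*url\s*=\s*(?: '\s*#{escaped_test_url}\s*' | #{escaped_test_url} )\s*"|` and likewise for the other two. The unquoted-value alternatives themselves look correctly bounded: in the first two branches by the enclosing content quote, and in the third by the `\s*(?:/\s*)?>` tail after the group. The `%r{…}xi` literal and the `vulnerable?` method that builds it begin and end outside the hunk.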

example content

+

included content

+

more content

+ + + HTML + end + + it "must return true" do + expect(subject.vulnerable?).to be_truthy + end + end end context "when the content attribute is double quoted" do @@ -460,6 +481,27 @@ expect(subject.vulnerable?).to be_truthy end end + + context "and the url value is not quoted" do + let(:response_body) do + <<~HTML + + + + + +

example content

+

included content

+

more content

+ + + HTML + end + + it "must return true" do + expect(subject.vulnerable?).to be_truthy + end + end end context "when the content attribute is not quoted" do @@ -504,6 +546,27 @@ expect(subject.vulnerable?).to be_truthy end end + + context "and the url value is not quoted" do + let(:response_body) do + <<~HTML + + + + + +

example content

+

included content

+

more content

+ + + HTML + end + + it "must return true" do + expect(subject.vulnerable?).to be_truthy + end + end end context "when there is a space after the content attribute name" do