Add cookie management to HttpClient and improve standards compliance (Content-Type and PRG pattern)

[wvu]

Superseded by #14831

Synopsis

Set opts['keep_cookies'] in send_request_cgi(!) to keep cookies from HTTP responses for reuse in HTTP requests.

Usage

This is an example from #14126:

res = send_request_cgi!({
  'method' => 'POST',
  'uri' => normalize_uri(target_uri.path, '/owa/auth.owa'),
  'vars_post' => {
    'username' => username,
    'password' => password,
    'flags' => '',
    'destination' => full_uri('/owa/', vhost_uri: true)
  },
  'keep_cookies' => true
}, datastore['HttpClientTimeout'], 2) # timeout and redirect_depth

Subsequent send_request_cgi(!) calls will use the cookies in the "cookie jar."

Reviewing

The abridged diff might be useful.

Testing

You may test against #14126.

References

Required by #14126. Fixes #12281, #12510, and #12916. See also: #13092.

[wvu]

Jenkins, test this, please.

[smcintyre-r7]

I noticed in commit a946bdb you added a datastore option to configure whether or not cookies are kept. I'm concerned that a user may change that setting to a value that the module author hasn't accounted for and thus break the module. It seems like logic would need to be used to handle this setting and thus it should be left up to the module author.

Is there a particular use case you have in mind where that should be left up to the user?

[wvu]

That's fair. I was thinking of removing HttpPartialResponses, too. I'm not sure either of these options are good for the user to see, since they're mostly for the module dev.

[wvu]

Feels good to remove them! You're right, you can trust users to break things. (:

[wvu]

Jenkins, test this, please. Again.

[smcintyre-r7]

I tested this in conjunction with the Exchange ECP DLP exploit (CVE-2020-16875 / PR #14126). Everything is working as intended and my comments have been addressed so I'm going to merge this in. Thanks!

[wvu]

FWIW, there were no consumers of HttpPartialResponses, so I was okay removing it in this PR. Might make a sensible default in the future, since it's typically expected behavior in modules. Keeping cookies isn't necessarily, though.

[smcintyre-r7]

Release Notes

Updated the HTTP client library that is used by many Metasploit modules to be more compliant across standards in regards to redirection handling. Also added a new feature to more easily manage cookies.

[wvu]

Hope I didn't break master, lol. 🤞

[adfoster-r7]

For future travellers, this implementation was superseded by
#14831