Describe the bug
In owtf/shell/base.py, shell_exec_monitor() decodes subprocess output as UTF-8 with no error handling:
# lines 196–205
logging.info(line.decode("utf-8").strip())
output += line.decode("utf-8")
# ...
logging.warn(out.decode("utf-8"))
output += out.decode("utf-8")
Security tools (nmap, sqlmap, nikto, etc.) routinely emit binary sequences, Latin-1 encoded strings, and other non-UTF-8 bytes in their output. Any such byte sequence causes an unhandled UnicodeDecodeError that propagates up through the plugin runner, silently terminating the plugin without saving captured output.
Root Cause
bytes.decode("utf-8") raises UnicodeDecodeError on invalid byte sequences. The errors= parameter is not specified, so it defaults to 'strict'.
Expected behavior
Decoding should use errors='replace' (substitutes U+FFFD for invalid bytes) so that plugin output is always captured even when tools emit non-UTF-8 data:
line.decode("utf-8", errors="replace")
Impact
Plugin execution silently fails on any tool that produces binary or mixed-encoding output. No error is surfaced to the user and no output is saved.
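Added example (not OWTF's code) showing the failure mode and the fix side by side: a constructed byte stream mixing UTF-8, a Latin-1 byte and raw binary is fed through a monitor loop modelled on the `shell_exec_monitor()` pattern quoted above. `decode_strict` reproduces the `UnicodeDecodeError`; `decode_lossy` is the `errors="replace"` fix proposed here; `decode_roundtrippable` uses `errors="surrogateescape"` as an alternative when the original bytes must be recoverable. All function names, `SAMPLE_OUTPUT` and the child-process demo are assumptions made for this example.

```python
import io
import logging
import subprocess
import sys

# Constructed sample (not real tool output): one clean UTF-8 line, one line with a
# Latin-1 byte (0xE9 = "e-acute"), and one line with raw binary bytes.
SAMPLE_OUTPUT = (
    b"Nmap scan report for 10.0.0.1\n"
    b"Service banner: caf\xe9 (latin-1)\n"
    b"\x00\xff\xfe\x80 binary junk\n"
)


def decode_strict(chunk: bytes) -> str:
    # Equivalent to the quoted code: errors defaults to "strict" and raises on 0xE9.
    return chunk.decode("utf-8")


def decode_lossy(chunk: bytes) -> str:
    # Proposed fix: every undecodable byte becomes U+FFFD; never raises.
    return chunk.decode("utf-8", errors="replace")


def decode_roundtrippable(chunk: bytes) -> str:
    # Alternative: undecodable bytes map to lone surrogates U+DC80..U+DCFF, so the
    # exact original bytes can be recovered with text.encode("utf-8", "surrogateescape").
    return chunk.decode("utf-8", errors="surrogateescape")


def strict_fails(chunk: bytes) -> bool:
    # True if strict decoding of chunk raises UnicodeDecodeError.
    try:
        decode_strict(chunk)
    except UnicodeDecodeError:
        return True
    return False


def monitor_lines(stream, decoder=decode_lossy) -> str:
    # Hypothetical monitor loop (assumption): read a binary stream line by line,
    # log each line and accumulate the decoded text, as shell_exec_monitor() does.
    output = ""
    for line in iter(stream.readline, b""):
        text = decoder(line)
        logging.info(text.rstrip("\n"))
        output += text
    return output


def run_monitor_demo(decoder=decode_lossy) -> str:
    # Spawn a child that writes SAMPLE_OUTPUT to its stdout so the loop reads a real pipe.
    child_code = "import sys; sys.stdout.buffer.write(%r)" % SAMPLE_OUTPUT
    proc = subprocess.Popen(
        [sys.executable, "-c", child_code],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
    )
    try:
        return monitor_lines(proc.stdout, decoder)
    finally:
        proc.wait()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("strict decoding raises:", strict_fails(SAMPLE_OUTPUT))
    captured = run_monitor_demo(decode_lossy)
    print("captured %d lines, %d replacement chars"
          % (captured.count("\n"), captured.count("\ufffd")))
```

`errors="replace"` is the right default for a plugin runner, since losing a few bytes of a banner is preferable to losing the whole plugin's output. When the captured output is itself evidence (for example a binary response body you may want to re-parse later), `surrogateescape` keeps the bytes recoverable while still never raising; the cost is that such strings cannot be written to a strict UTF-8 sink without re-encoding them the same way.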