Nmap Development mailing list archives

Re: parsing of script-args is broken


From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 1 May 2009 06:02:02 -0600

Hi David,

On Thu, Apr 30, 2009 at 6:16 PM, David Fifield <david () bamsoftware com> wrote:
> On Mon, Apr 27, 2009 at 04:38:20PM -0600, Patrick Donnelly wrote:
> > On Mon, Apr 27, 2009 at 7:53 AM, jah <jah () zadkiel plus com> wrote:
> > > This patch looks good to me.  Do you think we should allow lists too:
> > > vhost={domain.co.uk,domain.com}?
> > > Your patch will pass that example to loadstring() as:
> > > ["vhost"]={domain.co.uk,domain.com}
> > > whereas it is intended as:
> > > ["vhost"]={"domain.co.uk", "domain.com"}
> > > supplying the arguments with quoted list-members works fine by the way:
> > > --script-args vhost={'domain.co.uk','domain.com'}
> > > => ["vhost"]={'domain.co.uk','domain.com'}
> > >
> > > A list seems to me to be a reasonable thing to be able to supply to a
> > > script and with this patch, the user will have to quote the list items
> > > themselves which isn't very intuitive given that we can quote key/value
> > > pairs on their behalf.
> >
> > I don't think arrays were originally intended but I have updated the
> > patch to allow this. Correctly implementing this with Lua's limited
> > regular expressions can be tricky to get right, so if you find any
> > more bugs (or have suggestions) let us know.
>
> This patch looks fine to me too. Check it in, just please be sure to
> give examples of any new syntax in scripting.xml. (Something like the
> "domain.co.uk" above is fine.)

I'm not yet convinced this patch is ready to be merged. Because we
eventually have Lua compile these rules so we can obtain the argument
table, strings are thus subject to escape sequences. I believe this
may be a bad "gotcha" in the future; I would like to remove the
possibility for future problems. What should happen if the user passes
these arguments:

--script-args "script-tag=C:\Nmap\SomeFile"

This won't do what is expected. We get the table:

nmap.registry.args = {
        [script-tag] = C:NmapSomeFile
}


I'm fairly certain we can expect files to be used in --script-args
sometime in the future. To correct this, we could escape each
backslash; however, this would also limit adding arbitrary byte
sequences (without the help of something like the UNIX command echo).
What do you guys think the policy should be?

Also, neither patch works with illegal characters (e.g. commas) in
quoted values:

--script-args "smbpass=\"P455,0rd\""

will error for both patches. I had thought this was right but it does
not work. This patch does need some more development.

What are your guys' thoughts on the appropriate policy for the above problems?

-- 
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
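The two failure modes raised in this message (backslashes eaten by Lua's string escapes, and commas inside quoted values) both come from handing the argument string to loadstring(). As an added example that is not Nmap's code and not the patch under discussion, here is a constructed Python parser that tokenizes the --script-args string directly instead: backslashes are ordinary characters, quoted values may contain commas and braces, and brace-delimited lists (including nested ones) become Python lists. The grammar, the function names and the error class are assumptions made for illustration only, not Nmap's actual implementation.

```python
"""Constructed example (not Nmap's code): parse an Nmap-style --script-args
string into a dict without going through loadstring(), so the Lua string
escape rules never apply.

Assumed grammar (an assumption for illustration, not Nmap's real one):
    args  := pair (',' pair)*
    pair  := key '=' value
    value := '"' ... '"' | "'" ... "'" | '{' value (',' value)* '}' | bare
Bare text runs to the next ',' (or '}' inside a list); quoted text may
contain commas and braces; backslashes are ordinary characters everywhere.
"""
import sys


class ScriptArgsError(ValueError):
    """Raised for malformed input instead of silently mis-parsing it."""


def parse_script_args(text):
    """Return {key: str | list} for a --script-args string."""
    pos = 0
    end = len(text)

    def skip_ws():
        nonlocal pos
        while pos < end and text[pos] in " \t":
            pos += 1

    def parse_bare(stop):
        # Unquoted run up to a delimiter; no escape processing at all,
        # so C:\Nmap\SomeFile survives with both backslashes intact.
        nonlocal pos
        start = pos
        while pos < end and text[pos] not in stop:
            pos += 1
        return text[start:pos].strip()

    def parse_quoted():
        # Everything up to the matching quote, including commas and braces.
        nonlocal pos
        quote = text[pos]
        pos += 1
        start = pos
        while pos < end and text[pos] != quote:
            pos += 1
        if pos >= end:
            raise ScriptArgsError("unterminated quote at offset %d" % start)
        value = text[start:pos]
        pos += 1  # consume the closing quote
        return value

    def parse_list():
        # Called just after '{'; returns the items as a Python list.
        nonlocal pos
        items = []
        skip_ws()
        if pos < end and text[pos] == "}":
            pos += 1
            return items
        while True:
            items.append(parse_value(",}"))
            skip_ws()
            if pos >= end:
                raise ScriptArgsError("unterminated list")
            if text[pos] == ",":
                pos += 1
                continue
            if text[pos] == "}":
                pos += 1
                return items
            raise ScriptArgsError("unexpected %r at offset %d" % (text[pos], pos))

    def parse_value(stop):
        nonlocal pos
        skip_ws()
        if pos < end and text[pos] in "\"'":
            return parse_quoted()
        if pos < end and text[pos] == "{":
            pos += 1
            return parse_list()
        return parse_bare(stop)

    result = {}
    skip_ws()
    while pos < end:
        key = parse_bare("=,")
        if not key or pos >= end or text[pos] != "=":
            raise ScriptArgsError("expected key=value at offset %d" % pos)
        pos += 1  # consume '='
        result[key] = parse_value(",")
        skip_ws()
        if pos < end:
            if text[pos] != ",":
                raise ScriptArgsError("unexpected %r at offset %d" % (text[pos], pos))
            pos += 1
            skip_ws()
    return result


def is_malformed(text):
    """True when the parser rejects the input (shows the error path)."""
    try:
        parse_script_args(text)
    except ScriptArgsError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample covering the cases raised in the thread.
    sample = sys.argv[1] if len(sys.argv) > 1 else \
        'script-tag=C:\\Nmap\\SomeFile,smbpass="P455,0rd",vhost={domain.co.uk,domain.com}'
    print(parse_script_args(sample))
```

Because the parser never evaluates the string as Lua, the arbitrary-byte concern goes away as well: whatever bytes the shell hands over end up verbatim in the value, and the only characters with special meaning are the two quote characters, the braces, the comma and the equals sign, which a user can always put inside a quoted value.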
