Nmap Development mailing list archives
Re: parsing of script-args is broken
From: Patrick Donnelly <batrick () batbytes com>
Date: Fri, 1 May 2009 06:02:02 -0600
Hi David,

On Thu, Apr 30, 2009 at 6:16 PM, David Fifield <david () bamsoftware com> wrote:
> On Mon, Apr 27, 2009 at 04:38:20PM -0600, Patrick Donnelly wrote:
>> On Mon, Apr 27, 2009 at 7:53 AM, jah <jah () zadkiel plus com> wrote:
>>> This patch looks good to me. Do you think we should allow lists too:
>>> vhost={domain.co.uk,domain.com}?
>>>
>>> Your patch will pass that example to loadstring() as:
>>> ["vhost"]={domain.co.uk,domain.com}
>>> whereas it is intended as:
>>> ["vhost"]={"domain.co.uk", "domain.com"}
>>>
>>> Supplying the arguments with quoted list-members works fine by the way:
>>> --script-args vhost={'domain.co.uk','domain.com'}
>>> => ["vhost"]={'domain.co.uk','domain.com'}
>>>
>>> A list seems to me to be a reasonable thing to be able to supply to a
>>> script and with this patch, the user will have to quote the list items
>>> themselves, which isn't very intuitive given that we can quote key/value
>>> pairs on their behalf.
>>
>> I don't think arrays were originally intended but I have updated the patch
>> to allow this. Correctly implementing this with Lua's limited regular
>> expressions can be tricky to get correct so if you find any more bugs (or
>> have suggestions) let us know.
>
> This patch looks fine to me too. Check it in, just please be sure to give
> examples of any new syntax in scripting.xml. (Something like the
> "domain.co.uk" above is fine.)

I'm not yet convinced this patch is ready to be merged. Because we eventually have Lua compile these rules so we can obtain the argument table, strings are thus subject to escape sequences. I believe this may be a bad "gotcha" in the future; I would like to remove the possibility for future problems. What should happen if the user passes these arguments:

--script-args "script-tag=C:\Nmap\SomeFile"

This won't do what is expected. We get the table:

nmap.registry.args = {
  [script-tag] = C:NmapSomeFile
}

I'm fairly certain we can expect files to be used in --script-args sometime in the future. To correct this, we could escape each backslash; however, this would also limit adding arbitrary byte sequences (without the help of something like the UNIX command echo). What do you guys think the policy should be?

Also, neither patch works with illegal characters (e.g. commas) in quoted values:

--script-args "smbpass=\"P455,0rd\""

will error for both patches. I had thought this was right but it does not work. This patch does need some more development.

What are your guys' thoughts on the appropriate policy for the above problems?

--
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely ford that see the shallows."
- Benjamin Franklin

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
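
The two problems raised in the message above (backslashes interpreted as Lua escapes, and commas inside quoted values) can be reproduced with the following added example, which is not Nmap's code or either patch from the thread. The names `split_args`, `parse`, `naive` and `literal` are hypothetical, and `string.format("%q", ...)` stands in for the "escape each backslash" policy the message mentions as one option.

```lua
-- Added example, not Nmap's code: build a Lua table constructor from
-- --script-args text and compile it, as the thread describes.
local compile = loadstring or load -- loadstring in Lua 5.1, load in 5.2+

-- Hypothetical helper: split on commas that are outside double quotes.
local function split_args(s)
  local parts, buf, quoted = {}, {}, false
  for c in s:gmatch(".") do
    if c == '"' then
      quoted = not quoted
    elseif c == "," and not quoted then
      parts[#parts + 1] = table.concat(buf)
      buf = {}
    else
      buf[#buf + 1] = c
    end
  end
  parts[#parts + 1] = table.concat(buf)
  return parts
end

-- quote: turns a raw key or value into Lua string-literal source text.
local function parse(s, quote)
  local fields = {}
  for _, pair in ipairs(split_args(s)) do
    local k, v = pair:match("^([^=]+)=(.*)$")
    if not k then return nil, "bad pair: " .. pair end
    fields[#fields + 1] = "[" .. quote(k) .. "]=" .. quote(v)
  end
  local chunk, err = compile("return {" .. table.concat(fields, ",") .. "}")
  if not chunk then return nil, err end
  return chunk()
end

local function naive(v) return '"' .. v .. '"' end -- backslashes stay live escapes
local function literal(v) return string.format("%q", v) end -- backslashes escaped

-- Constructed input combining both cases raised in the message above.
local input = [[script-tag=C:\Nmap\SomeFile,smbpass="P455,0rd"]]

for _, case in ipairs({ { "naive", naive }, { "literal", literal } }) do
  local t, err = parse(input, case[2])
  if t then
    print(case[1], t["script-tag"], t["smbpass"])
  else
    print(case[1], "compile error: " .. err)
  end
end
```

Under Lua 5.1 the naive quoting silently drops the backslashes, as the message reports; Lua 5.2 and later reject `\N` as an invalid escape sequence, so the naive case reports a compile error there instead. The quoted-value handling here does not cover escaped quotes inside a value.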