Nmap Development mailing list archives

Re: [nmap-svn] r36162 - nmap/nselib/data


From: Daniel Miller <bonsaiviking () gmail com>
Date: Mon, 22 Aug 2016 14:26:53 -0500

On Mon, Aug 22, 2016 at 12:33 PM, nnposter <nnposter () users sourceforge net>
wrote:


> > The other option you mentioned directly to me was: local _, openssl =
> > pcall(require, "openssl"); This option should not be used, since "_" is
> > considered a throwaway variable name; it could easily be overwritten,
> > and code that tests it doesn't make sense. So it would open us up to
> > crashes when someone writes unconditional code that tries to index the
> > nonexistent openssl library.
>
> I do not believe that my example...
>
>     local _, openssl = pcall(require, 'openssl')
>     ...
>     if openssl and openssl.md5 then
>
> ...had any dependency on "_", namely there was no explicit or implicit
> "code that tests it", so I am not quite sure that I understand your point.
>
> To satisfy my curiosity, could you please point out what specifically
> would be wrong with the example? (To make it clear, I am not opposed to
> option #3; I have used it in the original commit after all. I am just
> trying to understand the pitfalls with option #4.)


Sure. Since any of these will work if openssl is present, we'll ignore that
case. If it is *not* present, pcall will hide any error, instead returning
false and an error message, so that _ is false and openssl is a string. The
code will happily cruise along, executing requests or otherwise using
resources until it reaches a line containing openssl.somefunction(), at
which it will give the error "attempt to call a nil value (field
'somefunction')".

Our intention in writing the script should either be to fail early and
produce no output, or to skip some portion of execution and produce some
usable output. If the first is what we want, stdnse.silent_require fits the
bill. If the second, we need some way to know whether openssl is actually
present. Beyond just good identifier naming practices, we should
specifically avoid the single underscore variable name, because there is a
convention in Lua that that variable name may be used in any code as a
throwaway. So you get things like:

    for _, item in ipairs(list_of_items) do end

when the index of the item does not matter. Within that loop's scope, you
cannot meaningfully test _ to determine if you have openssl or not. Even
worse, it can be used other places like discarding the position after an
unpack operation:

    local _, value = bin.unpack("I", data)

So from this point forward, _ contains some number, not a boolean value
related to the presence of openssl.

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
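
The behaviour discussed in this thread, as an added example that is not part of the original e-mails or of Nmap's code: it runs both ways of capturing the `pcall(require, ...)` status with the library absent and prints what each variable holds afterwards. `MISSING`, `unpack_pair` and `have_openssl` are hypothetical names, and the module name is constructed so the failure path always runs.

```lua
-- Added example: plain Lua 5.x, no Nmap libraries required.
-- MISSING is a constructed module name, so the "library absent" path always runs.
local MISSING = "openssl_not_installed_example"

-- Hypothetical stand-in for a helper that returns (position, value),
-- the shape of the bin.unpack call quoted in the thread.
local function unpack_pair(data)
  return 2, data:byte(1)
end

-- Status captured in the throwaway name "_".
local function throwaway_pattern()
  local _, openssl = pcall(require, MISSING)
  local status_type, lib_type = type(_), type(openssl)
  -- Guarded use: evaluate the condition from the thread under pcall so the
  -- outcome is reported instead of assumed.
  local guard_ok, guard = pcall(function() return openssl and openssl.md5 end)
  -- Unguarded use: the failure only surfaces when this line is reached.
  local call_ok, call_err = pcall(function() return openssl.md5("x") end)
  -- A later, unrelated throwaway redeclares "_" for the rest of the scope.
  local _, value = unpack_pair("A")
  return {
    status_type = status_type, lib_type = lib_type,
    guard_ok = guard_ok, guard = guard,
    call_ok = call_ok, call_err = call_err,
    underscore_after = type(_), value = value,
  }
end

-- Status captured in a descriptive name (have_openssl is a hypothetical name)
-- that later throwaway assignments will not touch.
local function named_pattern(data)
  local have_openssl, openssl = pcall(require, MISSING)
  if not have_openssl then
    return nil, "openssl unavailable, digest step skipped"
  end
  return openssl.md5(data)
end

local r = throwaway_pattern()
print("type of _ after pcall:    ", r.status_type)
print("type of openssl variable: ", r.lib_type)
print("guard evaluated cleanly:  ", r.guard_ok, "guard value:", tostring(r.guard))
print("unguarded call succeeded: ", r.call_ok)
print("unguarded call error:     ", r.call_err)
print("type of _ after reuse:    ", r.underscore_after)
print("named pattern result:     ", named_pattern("x"))
```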