Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: parsing of script-args is broken
From: Patrick Donnelly <batrick () batbytes com>
Date: Sun, 10 May 2009 07:23:17 -0600

On Fri, May 1, 2009 at 6:02 AM, Patrick Donnelly <batrick () batbytes com> wrote:
Hi David,

On Thu, Apr 30, 2009 at 6:16 PM, David Fifield <david () bamsoftware com> wrote:
On Mon, Apr 27, 2009 at 04:38:20PM -0600, Patrick Donnelly wrote:
On Mon, Apr 27, 2009 at 7:53 AM, jah <jah () zadkiel plus com> wrote:
This patch looks good to me.  Do you think we should allow lists too:
Your patch will pass that example to loadstring() as:
whereas it is intented as:
["vhost"]={"domain.co.uk", "domain.com"}
supplying the arguments with quoted list-members works fine by the way:
--script-args vhost={'domain.co.uk','domain.com'}
=> ["vhost"]={'domain.co.uk','domain.com'}

A list seems to me to be a reasonable thing to be able to supply to a
script and with this patch, the user will have to quote the list items
themselves which isn't very intuitive given that we can quote key/value
pairs on their behalf.

I don't think array were originally intended but I have updated the
patch to allow this. Correctly implementing this with Lua's limited
regular expressions can be tricky to get correct so if you find any
more bugs (or have suggestions) let us know.

This patch looks fine to me too. Check it in, just please be sure to
give examples of any new syntax in scripting.xml. (Something like the
"domain.co.uk" above is fine.)

I'm not yet convinced this patch is ready to be merged. Because we
eventually have Lua compile these rules so we can obtain the argument
table, strings are thus subject to escape sequences. I believe this
may be a bad "gotcha" in the future; I would like to remove the
possibility for future problems. What should happen if the user passes
these arguments:

--script-args "script-tag=C:\Nmap\SomeFile"

This won't do what is expected. We get the table:

nmap.registry.args = {
       [script-tag] = C:NmapSomeFile

I'm fairly certain we can expect files to be used in --script-args
sometime in the future. To correct this, we could escape each
backslash; however, this would also limit adding arbitrary byte
sequences (without the help of something like the UNIX command echo).
What do you guys think the policy should be?

Also, neither patch works with illegal characters (e.g. commas) in
quoted values:

--script-args "smbpass=\"P455,0rd\""

will error for both patches. I had though this was right but it does
not work. This patch does need some more development.

What are your guys' thoughts on the appropriate policy for the above problems?

Ok I've taken another attempt at getting this correct. This patch is
unfortunately much larger than previously. Alas, Lua's pattern
matching facilities are far too weak to come up with an appropriate
grammar. I have created a semi-complex state machine to work instead.

Here are the rules for --script-args definitively:

--script-args <string>

<string> may contain a sequence of key=value pairs and array entries
separated by commas. All whitespace except where noted below is

A key, value, or array value may be a sequence of characters except
'{', '}', ',', '=', and all space characters. You may overcome this
restriction by using quotes (single or double) to allow all characters
within the quotation marks. You may also use the quote delimiter
inside the sequence so long as it is escaped by a backslash.

A value is allowed to be a nested table delimited by '{' and '}'.

A string (for a key, value, or array value) may have arbitrary byte
sequences using "\ddd" where ddd is a decimal number up to 255
signifying its corresponding byte. You may avoid this translation by
escaping the backslash with another (e.g. \\123).

-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

Attachment: sargs3.patch

Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]