Nmap Development mailing list archives

Re: error semantics of faulty dependencies
From: David Fifield <david () bamsoftware com>
Date: Thu, 3 Feb 2011 12:20:10 -0800

On Thu, Feb 03, 2011 at 02:14:50PM -0500, Patrick Donnelly wrote:
> On Thu, Feb 3, 2011 at 12:23 PM, Ron <ron () skullsecurity net> wrote:
> > On Mon, 31 Jan 2011 02:31:20 -0800 David Fifield <david () bamsoftware com> wrote:
> > > On Thu, Jan 27, 2011 at 04:38:54PM +0200, Toni Ruottu wrote:
> > > > We just had a case on nmap-dev where a programmer accidentally
> > > > stated dependencies = {"script-name.nse"}
> > > > which is wrong. The correct way is to leave out the file extension.
> > > > So dependencies = {"script-name"}
> > > > would have been correct.
> > > >
> > > > I have done the same error myself, and I can tell you it is really
> > > > hard to debug. Could nmap be modified to include some sort of check
> > > > that would catch these errors and give a clear error message when
> > > > run with debugging flags?
> > >
> > > I think we could either 1) show a warning when a dependency ends in
> > > ".nse", or 2) allow dependencies to end in ".nse". If someone has a
> > > patch for either one I'll apply it.
> > >
> > > David Fifield
> >
> > I think an even better option is to print a warning (or halt with an error) if a dependency doesn't exist.
>
> This was part of the initial design for dependencies [1]. We
> eventually decided to not have strong dependencies because of
> questionable usefulness.
>
> [1] http://seclists.org/nmap-dev/2009/q4/295

I think what Ron is suggesting is something different. The proposal for
strong dependencies would either have implicitly selected (existing)
scripts, or refused to run unless they were manually selected. What Ron
is saying, on the other hand, is that NSE should check that a dependency
exists (in script.db or otherwise), just as a guard against typos, but
still allow you to run dependent scripts without their dependencies.

I can summarize it thus:
Strong dependencies: dependencies must exist and be run.
Ron: dependencies must exist, whether or not they are run.
Current situation: dependencies need not exist nor be run.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
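
The three semantics summarized in the message above, as an added example in standalone Lua; it is not code from Nmap or from anyone in the thread. The function name, the mode names and the sample script names are assumptions, and "strong" here models only the variant that refuses to run when a dependency is not selected.

```lua
-- Added illustration; not code from Nmap's NSE implementation.
-- scripts:  map of script name -> list of dependency names
-- known:    set of script names that exist (for example, as listed in script.db)
-- selected: set of script names chosen for this run
-- mode:     "current", "exists" (Ron's proposal) or "strong" (hypothetical names)
local function check_dependencies(scripts, known, selected, mode)
  local problems = {}
  if mode == "current" then
    return problems -- dependencies need not exist nor be run
  end
  -- Visit selected scripts in sorted order so the report is deterministic.
  local names = {}
  for name in pairs(scripts) do
    if selected[name] then names[#names + 1] = name end
  end
  table.sort(names)
  for _, name in ipairs(names) do
    for _, dep in ipairs(scripts[name]) do
      if not known[dep] then
        local msg = ("%s: dependency '%s' does not exist"):format(name, dep)
        -- Typo guard: point at the extension-less name when that one exists.
        local stem = dep:match("^(.*)%.nse$")
        if stem and known[stem] then
          msg = msg .. (" (did you mean '%s'?)"):format(stem)
        end
        problems[#problems + 1] = msg
      elseif mode == "strong" and not selected[dep] then
        problems[#problems + 1] =
          ("%s: dependency '%s' exists but is not selected"):format(name, dep)
      end
    end
  end
  return problems
end

-- Constructed sample data; the script names are placeholders.
local known = { ["script-name"] = true, ["script-a"] = true, ["script-b"] = true }
local scripts = {
  ["script-a"] = { "script-name.nse" }, -- the mistake described in the thread
  ["script-b"] = { "script-name" },     -- the correct form
}
local selected = { ["script-a"] = true, ["script-b"] = true }

for _, mode in ipairs({ "current", "exists", "strong" }) do
  print(mode .. ":")
  for _, p in ipairs(check_dependencies(scripts, known, selected, mode)) do
    print("  " .. p)
  end
end
```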
