Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE][patch] Fix bugs in http.lua and sslcert.lua
From: Patrik Karlsson <patrik () cqure net>
Date: Fri, 15 Jun 2012 12:08:05 +0200

On Mon, Jun 11, 2012 at 6:19 PM, Daniel Miller <bonsaiviking () gmail com>wrote:

Hey List,

2 more bugs, with patches this time. First, parse_redirect in http.lua
sometimes returns a url table without a path attribute, especially when
parsing headers like this:

Location: http://google.com

The exceptions happened in several different scripts:

 ./nselib/http.lua:952: attempt to concatenate local 'path' (a nil value)
stack traceback:
       ./nselib/http.lua:952: in function 'lookup_cache'
       ./nselib/http.lua:1395: in function 'get'
       ./scripts/http-auth.nse:54: in function
<./scripts/http-auth.nse:49>
       (...tail calls...)
./nselib/http.lua:952: attempt to concatenate local 'path' (a nil value)
stack traceback:
       ./nselib/http.lua:952: in function 'lookup_cache'
       ./nselib/http.lua:1395: in function 'get'
       ./scripts/http-title.nse:51: in function
<./scripts/http-title.nse:47>
       (...tail calls...)
./nselib/http.lua:952: attempt to concatenate local 'path' (a nil value)
stack traceback:
       ./nselib/http.lua:952: in function 'lookup_cache'
       ./nselib/http.lua:1395: in function 'get'
       ./scripts/http-title.nse:51: in function
<./scripts/http-title.nse:47>
       (...tail calls...)


Here is the fix: If u.path is not set, assume the root path ("/")

Index: nselib/http.lua
==============================**==============================**=======
--- nselib/http.lua     (revision 28903)
+++ nselib/http.lua     (working copy)
@@ -1334,6 +1334,9 @@
    u.host, u.port = stdnse.get_hostname(host), port.number
    u.path = ((u.path:sub(1,1) == "/" and "" ) or "/" ) .. u.path --
ensuring leading slash
  end
+  if ( not(u.path) ) then
+    u.path = "/"
+  end
  if ( u.query ) then
    u.path = ("%s?%s"):format( u.path, u.query )
  end

The other bug was in sslcert.lua, and resulted in this exception:

 ./scripts/ssl-cert.nse:135: attempt to index local 'cert' (a nil value)
stack traceback:
       ./scripts/ssl-cert.nse:135: in function 'parseCertificate'
       ./scripts/ssl-cert.nse:168: in function
<./scripts/ssl-cert.nse:162>
       (...tail calls...)


The cert is returned a few lines earlier from sslcert.getCertificate(),
which is supposed to return a false status on failure. I added a check for
a nil certificate to that function, and returned false in that case:

Index: nselib/sslcert.lua
==============================**==============================**=======
--- nselib/sslcert.lua  (revision 28903)
+++ nselib/sslcert.lua  (working copy)
@@ -200,7 +200,10 @@
               end
    end
    local cert = socket:get_ssl_certificate()
-
+  if cert == nil then
+    return false, "Unable to get cert"
+  end
+
       host.registry["ssl-cert"] = host.registry["ssl-cert"] or {}
       host.registry["ssl-cert"][**port.number] =
host.registry["ssl-cert"][**port.number] or {}
       host.registry["ssl-cert"][**port.number] = cert

This should be the last of my bugfixes for today! Sorry for the flood of
messages.

Dan


______________________________**_________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/**mailman/listinfo/nmap-dev<http://cgi.insecure.org/mailman/listinfo/nmap-dev>
Archived at http://seclists.org/nmap-dev/


Thanks for the fixes!
Commited as r28943.

//Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault