Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] Tweaks for buildCookies() in nselib/http.lua
From: nnposter () users sourceforge net
Date: Sat, 10 Aug 2013 21:19:25 +0000

The following patch modifies interpretation of the cookie path in
nselib/http.lua to make it more compliant with RFC 6265, Section 5.1.4.
The current behavior is problematic in the following situations:

* LUA regular expression meta-characters can get accidentally
  interpreted, as opposed to being matched literally. False-positive
  match:
  - cookie path: "/foo"
  - request path: "/fo.html"
  
* The matching is done against any location within a path, as opposed
  to just the beginning. False-positive match:
  - cookie path: "/bar"
  - request path: "/foo/bar/baz"

* The match end is not forced to be on a subdirectory boundary.
  False-positive match:
  - cookie path: "/foo"
  - request path: "/foobar"

In addition the patch allows use of path-less cookies. The assumption
is that if a cookie does not have any path then the script wants them
to be used. (If the original intent of the library has been the exact
opposite, i.e. turning them into NOOPs, then it is trivial adjust the
"if" condition in the patch accordingly.)


Patch against revision 31721 follows:

--- http.lua.orig       2013-08-10 09:29:55.445500000 -0600
+++ http.lua    2013-08-10 12:42:16.383000000 -0600
@@ -893,7 +893,12 @@
   local cookie = ""
   if type(cookies) == 'string' then return cookies end
   for i, ck in ipairs(cookies or {}) do
-    if not path or string.match(ck["path"],".*" .. path .. ".*") then
+    local ckpath = ck["path"]
+    if not path or not ckpath
+       or ckpath == path
+       or ckpath:sub(-1) == "/" and ckpath == path:sub(1, ckpath:len())
+       or ckpath .. "/" == path:sub(1, ckpath:len()+1)
+       then
       if i ~= 1 then cookie = cookie .. " " end
       cookie = cookie .. ck["name"] .. "=" .. ck["value"] .. ";"
     end


The following patch trivially modifies the cookie header assembling
logic to make it more compliant with RFC 6265, Section 4.2.1, which
does not allow the trailing semicolon.


Patch against revision 31721 (+ the patch above) follows:


--- http.lua    2013-08-10 12:42:16.383000000 -0600
+++ http.lua.new        2013-08-10 12:46:59.304875000 -0600
@@ -892,18 +892,17 @@
 local function buildCookies(cookies, path)
   local cookie = ""
   if type(cookies) == 'string' then return cookies end
-  for i, ck in ipairs(cookies or {}) do
+  for _, ck in ipairs(cookies or {}) do
     local ckpath = ck["path"]
     if not path or not ckpath
        or ckpath == path
        or ckpath:sub(-1) == "/" and ckpath == path:sub(1, ckpath:len())
        or ckpath .. "/" == path:sub(1, ckpath:len()+1)
        then
-      if i ~= 1 then cookie = cookie .. " " end
-      cookie = cookie .. ck["name"] .. "=" .. ck["value"] .. ";"
+      cookie = cookie .. ck["name"] .. "=" .. ck["value"] .. "; "
     end
   end
-  return cookie
+  return cookie:gsub("; $","")
 end
 
 -- HTTP cache.



Cheers,
nnposter
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault