Nmap Development mailing list archives

Re: [NSE] Tweaks for buildCookies() in nselib/http.lua
From: George Chatzisofroniou <sophron () latthi com>
Date: Sun, 11 Aug 2013 02:11:40 +0300

Hi nnposter,

On Sat, Aug 10, 2013 at 09:19:25PM +0000, nnposter () users sourceforge net wrote:
> The following patch modifies interpretation of the cookie path in
> nselib/http.lua to make it more compliant with RFC 6265, Section 5.1.4.
> The current behavior is problematic in the following situations:
>
> * LUA regular expression meta-characters can get accidentally
>   interpreted, as opposed to being matched literally. False-positive
>   - cookie path: "/foo"
>   - request path: "/fo.html"
> * The matching is done against any location within a path, as opposed
>   to just the beginning. False-positive match:
>   - cookie path: "/bar"
>   - request path: "/foo/bar/baz"
>
> * The match end is not forced to be on a subdirectory boundary.
>   False-positive match:
>   - cookie path: "/foo"
>   - request path: "/foobar"

These changes look right. They were committed as revision 31735.

> In addition the patch allows use of path-less cookies. The assumption
> is that if a cookie does not have any path then the script wants them
> to be used. (If the original intent of the library has been the exact
> opposite, i.e. turning them into NOOPs, then it is trivial to adjust the
> "if" condition in the patch accordingly.)

Correct me if I'm wrong but I don't think there is a reason for turning them
into NOOPs. I believe that *only* the 'name' and 'value' fields should be
required. I modified the documentation accordingly.

> The following patch trivially modifies the cookie header assembling
> logic to make it more compliant with RFC 6265, Section 4.2.1, which
> does not allow the trailing semicolon.

This also looks right. Applied as revision 31736.


George Chatzisofroniou
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
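
The path-match rule from RFC 6265, Section 5.1.4 that this thread discusses, written out as an added example; it is not part of the original message and is not the code in nselib/http.lua. `naive_match` is a constructed stand-in for the behaviour the quoted text calls problematic, both function names are hypothetical, and the "/a.c" sample is constructed to show a Lua pattern meta-character being interpreted.

```lua
-- Added example (assumption-labelled); not the implementation in nselib/http.lua.

-- Constructed stand-in for the problematic behaviour: the cookie path is
-- used as an unanchored Lua pattern against the request path.
local function naive_match(cookie_path, request_path)
  return string.find(request_path, cookie_path) ~= nil
end

-- Path-match per RFC 6265, Section 5.1.4 (hypothetical function name).
local function rfc6265_path_match(cookie_path, request_path)
  -- Path-less cookie: treated as usable, as the quoted message proposes.
  if cookie_path == nil or cookie_path == "" then return true end
  -- Identical paths always match.
  if cookie_path == request_path then return true end
  -- Literal prefix comparison anchored at the start; no pattern matching.
  if request_path:sub(1, #cookie_path) ~= cookie_path then return false end
  -- The prefix must end on a "/" boundary: either the cookie path itself
  -- ends in "/", or the next character of the request path is "/".
  if cookie_path:sub(-1) == "/" then return true end
  return request_path:sub(#cookie_path + 1, #cookie_path + 1) == "/"
end

local cases = {
  { cookie = "/a.c",  request = "/abc/index.html" }, -- constructed: "." as meta-character
  { cookie = "/bar",  request = "/foo/bar/baz" },    -- match not anchored at the start
  { cookie = "/foo",  request = "/foobar" },         -- no subdirectory boundary
  { cookie = "/foo",  request = "/foo/bar" },        -- legitimate match
  { cookie = "/foo/", request = "/foo/bar" },        -- legitimate match
  { cookie = nil,     request = "/anything" },       -- path-less cookie
}

for _, c in ipairs(cases) do
  -- The naive matcher cannot take a nil pattern, so it is skipped there.
  local naive = c.cookie and tostring(naive_match(c.cookie, c.request)) or "n/a"
  print(string.format("cookie=%-8s request=%-18s naive=%-5s rfc6265=%s",
    tostring(c.cookie), c.request, naive,
    tostring(rfc6265_path_match(c.cookie, c.request))))
end
```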