Nmap Development mailing list archives
RE: [NSE] NSE HTTP library
From: "Thomas Buchanan" <TBuchanan () thecompassgrp net>
Date: Thu, 31 Jan 2008 09:58:44 -0600
-----Original Message----- From: Sven Klemm [mailto:sven () c3d2 de] Sent: Thursday, January 31, 2008 9:43 AM To: Fyodor Cc: nmap-dev () insecure org; Thomas Buchanan Subject: Re: [NSE] NSE HTTP library Fyodor wrote:My only lingering concern is the issue of multiple header fields of the same name. Sven had a pretty convincing rationale for using the comma separated list as described in the HTTP 1.1 RFC at http://tools.ietf.org/html/rfc2616#section-4.2 . While parsing the WWW-Authenticate fields returned by IIS may be harder using the comma-separated list approach, I worry that putting in our hack just for that may lead to other problems if/when we find behavior which depends on the CSL handling. Maybe we can just make the HTTP Auth script a bit smarter with its parsing--even if that means special casing some auth typekeywords andthe like. Or am I missing a good reason for dumping the CSL behavior?You are right. As some servers might send the header comma-separated the script would have to handle both situations to work under all circumstances. I changed the code to separate them by comma again. I've also adjusted the HTTP Auth script to handle this. I adjusted the header handling so that multiline headers are now properly handled. Earlier versions ignored those lines. You can now also set arbitrary headers for the http.get() function e.g.: http.get(host, port, '/', {header={Authorization="Basic YWRtaW46C"}}) This way you can also overwrite the User-Agent or the Host used in the GET request. Cheers, Sven
Sounds good to me. I'll try and get some testing on your changes in the next day or so, but one thing I noticed in your patch is that the get_url() function in http.lua doesn't pass the options variable along to get(). I've got some other ideas on how to improve the HTTP Auth script that I hope to get implemented in the near future, but this looks like a step in the right direction. Thomas _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Re: [NSE] NSE HTTP library, (continued)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 17)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 18)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 18)
- RE: [NSE] NSE HTTP library Thomas Buchanan (Jan 18)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 18)
- Re: [NSE] NSE HTTP library Thomas Buchanan (Jan 19)
- RE: [NSE] NSE HTTP library Thomas Buchanan (Jan 19)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 20)
- Re: [NSE] NSE HTTP library Fyodor (Jan 31)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 31)
- RE: [NSE] NSE HTTP library Thomas Buchanan (Jan 31)
- Re: [NSE] NSE HTTP library Kris Katterjohn (Jan 31)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 31)
- Re: [NSE] NSE HTTP library Fyodor (Jan 31)
- Re: [NSE] NSE HTTP library Kris Katterjohn (Jan 31)
- Re: [NSE] NSE HTTP library Sven Klemm (Feb 01)
- Re: [NSE] NSE HTTP library Fyodor (Feb 01)
- Re: [NSE] NSE HTTP library Sven Klemm (Jan 17)