Nmap Development mailing list archives

Re: parsing of script-args is broken


From: Patrick Donnelly <batrick () batbytes com>
Date: Sun, 10 May 2009 07:23:17 -0600

On Fri, May 1, 2009 at 6:02 AM, Patrick Donnelly <batrick () batbytes com> wrote:
Hi David,

On Thu, Apr 30, 2009 at 6:16 PM, David Fifield <david () bamsoftware com> wrote:
On Mon, Apr 27, 2009 at 04:38:20PM -0600, Patrick Donnelly wrote:
On Mon, Apr 27, 2009 at 7:53 AM, jah <jah () zadkiel plus com> wrote:
This patch looks good to me.  Do you think we should allow lists too:
vhost={domain.co.uk,domain.com}?
Your patch will pass that example to loadstring() as:
["vhost"]={domain.co.uk,domain.com}
whereas it is intended as:
["vhost"]={"domain.co.uk", "domain.com"}
supplying the arguments with quoted list-members works fine by the way:
--script-args vhost={'domain.co.uk','domain.com'}
=> ["vhost"]={'domain.co.uk','domain.com'}

A list seems to me to be a reasonable thing to be able to supply to a
script and with this patch, the user will have to quote the list items
themselves which isn't very intuitive given that we can quote key/value
pairs on their behalf.

I don't think arrays were originally intended but I have updated the
patch to allow this. Correctly implementing this with Lua's limited
regular expressions can be tricky to get correct so if you find any
more bugs (or have suggestions) let us know.

This patch looks fine to me too. Check it in, just please be sure to
give examples of any new syntax in scripting.xml. (Something like the
"domain.co.uk" above is fine.)

I'm not yet convinced this patch is ready to be merged. Because we
eventually have Lua compile these rules so we can obtain the argument
table, strings are thus subject to escape sequences. I believe this
may be a bad "gotcha" in the future; I would like to remove the
possibility for future problems. What should happen if the user passes
these arguments:

--script-args "script-tag=C:\Nmap\SomeFile"

This won't do what is expected. We get the table:

nmap.registry.args = {
       [script-tag] = C:NmapSomeFile
}


I'm fairly certain we can expect files to be used in --script-args
sometime in the future. To correct this, we could escape each
backslash; however, this would also limit adding arbitrary byte
sequences (without the help of something like the UNIX command echo).
What do you guys think the policy should be?

Also, neither patch works with illegal characters (e.g. commas) in
quoted values:

--script-args "smbpass=\"P455,0rd\""

will error for both patches. I had thought this was right but it does
not work. This patch does need some more development.

What are your guys' thoughts on the appropriate policy for the above problems?

Ok I've taken another attempt at getting this correct. This patch is
unfortunately much larger than previously. Alas, Lua's pattern
matching facilities are far too weak to come up with an appropriate
grammar. I have created a semi-complex state machine to work instead.

Here are the rules for --script-args definitively:

--script-args <string>

<string> may contain a sequence of key=value pairs and array entries
separated by commas. All whitespace except where noted below is
ignored.

A key, value, or array value may be a sequence of characters except
'{', '}', ',', '=', and all space characters. You may overcome this
restriction by using quotes (single or double) to allow all characters
within the quotation marks. You may also use the quote delimiter
inside the sequence so long as it is escaped by a backslash.

A value is allowed to be a nested table delimited by '{' and '}'.

A string (for a key, value, or array value) may have arbitrary byte
sequences using "\ddd" where ddd is a decimal number up to 255
signifying its corresponding byte. You may avoid this translation by
escaping the backslash with another (e.g. \\123).

-- 
-Patrick Donnelly

"Let all men know thee, but no man know thee thoroughly: Men freely
ford that see the shallows."

- Benjamin Franklin

Attachment: sargs3.patch
Description:
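The rules above are precise enough to implement directly. The following is an added example and is not the attached sargs3.patch nor any Nmap/NSE code: a standalone Python model of that grammar, written as a small recursive-descent parser rather than with Lua patterns, so the cases raised in the thread (a bare-word list, a Windows path with backslashes, a comma inside a quoted value, \ddd byte escapes) can be checked against the rules as stated. Assumptions beyond the message: the result is a plain dict that mirrors a Lua table (keyed entries keep their key, array entries are numbered 1, 2, ...), a nested table is also accepted as a bare array entry, a \ddd byte is represented as the Latin-1 code point chr(ddd), and a backslash that starts no recognised escape is kept literally (the message does not say, and this is what makes C:\Nmap\SomeFile survive). The sample inputs are constructed, with shell quoting already stripped, as nmap would see them.

```python
"""Standalone parser for the --script-args grammar spelled out in the message.

Constructed model of that grammar (not Nmap's NSE code):
  args   := entry (',' entry)*           whitespace outside quotes is ignored
  entry  := key '=' value | value        a bare value becomes an array entry
  value  := string | '{' args '}'        tables nest
  string := unquoted | '...' | "..."     unquoted excludes { } , = and whitespace
  \\ddd  -> byte ddd (decimal, <= 255);  \\\\ -> literal backslash;
  \\q    -> the quote character q inside a q-quoted string
Output mirrors a Lua table: keyed entries keep their key, array entries get 1, 2, ...
"""


class ScriptArgsError(ValueError):
    """Raised on malformed --script-args input."""


class _Parser:
    def __init__(self, text):
        self.s, self.i = text, 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else None

    def skip_ws(self):
        while self.peek() is not None and self.peek().isspace():
            self.i += 1

    def entries(self, closer):
        """Comma-separated entries up to `closer` ('}' for a nested table, None for end of input)."""
        table, index = {}, 1
        while True:
            self.skip_ws()
            c = self.peek()
            if c == closer:
                if closer is not None:
                    self.i += 1  # consume the closing brace
                return table
            if c == '{':  # assumption: a nested table may also be a bare array entry
                self.i += 1
                table[index] = self.entries('}')
                index += 1
            else:
                first = self.string()
                self.skip_ws()
                if self.peek() == '=':  # key=value
                    self.i += 1
                    self.skip_ws()
                    table[first] = self.value()
                else:  # bare value: Lua-style array entry
                    table[index] = first
                    index += 1
            self.skip_ws()
            c = self.peek()
            if c == ',':
                self.i += 1
            elif c != closer:
                raise ScriptArgsError(f"expected ',' or {closer or 'end of input'} at offset {self.i}")

    def value(self):
        if self.peek() == '{':
            self.i += 1
            return self.entries('}')
        return self.string()

    def string(self):
        q = self.peek()
        if q in ('"', "'"):  # quoted: anything goes until the matching unescaped quote
            self.i += 1
            out = []
            while self.peek() != q:
                if self.peek() is None:
                    raise ScriptArgsError("unterminated quoted string")
                out.append(self.char(q))
            self.i += 1
            return ''.join(out)
        out = []  # unquoted: stop at { } , = or whitespace
        while self.peek() is not None and self.peek() not in '{},=' and not self.peek().isspace():
            out.append(self.char(None))
        if not out:
            raise ScriptArgsError(f"expected a key or value at offset {self.i}")
        return ''.join(out)

    def char(self, q):
        """One output character, expanding escapes; q is the active quote or None."""
        c = self.peek()
        self.i += 1
        if c != '\\':
            return c
        n = self.peek()
        if n is not None and n.isdigit():  # \ddd: up to three decimal digits, must fit a byte
            digits = ''
            while len(digits) < 3 and self.peek() is not None and self.peek().isdigit():
                digits += self.peek()
                self.i += 1
            if int(digits) > 255:
                raise ScriptArgsError(f"\\{digits} is not a byte")
            return chr(int(digits))  # byte value kept as a Latin-1 code point
        if n == '\\' or (q is not None and n == q):  # \\ and the escaped quote delimiter
            self.i += 1
            return n
        return '\\'  # assumption: any other backslash is literal, so C:\Nmap survives


def parse_script_args(text):
    """Parse a --script-args string into a Lua-style table (dict)."""
    return _Parser(text).entries(None)


def is_malformed(text):
    """True when `text` is rejected by the grammar (handy for checking error cases)."""
    try:
        parse_script_args(text)
        return False
    except ScriptArgsError:
        return True


if __name__ == "__main__":
    # The cases raised in the thread, as constructed inputs with shell quoting already removed.
    for sample in (
        "vhost={domain.co.uk,domain.com}",
        r"script-tag=C:\Nmap\SomeFile",
        'smbpass="P455,0rd"',
        r"raw=\65\66\67,lit=\\123",
        "a = 1 , b = { x , y , z = { q } }",
    ):
        print(f"{sample!r} -> {parse_script_args(sample)!r}")
```

Because nothing here is ever handed to loadstring(), a bare word such as domain.co.uk is just a string and a Windows path keeps its backslashes; the only way to get a non-printable byte in is the documented \ddd form, and \\ is the only way to write a backslash followed by digits literally.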


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
