Nmap Development mailing list archives
Re: [NSE] Changes to http-auth
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 19 Dec 2011 19:44:16 +0100
On Mon, Dec 19, 2011 at 3:47 PM, Rob Nicholls <robert () robnicholls co uk> wrote:

> I've taken a slightly closer look and I think the existing http.lua can cope without the quotes. But I get the impression that http.lua is struggling to deal with more than one scheme in the WWW-Authenticate header. I think something's not quite right with the parsing, probably some kind of off-by-one problem. I briefly tried playing around with the code, which got it sort of working for the header Patrik supplied, but then I was off-by-one in another place (I don't think the comma is being properly taken into account after the name of the scheme, but if you try to increment it there then other tokens can get screwed up later on). It's not my code, so I'm finding it hard to follow exactly what's going on. I might take another stab later, but I can't spend any more time on it right now.
>
> Rob

Thanks for looking into this Rob.

I figured out what the problem was and it had to do with authentication schemes that did not contain any parameters. The read_auth_challenge would fail if no params were present. As my servers supported both Kerberos and NTLM, which both don't have any parameters in addition to the scheme, parsing would fail. I'm hoping the patch I committed in r27560 solves this problem.

I've also committed a new version of http-auth r27561 that takes this fact into account and contains some other cosmetic changes, and Duarte's path addition.

Cheers,
Patrik
--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
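The case discussed in this message, a WWW-Authenticate header listing several schemes of which some carry no parameters, shown as an added Lua example (it is not the r27560 patch and not http.lua code). The function name parse_challenges and the sample header are constructed for illustration; the parser treats any bare token as the start of a new challenge, so the comma after a parameterless scheme needs no special handling.

```lua
-- Added example; parse_challenges is a hypothetical name, not an http.lua function.
-- Returns a list of { scheme = ..., params = {...}, token68 = ... }, or nil, err.
local function parse_challenges(header)
  local challenges, current, pos, len = {}, nil, 1, #header
  while true do
    pos = header:match("^[%s,]*()", pos)            -- skip list separators
    if pos > len then break end
    local name, after = header:match('^([^%s,="]+)()', pos)
    if not name then return nil, "unexpected character at offset " .. pos end
    local eq = header:match("^%s*=%s*()", after)
    if eq and current then
      -- name=value: an auth-param belonging to the current scheme
      local value, nxt
      if header:sub(eq, eq) == '"' then
        local buf, i = {}, eq + 1
        while i <= len and header:sub(i, i) ~= '"' do
          if header:sub(i, i) == "\\" then i = i + 1 end   -- quoted-pair
          buf[#buf + 1] = header:sub(i, i)
          i = i + 1
        end
        if i > len then return nil, "unterminated quoted-string" end
        value, nxt = table.concat(buf), i + 1
      else
        value, nxt = header:match("^([^%s,]*)()", eq)
      end
      current.params[name:lower()] = value
      pos = nxt
    else
      -- A bare token starts a new challenge, whether or not parameters follow.
      current = { scheme = name, params = {} }
      challenges[#challenges + 1] = current
      pos = after
      -- Optional token68 blob (base64-style data directly after the scheme name)
      local t68, nxt = header:match("^%s+([%w%-%._~+/]+=*)()", after)
      if t68 and (header:match("^%s*,", nxt) or header:match("^%s*$", nxt)) then
        current.token68, pos = t68, nxt
      end
    end
  end
  return challenges
end

-- Constructed sample: two parameterless schemes, then two schemes with parameters.
local sample = 'Negotiate, NTLM, Basic realm="intranet", '
  .. 'Digest realm="intranet", nonce="abc,def", qop=auth'
for _, c in ipairs(assert(parse_challenges(sample))) do
  local n = 0
  for _ in pairs(c.params) do n = n + 1 end
  print(c.scheme, n .. " param(s)")
end
```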