Nmap Development mailing list archives
Re: [NSE] Adding mkdir support
From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 31 Mar 2012 22:20:09 +0200
Hi Djalal,

Your comment got me thinking and while working on the luadoc documentation I went through all of the functionality the fs library provides. To be honest, I don't think it should be a problem including any of the functions.

> I don't think that we need to export all the lfs functions (I don't like
> the rmdir...), just the ones we need, besides that, before we include this we should probably define how scripts will create dirs/files and where...

We already have NSE scripts creating files on the filesystem using the io library, the additional functionality provided by the lfs library doesn't change anything here. In regards to rmdir, I agree, it might be scary at first look, but on the other hand, it won't remove a directory unless the directory is empty. The lfs library does not provide a function to delete files, and I don't see that in the io library either?

> Just to avoid the unix tricks and to avoid situations where scripts create a lot of dirs/files according to network input ... (if a script contains a bug...) and to keep Nmap's spirit about files.

A poorly implemented script could unfortunately end up overwriting system files in case Nmap is being run in privileged mode, but again, this won't change with the addition of the lfs library. To be honest, everything added by the lfs module is actually already feasible using the os.execute function. This was unfortunately my first idea when implementing the http-mirror script, which I very quickly realized was an extremely BAD one. In my opinion providing this functionality through the fs module is the safer alternative.

I think we should be on the watch for scripts making use of potentially troublesome functions such as e.g. fs.rmdir, os.execute, loadstring and make sure they are thoroughly reviewed before being committed. Could we trigger something searching for this when new code is committed as an additional check maybe?

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
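
A commit-time check of the kind asked about at the end of the message above, as an added example that is not part of the original message or of Nmap's own tooling. The watch list is the three functions named in the message; the names `find_watched`, `WATCHED` and the sample script are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Flag NSE (Lua) sources that reference functions needing extra review."""
import re
import sys

# Watch list taken from the message above; extend as review policy requires.
WATCHED = r"fs\s*\.\s*rmdir|os\s*\.\s*execute|loadstring"

# Comments and string literals are matched first, so a mention inside them
# is consumed by that alternative and never reported.
TOKEN = re.compile(r"""
    (?P<long>(?:--)?\[(?P<eq>=*)\[.*?\](?P=eq)\])   # long comment or long string
  | (?P<comment>--[^\n]*)                           # line comment
  | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
  | (?P<call>(?<![\w.:])(?:%s)\b)                   # watched name, not a field of another table
""" % WATCHED, re.X | re.S)

def find_watched(source):
    """Return (line_number, name) for each watched reference in live code."""
    hits = []
    for m in TOKEN.finditer(source):
        if m.group("call"):
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, re.sub(r"\s+", "", m.group("call"))))
    return hits

# Constructed sample script, not taken from any real NSE script.
SAMPLE = '''\
-- constructed sample; os.execute in a comment is ignored
description = "mirrors a site, never calls loadstring"
local run = os.execute            -- an alias is still a reference
--[[ fs.rmdir(old) was removed
     in review ]]
fs . rmdir(outdir)
local f = loadstring(body)
'''

def main(paths):
    """Scan the given files; a non-zero return blocks the commit."""
    bad = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, name in find_watched(fh.read()):
                print(f"{path}:{line}: {name} needs review before commit")
                bad = True
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run from a pre-commit hook with the changed `.nse` and `.lua` files as arguments. A hit marks the script for closer review; it does not mean the call is wrong.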