Nmap Development mailing list archives
parsing of script-args is broken
From: jah <jah () zadkiel plus com>
Date: Mon, 27 Apr 2009 00:20:05 +0100
Greetings,

I haven't been able to pay as much attention lately as I would have liked, so apologies if this has in fact been addressed despite my efforts to find any mention of the problem.

  --script-args vhost=domain.co.uk

is, I believe, a perfectly legitimate argument for a script. The intention is that the script can access the string assigned to vhost in the nmap.registry.args table. However, run this argument through loadstring() to check that the arguments are valid lua and to return a lua table like so:

  loadstring( 'return {vhost=domain.co.uk}' )

and what you would get back is:

  attempt to index global 'domain' (a nil value)

Instead of seeing the string "domain.co.uk", loadstring would see a lua value named "domain" and try to index the value with a lua value named "co".

To prevent this in nse_main.lua, the script arguments string is passed through gsub() to place double-quotes around portions of it so that loadfile will instead interpret those portions as strings instead of global variables. Trouble is, the pattern looks for "=([%w_]+)", which matches alphanumeric characters and the underscore, and replaces them with "=\"%1\"". So my vhost argument becomes

  vhost="domain".co.uk

which, when passed to loadstring() as

  'return {vhost="domain".co.uk}'

results in the error:

  '}' expected near '.'

Hopefully it's clear that "=([%w_]+)" is insufficient to deal with all possible script arguments which, as I understand it, could be one or more name=value pairs where the value may be a string or a table [1]. Either this method has to be made much more robust, or that replacement should be removed entirely, forcing users to ensure that, when providing script-args, each literal string in a name=value pair is quoted:

  --script-args " vhost='domain.co.uk' "
  --script-args " vhost={'domain.co.uk','domain.com'} "

As long as the arguments are valid lua and the strings are quoted, loadstring() will not error.
I've made an attempt at improving the "stringification" of the string passed to loadstring() with the aim of allowing both the above examples and those in [1]. The attached patch:

- replaces any commas found within quoted (on windows: a single quote only) string literals in the script-args with the string "Ncomma".
- splits the resultant string, comma delimited.
- quotes any trimmed, unquoted value if that value is not the key to another value (=> foo={bar="foobar"} ).
- joins the resultant table and replaces any "Ncomma"s with their original comma.

So, on windows, supplying --script-args:

  smbuser=admin,smbpass='P455,0rd',whois={whodb=nofollow+ripe},vhost={domain.co.uk,domain.com}

the following will be passed to loadstring():

  smbuser="admin",smbpass='P455,0rd',whois={whodb="nofollow+ripe"},vhost={"domain.co.uk","domain.com"}

which I hope covers at least as many uses as --script-args currently gets.

jah

[1] - http://nmap.org/book/nse-usage.html#nse-args
--- nse_main.lua.orig 2009-04-26 23:45:28.984461600 +0100 +++ nse_main.lua 2009-04-26 23:44:25.287586800 +0100 @@ -459,7 +459,23 @@ end do -- Load script arguments - local args = gsub((cnse.scriptargs or ""), "=([%w_]+)", "=\"%1\""); + local args = {}; + local temp_args = gsub((cnse.scriptargs or ""), "([\"'][^,\"']*)[,]([^,\"']*)([\"'])", "%1Ncomma%2%3") or cnse.scriptargs + for kvpair in string.gmatch((temp_args or ""), "[^=]+[^,]+") do + if kvpair:sub(1,1) == ',' then + args[#args+1] = ','; + kvpair = kvpair:sub(2,-1) + end + kvpair = kvpair:match("^%s*(.*)%s*$"); + for s in string.gmatch( kvpair, "[^=]+" ) do + args[#args+1] = s; + args[#args+1] = '='; + end + table.remove(args, #args); + args[#args] = gsub( args[#args], "^([{]?)([^'\"{}]*)([}]?)$", "%1\"%2\"%3" ); + end + local args = table.concat(args) or ""; + args = gsub(args, "Ncomma", ",") or args; local argsf, err = loadstring("return {"..args.."}", "Script Arguments"); if not argsf then error("failed to parse --script-args:\n"..args.."\n"..err);
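Review bot: the comma-protecting gsub on the `temp_args` line does not pair its quote characters as opening/closing, so `([\"'][^,\"']*)[,]([^,\"']*)([\"'])` can match from the closing quote of one literal to the opening quote of the next: for `a='x',b='y,z'` the match spans `',b='`, replacing the separator comma between the pairs with `Ncomma` while leaving the comma inside `'y,z'` unprotected, and the later `"[^=]+[^,]+"` gmatch then splits the string in the wrong places. The same pattern also handles at most one comma per literal, because the second capture `([^,\"']*)` cannot contain a comma, so `smbpass='a,b,c'` never matches and is split apart. Walking the string character by character and copying each quoted literal through its closing quote would fix both. Two smaller points in the same hunk: `kvpair:match("^%s*(.*)%s*$")` only strips leading whitespace, since the greedy `(.*)` swallows trailing spaces before `%s*$` sees them, so a trailing space ends up inside the quotes as `"admin "`; and `local args` is declared twice in the same block, so the second `local args = table.concat(args)` should be a plain assignment.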
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
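An added example, not code from nse_main.lua or from the patch above: the same "stringification" step written as a character scanner rather than as gsub patterns. Quoted literals are copied verbatim, so commas, '=' and braces inside them are never touched, and every bare word that is not followed by '=' is treated as a value and wrapped in double quotes, exactly as the original "=([%w_]+)" replacement did for the words it matched. quote_script_args is an assumed name; the input strings are those from the post.

```lua
local loadstring = loadstring or load  -- Lua 5.1 name, or the 5.2+ equivalent

-- Quote bare values in a --script-args string so that
-- loadstring("return {"..args.."}") sees string literals, not global names.
local function quote_script_args(s)
  local out, i, n = {}, 1, #s
  while i <= n do
    local c = s:sub(i, i)
    if c == '"' or c == "'" then
      -- copy a quoted literal through its matching closing quote, honouring backslash escapes
      local j = i + 1
      while j <= n and s:sub(j, j) ~= c do
        if s:sub(j, j) == "\\" then j = j + 1 end
        j = j + 1
      end
      out[#out + 1] = s:sub(i, j)
      i = j + 1
    elseif c:find("[,={}%s]") then
      out[#out + 1] = c  -- separators, braces and whitespace pass through unchanged
      i = i + 1
    else
      -- a bare word: scan up to the next separator, quote or whitespace
      local j = i
      while j <= n and not s:sub(j, j):find("[,={}'\"%s]") do j = j + 1 end
      local word = s:sub(i, j - 1)
      -- a bare word is a key only if the next non-space character is '='
      if s:match("^%s*=", j) then
        out[#out + 1] = word
      else
        out[#out + 1] = '"' .. word .. '"'
      end
      i = j
    end
  end
  return table.concat(out)
end

-- the case that broke the "=([%w_]+)" replacement
assert(quote_script_args("vhost=domain.co.uk") == 'vhost="domain.co.uk"')

-- the combined example from the post (constructed input, as in the post)
local raw = "smbuser=admin,smbpass='P455,0rd',whois={whodb=nofollow+ripe},vhost={domain.co.uk,domain.com}"
local args = quote_script_args(raw)
assert(args == [[smbuser="admin",smbpass='P455,0rd',whois={whodb="nofollow+ripe"},vhost={"domain.co.uk","domain.com"}]])

-- and the result really is a lua table once loadstring() gets it
local argsf, err = loadstring("return {" .. args .. "}", "Script Arguments")
assert(argsf, err)
local t = argsf()
assert(t.smbpass == "P455,0rd" and t.whois.whodb == "nofollow+ripe" and t.vhost[2] == "domain.com")
```

An unterminated quote is copied to the end of the string and left for loadstring() to report, and bare numbers such as port=80 become the string "80", which is what the existing replacement already did.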