Re: Script force

[Martin Holst Swende <martin () swende se>]

On 12/07/2011 09:40 AM, Patrick Donnelly wrote:
> On Wed, Dec 7, 2011 at 3:18 AM, Martin Holst Swende <martin () swende se> wrote:
> > Hi,
> >
> > On 12/04/2011 10:00 AM, Patrick Donnelly wrote:
> > > With that said, I have a suggestion. The '+' should be a prefix to a
> > > pattern. It should not be a prefix to a filename, category, or boolean
> > > expression. It should change the meaning of the entire expression:
> > > "any script chosen as a result of this expression is forced to run".
> > > So, you might have: --script '+not intrusive and not discovery'. This
> > > would mean, "forcibly run all scripts that are not in the intrusive
> > > and not in the discovery categories". [As an aside with respect to the
> > > implementation: note that most script filenames are usually matched
> > > and loaded via the Entry function. The code that runs after this
> > > comment "-- Now load any scripts listed by name rather than by
> > > category." loads files and directories that are not found in the
> > > script database (the script database is a series of calls to the Entry
> > > function). For example, that fallback code would load scripts
> > > specified by "my-scripts/foo.nse" or a directory "my-scripts".
> > >
> > > With that changed, I think the patch would be much nicer. However...
> > I agree with your reasoning here, but perhaps I misread you a bit. I think
> > the '+' should be a prefix to an expression.
> There is no established terminology here and I was winging it in my
> post. [There is no real benefit for getting pedantic about command
> line syntax in user documentation.] To be clear, the proposed change
> would result in this sort of syntax:
>
> --script <outer-expression>
>
> <outer-expression> := [prefix] specification { <comma> [prefix] specification }
> specification := filepath | directory | expression
> expression := filename-pattern | category | expression binop
> expression | unop expression
> binop := and or
> unop := not
>
> filename-pattern only matches files in the script database. Note the
> pattern can actually be a literal filename.
>
> > +safe and http-*,+http-title => +(default and http-*), +(http-verb-tamper)
> > => "Ignore the return value of the portrule for any script selected
> > matching (safe and http-*) and any script matching (http-verb-tamper),
> > unless already loaded"
> Assuming your example got mixed up during writing, yes that's right.
That is a correct assumption. There's about three mixups in that short
blob :)
> > That would make strange corner cases go away:
> > (not +http-title) => errror, no + allowed inside expression, + only
> > allowed at the left side of an expression.
> They are not really corner cases but strange consequences of the
> design. It just wasn't well defined why or how the force "operator"
> should apply to only parts of an expression. David brought this up
> earlier in the thread.
Good, then I understood you correctly and agree fully.
/Martin


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/