Nmap Development mailing list archives

Re: [NSE] Changes to http-auth


From: David Fifield <david () bamsoftware com>
Date: Mon, 19 Dec 2011 11:17:06 -0800

On Mon, Dec 19, 2011 at 07:44:16PM +0100, Patrik Karlsson wrote:
> On Mon, Dec 19, 2011 at 3:47 PM, Rob Nicholls <robert () robnicholls co uk> wrote:
>
> > I've taken a slightly closer look and I think the existing http.lua can
> > cope without the quotes.
> >
> > But I get the impression that http.lua is struggling to deal with more than
> > one scheme in the WWW-Authenticate header. I think something's not quite
> > right with the parsing, probably some kind of off-by-one problem. I briefly
> > tried playing around with the code, which got it sort of working for the
> > header Patrik supplied, but then I was off-by-one in another place (I don't
> > think the comma is being properly taken into account after the name of the
> > scheme, but if you try to increment it there then other tokens can get
> > screwed up later on). It's not my code, so I'm finding it hard to follow
> > exactly what's going on. I might take another stab later, but I can't spend
> > any more time on it right now.
>
> Thanks for looking into this Rob. I figured out what the problem was and it
> had to do with authentication schemes that did not contain any parameters.
> The read_auth_challenge would fail if no params were present. As my servers
> supported both Kerberos and NTLM, which both don't have any parameters in
> addition to the scheme, parsing would fail.
>
> I'm hoping the patch I committed in r27560 solves this problem. I've also
> committed a new version of http-auth r27561 that takes this fact into
> account and contains some other cosmetic changes, and Duarte's path
> addition.

Thanks for helping to figure this out, everyone. Having zero auth-params
is not allowed according to RFC 2617 section 1.2, which says
        auth-scheme    = token
        auth-param     = token "=" ( token | quoted-string )
        challenge      = auth-scheme 1*SP 1#auth-param
where 1#auth-param means "one or more auth-params separated by commas."
But it seems obvious we should support zero auth-params as well since
Patrik found it in the wild. The http.lua code is based on
http_read_challenge in Ncat, where I have just made the same change.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
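The grammar David quotes above, turned into a small parser. This is an added example written for this page, not the http.lua read_auth_challenge or the Ncat http_read_challenge code under discussion, and the regex names, the function names and the sample header are all my own construction. It shows the two things the thread is about: a challenge is allowed to carry zero auth-params (so "Negotiate, NTLM" parses as two challenges instead of failing), and the comma after a scheme name has to be handled by looking at whether the next token is followed by "=" (an auth-param) or not (the next auth-scheme), rather than by splitting the header on commas, because a quoted-string value such as qop="auth,auth-int" may itself contain a comma.

```python
import re

# Lexical pieces from RFC 2617 section 1.2 (token and quoted-string come
# from RFC 2616).  These regexes were written for this example; they are
# not taken from http.lua or Ncat.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
VALUE = rf"(?:{TOKEN}|{QUOTED_STRING})"

SKIP_RE = re.compile(r"[\s,]*")           # whitespace and empty list elements
SCHEME_RE = re.compile(rf"({TOKEN})")
# The first auth-param follows the scheme after 1*SP ...
FIRST_PARAM_RE = re.compile(rf"\s+({TOKEN})\s*=\s*({VALUE})")
# ... and further ones are comma separated (the 1#auth-param list).
NEXT_PARAM_RE = re.compile(rf"\s*,\s*({TOKEN})\s*=\s*({VALUE})")
# After a challenge we must be at the end, or at the comma before the next one.
END_RE = re.compile(r"\s*(?:,|$)")


def unquote(value):
    """Strip the quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header):
    """Return a list of (scheme, params) pairs, one per challenge.

    Relaxing the strict RFC 2617 grammar, a challenge may carry zero
    auth-params, so 'Negotiate, NTLM' yields two challenges with empty
    parameter dicts instead of a parse failure.  Anything that is neither
    an auth-param nor the start of a new auth-scheme raises ValueError.
    """
    challenges = []
    pos = 0
    while True:
        pos = SKIP_RE.match(header, pos).end()
        if pos >= len(header):
            break
        m = SCHEME_RE.match(header, pos)
        if m is None:
            raise ValueError(f"expected auth-scheme at offset {pos}: {header[pos:]!r}")
        scheme = m.group(1)
        pos = m.end()

        params = {}
        m = FIRST_PARAM_RE.match(header, pos)
        while m is not None:
            # auth-param names are case-insensitive; values keep their case
            params[m.group(1).lower()] = unquote(m.group(2))
            pos = m.end()
            m = NEXT_PARAM_RE.match(header, pos)
        challenges.append((scheme, params))

        # A token not followed by "=" here is the next scheme, so it is
        # left for the next loop iteration; only the separator is consumed.
        m = END_RE.match(header, pos)
        if m is None:
            raise ValueError(f"unexpected data at offset {pos}: {header[pos:]!r}")
        pos = m.end()
    return challenges


# Constructed sample header: two parameter-less schemes, then Basic and
# Digest.  The qop value contains a comma, which is why splitting the
# header on commas before tokenising does not work.
SAMPLE_HEADER = (
    'Negotiate, NTLM, Basic realm="Nmap test", '
    'Digest realm="nmap", nonce="abc123", qop="auth,auth-int"'
)


if __name__ == "__main__":
    for scheme, params in parse_www_authenticate(SAMPLE_HEADER):
        print(scheme, params)
```

The parser stays strict everywhere except the zero-params case: a param without a value, or two scheme names separated only by a space, still raises rather than being silently accepted, which is the behaviour you want in a script that reports what a server actually advertised.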