Re: [nse] #212 - http.get_url makes plain text request for HTTPS urls

[Daniel Miller <bonsaiviking () gmail com>]

jah,

Thanks for continuing to follow up on this. I like this new approach much
better. I applied something similar in r35272, but created the temporary
port table all at once. Still credited you in the changelog. Much
appreciated!

Dan

On Fri, Sep 18, 2015 at 9:58 AM, jah <jah () zadkiel plus com> wrote:

> On 18/09/15 05:19, Daniel Miller wrote:
> > jah,
> >
> > Thanks for the report. Very thorough! I added port.state = "open" to
> get_url in r35251. I think this is enough to fix the issue. We can do an
> audit later to determine if any other scripts or functions pass a
> constructed port table without a state to comm.tryssl or shortport.ssl.
> > Dan
> Dan,
>
> I wasn't thorough enough!  It turns out that port.protocol is also
> necessary for shortport.ssl to perform its tests. Specifically, it needs
> either {number, protocol and state} or {service, protocol and state}.
>
> When comm.bestoption is supplied with a numeric port argument, it will
> construct a port table for shortport.ssl on which it sets some default
> values: protocol="tcp", state="open" and version={}.
>
> The attached extends comm.bestoption to do a similar thing when the port
> arg is a table. Specifically it makes a partial copy of the port table and
> provides default values for state, protocol and version in the same way as
> for numerical port args.
>
> The patch also reverts r35251 so that comm.bestoption would be solely
> responsible for coercing a port for testing by shortport.ssl. I've tested
> the patch and can confirm the changes prevent the plaintext request for
> HTTPS urls.
>
> jah
>
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/