Avoid format-string bugs. Fixes #2634

nselib/bittorrent.lua

@@ -689,7 +689,7 @@ Torrent =
           stdnse.debug1("Could not get peers from tracker %s, reason: %s",tracker, err)
         end
       else -- unknown tracker
-        stdnse.debug1("Unknown tracker protocol for: "..tracker)
+        stdnse.debug1("Unknown tracker protocol for: %s", tracker)
       end
       --if not status then return false, err end
     end

nselib/cassandra.lua

@@ -106,7 +106,7 @@ function describe_cluster_name (socket,cnt)
   local status,resp = sendcmd(socket,cname,cnt)
 
   if (not(status)) then
-    stdnse.debug1("sendcmd"..resp)
+    stdnse.debug1("sendcmd: %s", resp)
     return false, "error in communication"
   end
 
@@ -127,7 +127,7 @@ function describe_version (socket,cnt)
   local status,resp = sendcmd(socket,cname,cnt)
 
   if (not(status)) then
-    stdnse.debug1("sendcmd"..resp)
+    stdnse.debug1("sendcmd: %s", resp)
     return false, "error in communication"
   end
 
@@ -151,20 +151,20 @@ function login (socket,username,password)
 
   local status, err = socket:send(string.pack(">I4", #loginstr))
   if ( not(status) ) then
-          stdnse.debug3("cannot send len "..combo)
+          stdnse.debug3("cannot send len %s", combo)
           return false, "Failed to connect to server"
   end
 
   status, err = socket:send(loginstr)
   if ( not(status) ) then
-          stdnse.debug3("Sent packet for "..combo)
+          stdnse.debug3("Sent packet for %s", combo)
           return false, err
   end
 
   local response
   status, response = socket:receive_bytes(22)
   if ( not(status) ) then
-          stdnse.debug3("Receive packet for "..combo)
+          stdnse.debug3("Receive packet for %s", combo)
           return false, err
   end
   local size = string.unpack(">I4", response)
@@ -175,7 +175,7 @@ function login (socket,username,password)
   end
 
   local magic = string.sub(response,18,22)
-  stdnse.debug3("packet for "..combo)
+  stdnse.debug3("packet for %s", combo)
   stdnse.debug3("packet hex: %s", stdnse.tohex(response) )
   stdnse.debug3("size packet hex: %s", stdnse.tohex(size) )
   stdnse.debug3("magic packet hex: %s", stdnse.tohex(magic) )

nselib/dhcp.lua

@@ -611,7 +611,7 @@ function make_request(target, request_type, ip_address, mac_address, options, re
   -- Generate the packet
   local status, packet = dhcp_build(request_type, ipOps.ip_to_str(ip_address), mac_address, options, request_options, overrides, lease_time, transaction_id)
   if(not(status)) then
-    stdnse.debug1("dhcp: Couldn't build packet: " .. packet)
+    stdnse.debug1("dhcp: Couldn't build packet: %s", packet)
     return false, "Couldn't build packet: "  .. packet
   end
 
@@ -622,7 +622,7 @@ function make_request(target, request_type, ip_address, mac_address, options, re
   -- Send the packet and get the response
   local status, response = dhcp_send(socket, target, packet)
   if(not(status)) then
-    stdnse.debug1("dhcp: Couldn't send packet: " .. response)
+    stdnse.debug1("dhcp: Couldn't send packet: %s", response)
     return false, "Couldn't send packet: "  .. response
   end
 
@@ -630,14 +630,14 @@ function make_request(target, request_type, ip_address, mac_address, options, re
   socket:close()
 
   if ( not(status) ) then
-    stdnse.debug1("dhcp: Couldn't receive packet: " .. response)
+    stdnse.debug1("dhcp: Couldn't receive packet: %s", response)
     return false, "Couldn't receive packet: "  .. response
   end
 
   -- Parse the response
   local status, parsed = dhcp_parse(response, transaction_id)
   if(not(status)) then
-    stdnse.debug1("dhcp: Couldn't parse response: " .. parsed)
+    stdnse.debug1("dhcp: Couldn't parse response: %s", parsed)
     return false, "Couldn't parse response: "  .. parsed
   end
 

nselib/http.lua

@@ -1993,7 +1993,7 @@ function pipeline_go(host, port, all_requests)
     stdnse.debug1("Warning: empty set of requests passed to http.pipeline_go()")
     return responses
   end
-  stdnse.debug1("HTTP pipeline: Total number of requests: " .. #all_requests)
+  stdnse.debug1("HTTP pipeline: Total number of requests: %d", #all_requests)
 
   -- We'll try a first request with keep-alive, just to check if the server
   -- supports it and how many requests we can send into one socket

nselib/ospf.lua

@@ -69,7 +69,7 @@ OSPF = {
         header.auth_data.hash = hash
       else
         -- Shouldn't happen
-        stdnse.debug1("Unknown authentication type " .. header.auth_type)
+        stdnse.debug1("Unknown authentication type %s", header.auth_type)
         return nil
       end
       header.router_id = ipOps.fromdword(header.router_id)

nselib/proxy.lua

@@ -102,7 +102,7 @@ function test_get(host, port, proxyType, test_url, hostname, pattern)
     return false, socket
   end
   local req = "GET " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
-  stdnse.debug1("GET Request: " .. req)
+  stdnse.debug1("GET Request: %s", req)
   return test(socket, req, pattern)
 end
 
@@ -120,7 +120,7 @@ function test_head(host, port, proxyType, test_url, hostname, pattern)
     return false, socket
   end
   local req = "HEAD " .. test_url .. " HTTP/1.0\r\nHost: " .. hostname .. "\r\n\r\n"
-  stdnse.debug1("HEAD Request: " .. req)
+  stdnse.debug1("HEAD Request: %s", req)
   return test(socket, req, pattern)
 end
 
@@ -136,7 +136,7 @@ function test_connect(host, port, proxyType, hostname)
     return false, socket
   end
   local req = "CONNECT " .. hostname .. ":80 HTTP/1.0\r\n\r\n"
-  stdnse.debug1("CONNECT Request: " .. req)
+  stdnse.debug1("CONNECT Request: %s", req)
   return test(socket, req, false)
 end
 

nselib/snmp.lua

@@ -155,7 +155,7 @@ local function getVersion (version, default)
     if num_to_version[version] then
       return version
     end
-    stdnse.debug1("Unrecognized SNMP version; proceeding with SNMP" .. num_to_version[default])
+    stdnse.debug1("Unrecognized SNMP version; proceeding with SNMP%s", num_to_version[default])
   end
   return default
 end

nselib/tn3270.lua

@@ -342,7 +342,7 @@ Telnet = {
   -- @param integer buffer address
   -- @return TN3270 encoded buffer address (12 bit) as string
   ENCODE_BADDR = function ( self, address )
-    stdnse.debug(3, "Encoding Address: " .. address)
+    stdnse.debug(3, "Encoding Address: %s", address)
     return string.pack("BB",
       -- (address >> 8) & 0x3F
       -- we need the +1 because LUA tables start at 1 (yay!)
@@ -461,7 +461,7 @@ Telnet = {
     local WONT_reply = self.commands.IAC .. self.commands.WONT
 
     --nsedebug.print_hex(data)
-    --stdnse.debug(3,"current state:" .. self.telnet_state)
+    --stdnse.debug(3,"current state:%s", self.telnet_state)
 
     if self.telnet_state == TNS_DATA then
       if data == self.commands.IAC then
@@ -549,7 +549,7 @@ Telnet = {
         end
       else
         self:send_data(WONT_reply..data)
-        stdnse.debug(3, "[TELNET] Got unsupported Do. Sent Won't Reply: " .. data .. " " .. self.telnet_data)
+        stdnse.debug(3, "[TELNET] Got unsupported Do. Sent Won't Reply: %s %s", data, self.telnet_data)
       end
       self.telnet_state = TNS_DATA
     elseif self.telnet_state == TNS_DONT then
@@ -715,9 +715,9 @@ Telnet = {
         self.fa_buffer[i] = "\0"
         self.overwrite_buf[i] = "\0"
       end
-      stdnse.debug(3, "[in3270] Empty Buffer Created. Length: " .. #self.buffer)
+      stdnse.debug(3, "[in3270] Empty Buffer Created. Length: %d", #self.buffer)
     end
-    stdnse.debug(3,"[in3270] Current State: "..self.word_state[self.state])
+    stdnse.debug(3,"[in3270] Current State: %s", self.word_state[self.state])
   end,
 
   --- Also known as process_eor
@@ -832,7 +832,7 @@ Telnet = {
       stdnse.debug(3,"TN3270 Command: No OP (NOP)")
       return self.NO_OUTPUT
     else
-      stdnse.debug(3,"Unknown 3270 Data Stream command: 0x"..stdnse.tohex(com))
+      stdnse.debug(3,"Unknown 3270 Data Stream command: 0x%s", stdnse.tohex(com))
       return self.BAD_COMMAND
 
     end
@@ -864,8 +864,8 @@ Telnet = {
     i = 3 -- skip the SF and the WCC.
     while i <= #data do
       cp = data:sub(i,i)
-      stdnse.debug(4,"Current Position: ".. i .. " of " .. #data)
+      stdnse.debug(4,"Current Position: %d of %d", i, #data)
-      stdnse.debug(4,"Current Item: ".. stdnse.tohex(cp))
+      stdnse.debug(4,"Current Item: %s", stdnse.tohex(cp))
       -- yay! lua has no switch statement
       if cp == self.orders.SF then
         stdnse.debug(4,"Start Field")
@@ -873,8 +873,8 @@ Telnet = {
 
         last_cmd = true
         i = i + 1 -- skip SF
-        stdnse.debug(4,"Writting Zero to buffer at address: " .. self.buffer_address)
+        stdnse.debug(4,"Writing Zero to buffer at address: %s", self.buffer_address)
-        stdnse.debug(4,"Attribute Type: 0x".. stdnse.tohex(data:sub(i,i)))
+        stdnse.debug(4,"Attribute Type: 0x%s", stdnse.tohex(data:sub(i,i)))
         self:write_field_attribute(data:sub(i,i))
         self:write_char("\00")
         self.buffer_address = self:INC_BUF_ADDR(self.buffer_address)
@@ -885,12 +885,12 @@ Telnet = {
         stdnse.debug(4,"Start Field Extended")
         i = i + 1 -- skip SFE
         num_attr = data:byte(i)
-        stdnse.debug(4,"Number of Attributes: ".. num_attr)
+        stdnse.debug(4,"Number of Attributes: %d", num_attr)
         for j = 1,num_attr do
           i = i + 1
           if data:byte(i) == 0xc0 then
-            stdnse.debug(4,"Writting Zero to buffer at address: " .. self.buffer_address)
+            stdnse.debug(4,"Writing Zero to buffer at address: %s", self.buffer_address)
-            stdnse.debug(4,"Attribute Type: 0x".. stdnse.tohex(data:sub(i,i)))
+            stdnse.debug(4,"Attribute Type: 0x%s", stdnse.tohex(data:sub(i,i)))
             self:write_char("\00")
             self:write_field_attribute(data:sub(i,i))
           end
@@ -902,20 +902,20 @@ Telnet = {
       elseif cp == self.orders.SBA then
         stdnse.debug(4,"Set Buffer Address (SBA) 0x11")
         self.buffer_address = self.DECODE_BADDR(data:byte(i+1), data:byte(i+2))
-        stdnse.debug(4,"Buffer Address: " .. self.buffer_address)
+        stdnse.debug(4,"Buffer Address: %s", self.buffer_address)
-        stdnse.debug(4,"Row: " .. self:BA_TO_ROW(self.buffer_address))
+        stdnse.debug(4,"Row: %s", self:BA_TO_ROW(self.buffer_address))
-        stdnse.debug(4,"Col: " .. self:BA_TO_COL(self.buffer_address))
+        stdnse.debug(4,"Col: %s", self:BA_TO_COL(self.buffer_address))
         last_cmd = true
         prev = 'SBA'
         -- the current position is SBA, the next two bytes are the lengths
         i = i + 3
-        stdnse.debug(4,"Next Command: ".. stdnse.tohex(data:sub(i,i)))
+        stdnse.debug(4,"Next Command: %s", stdnse.tohex(data:sub(i,i)))
       elseif cp == self.orders.IC then -- Insert Cursor
         stdnse.debug(4,"Insert Cursor (IC) 0x13")
-        stdnse.debug(4,"Current Cursor Address: " .. self.cursor_addr)
+        stdnse.debug(4,"Current Cursor Address: %s", self.cursor_addr)
-        stdnse.debug(4,"Buffer Address: " .. self.buffer_address)
+        stdnse.debug(4,"Buffer Address: %s", self.buffer_address)
-        stdnse.debug(4,"Row: " .. self:BA_TO_ROW(self.buffer_address))
+        stdnse.debug(4,"Row: %s", self:BA_TO_ROW(self.buffer_address))
-        stdnse.debug(4,"Col: " .. self:BA_TO_COL(self.buffer_address))
+        stdnse.debug(4,"Col: %s", self:BA_TO_COL(self.buffer_address))
         prev = 'ORDER'
         self.cursor_addr = self.buffer_address
         last_cmd = true
@@ -925,15 +925,15 @@ Telnet = {
         -- There's all kinds of weird GE stuff we could do, but not now. Maybe in future vers
         stdnse.debug(4,"Repeat to Address (RA) 0x3C")
         local ra_baddr = self.DECODE_BADDR(data:byte(i+1), data:byte(i+2))
-        stdnse.debug(4,"Repeat Character: " .. stdnse.tohex(data:sub(i+1,i+2)))
+        stdnse.debug(4,"Repeat Character: %s", stdnse.tohex(data:sub(i+1,i+2)))
 
-        stdnse.debug(4,"Repeat to this Address: " .. ra_baddr)
+        stdnse.debug(4,"Repeat to this Address: %s", ra_baddr)
-        stdnse.debug(4,"Currrent Address: " .. self.buffer_address)
+        stdnse.debug(4,"Current Address: %s", self.buffer_address)
         prev = 'ORDER'
         --char_code = data:sub(i+3,i+3)
         i = i + 3
         local char_to_repeat = data:sub(i,i)
-        stdnse.debug(4,"Repeat Character: " .. stdnse.tohex(char_to_repeat))
+        stdnse.debug(4,"Repeat Character: %s", stdnse.tohex(char_to_repeat))
         while (self.buffer_address ~= ra_baddr) do
           self:write_char(char_to_repeat)
           self.buffer_address = self:INC_BUF_ADDR(self.buffer_address)
@@ -942,13 +942,13 @@ Telnet = {
         stdnse.debug(4,"Erase Unprotected All (EAU) 0x12")
         local eua_baddr = self.DECODE_BADDR(data:byte(i+1), data:byte(i+2))
         i = i + 3
-        stdnse.debug(4,"EAU to this Address: " .. eua_baddr)
+        stdnse.debug(4,"EAU to this Address: %s", eua_baddr)
-        stdnse.debug(4,"Currrent Address: " .. self.buffer_address)
+        stdnse.debug(4,"Current Address: %s", self.buffer_address)
         while (self.buffer_address ~= eua_baddr) do
           -- do nothing for now. this feature isn't supported/required at the moment
           self.buffer_address = self:INC_BUF_ADDR(self.buffer_address)
-          --stdnse.debug(3,"Currrent Address: " .. self.buffer_address)
+          --stdnse.debug(3,"Current Address: %s", self.buffer_address)
-          --stdnse.debug(3,"EAU to this Address: " .. eua_baddr)
+          --stdnse.debug(3,"EAU to this Address: %s", eua_baddr)
         end
       elseif cp == self.orders.GE then
         stdnse.debug(4,"Graphical Escape (GE) 0x08")
@@ -994,9 +994,9 @@ Telnet = {
       else -- whoa we made it.
         local ascii_char = drda.StringUtil.toASCII(cp)
         stdnse.debug(4,"Inserting 0x"..stdnse.tohex(cp).." (".. ascii_char ..") at the following location:")
-        stdnse.debug(4,"Row: " .. self:BA_TO_ROW(self.buffer_address))
+        stdnse.debug(4,"Row: %s", self:BA_TO_ROW(self.buffer_address))
-        stdnse.debug(4,"Col: " .. self:BA_TO_COL(self.buffer_address))
+        stdnse.debug(4,"Col: %s", self:BA_TO_COL(self.buffer_address))
-        stdnse.debug(4,"Buffer Address: " .. self.buffer_address)
+        stdnse.debug(4,"Buffer Address: %s", self.buffer_address)
         self:write_char(data:sub(i,i))
         self.buffer_address = self:INC_BUF_ADDR(self.buffer_address)
         self.first_screen = true
@@ -1025,7 +1025,7 @@ Telnet = {
     stdnse.debug(3,"Generating Read Buffer")
     self.output_buffer[output_addr] = string.pack("B",self.aid)
     output_addr = output_addr + 1
-    stdnse.debug(3,"Output Address: ".. output_addr)
+    stdnse.debug(3,"Output Address: %s", output_addr)
     self.output_buffer[output_addr] = self:ENCODE_BADDR(self.cursor_addr)
     return self:send_tn3270(self.output_buffer)
 

scripts/http-form-brute.nse

@@ -514,21 +514,21 @@ action = function (host, port)
   if not path_ok(path, hostname, port) then
     return stdnse.format_output(false, string.format("Unusable form action %q", path))
   end
-  stdnse.debug(form_debug, "Form submission path: " .. path)
+  stdnse.debug(form_debug, "Form submission path: %s", path)
 
   -- HTTP method POST is the default
   method = string.upper(method or "POST")
   if not (method == "GET" or method == "POST") then
     return stdnse.format_output(false, string.format("Invalid HTTP method %q", method))
   end
-  stdnse.debug(form_debug, "HTTP method: " .. method)
+  stdnse.debug(form_debug, "HTTP method: %s", method)
 
   -- passvar must be specified or detected, uservar is optional
   if not passvar then
     return stdnse.format_output(false, "No passvar was specified or detected (see http-form-brute.passvar)")
   end
-  stdnse.debug(form_debug, "Username field: " .. (uservar or "(not set)"))
+  stdnse.debug(form_debug, "Username field: %s", uservar or "(not set)")
-  stdnse.debug(form_debug, "Password field: " .. passvar)
+  stdnse.debug(form_debug, "Password field: %s", passvar)
 
   if onsuccess and onfailure then
     return stdnse.format_output(false, "Either the onsuccess or onfailure argument should be passed, not both.")