Not all SSH key formats use base64 encoding, for example SSH1 keys looks
different. So we can't blindly base64-encode the raw strings that we
receive. Attempt to return keys in the same format as is used by the
known_hosts file.
If you ran the (fortunately non-default) http-domino-enum-passwords
script with the (fortunately also non-default)
domino-enum-passwords.idpath parameter against a malicious server,
it could cause an arbitrarily named file to to be written to the
client system. Thanks to Trustwave researcher Piotr Duszynski for
discovering and reporting the problem. We've fixed that script, and
also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our
record of never having a vulnerability in the 16 years that Nmap has
existed, but that's still a fairly good run. [David, Fyodor]
This is the site-local prefix deprecated by RFC 3879. Suggested by Marek
Majkowski, who noticed that the prefix was included in Tor's
tor_addr_is_internal_ function.
final script-args table. The rationale is, unfortunately shells interpret
quotes differently and so it can be hard to tell exactly what NSE ends up
seeing/producing. [Some discussion in #nmap on Freenode resulted in this
addition.]
Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber
(http://seclists.org/nmap-dev/2013/q2/300)
Two changes here, both minor. First, explicitly assigning a new key to
nil does not add the key to the ordered set of keys. This better
emulates the behavior of regular tables.
> o = stdnse.output_table()
> o["test"] = nil
This previously resulted in output like this:
|_ test: nil
Now it simply omits the "test:" key.
Second, I needed a way to tell whether an output table was empty or not.
Since Lua's next() function doesn't call the __pairs metamethod, it was
always returning nil. Instead, I used the __call metamethod, since it
had the least preexisting semantic meaning:
> o = stdnse.output_table()
> =o()
false
> o["test"] = 1
> =o()
true
We never intend to ask for a service on a port other than the one we
connect to. By my reading of RFC 2616 section 14.23, we can leave the
port number off in this case. Robin Wood reported that
https://twitter.com/ gives you a redirect instead of a page if you send
it
Host: twitter.com:443
rather than
Host: twitter.com
http://seclists.org/nmap-dev/2013/q1/267
RFC 3986 section 3.1:
Although schemes are case-insensitive, the canonical form is lowercase
and documents that specify schemes must do so with lowercase letters.
An implementation should accept uppercase letters as equivalent to
lowercase in scheme names (e.g., allow "HTTP" as well as "http") for the
sake of robustness but should only produce lowercase scheme names for
consistency.
RFC 3986 says that these URLs are equivalent:
http://example.com/http://example.com:/
url.parse was returning port="" for the latter. Make it instead return
port=nil like the former.
