http.get_url makes plain text request for HTTPS urls #212

boite opened this Issue Sep 17, 2015 · 0 comments


None yet
1 participant

boite commented Sep 17, 2015

  • http.get_url parses the url to produce a port table: {service: "https", number: 443}
  • http.request is eventually called with the port table and this is passed to comm.tryssl
  • comm.tryssl passes the port table to comm.bestoption, which calls comm.is_ssl, which calls shortport.ssl
  • shortport.ssl calls shortport.port_or_service which returns false because both the port_checker and service_checker demand that port.state be either "open" or "open|filtered", but port.state is not set in this case
  • thus comm.tryssl uses opts.proto="tcp" instead of "ssl" when calling comm.opencon

I can think of four fixes:-

  1. shortport.includes, used by the checker functions, could return true if a nil value is being checked for inclusion in a set
  2. the shortport checker functions could avoid testing port.state for inclusion in a set of states if port.state is not set (and return true when the other demands are met).
  3. http.get_url could add port.state="open" after parsing its url argument.
  4. http.request could set port.state

Doing option 3 seems appropriate, but it doesn't help script writers using other http.lua functions such as get or head. Option 1 seems like the right thing to do, except that it arguably violates the principle of least surprise. Options 2 and 4 are probably not the appropriate places to solve this problem.

@nmap-bot nmap-bot closed this in 6752546 Sep 18, 2015

qha added a commit to qha/nmap that referenced this issue Dec 16, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment