Broken HTTP redirect check for credentials #826

Closed
nnposter opened this Issue Apr 5, 2017 · 0 comments

nnposter commented Apr 5, 2017

One of the default HTTP redirect checks, located here, is presumably to prevent a redirect if credentials are embedded in the URL:

  -- Check if there's any credentials in the url
  function (url, host, port)
    -- bail if userinfo is present
    return ( url.userinfo and false ) or true
  end,

The return expression is patently broken as it always returns true:

$ lua
Lua 5.3.4  Copyright (C) 1994-2017 Lua.org, PUC-Rio
> url={userinfo="whatever"}
> print((url.userinfo and false) or true)
true
> url.userinfo=nil
> print((url.userinfo and false) or true)
true

The following patch resolves the issue:

--- a/nselib/http.lua
+++ b/nselib/http.lua
@@ -1479,7 +1479,7 @@
   -- Check if there's any credentials in the url
   function (url, host, port)
     -- bail if userinfo is present
-    return ( url.userinfo and false ) or true
+    return not url.userinfo
   end,
 
   -- Check if the location is within the domain or host
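
Review bot: the comment above the changed `return` line ("bail if userinfo is present") should say what counts as present, because `not url.userinfo` refuses any value other than nil or false, including an empty string, which Lua treats as true. If the URL parser can yield an empty userinfo for a location, that redirect is now refused as well; that is the safe direction, but it is worth stating in the comment. A small unit test that calls this rule once with and once without `userinfo` would also have caught the original always-true expression.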

Please let me know if you have any questions or concerns. Otherwise I will commit the patch in a few weeks.

nmap-bot closed this in 17c37b7 Apr 19, 2017
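
The failure mode reported above, as an added example (not code from Nmap or from the issue author): it runs the original and the patched rule through a fail-closed rule list and counts where each one disagrees with the intended policy. The runner `redirect_allowed`, the helper `run` and the sample URL tables are hypothetical and constructed for illustration.

```lua
-- Added illustration; not Nmap's code. All names below are hypothetical.

-- Rule as originally written. (x and false) is always false or nil,
-- so the trailing "or true" wins every time: the check fails open.
local function rule_broken(url)
  return (url.userinfo and false) or true
end

-- Rule as patched in the issue.
local function rule_fixed(url)
  return not url.userinfo
end

-- Hypothetical runner: a redirect is followed only if every rule agrees.
local function redirect_allowed(rules, url)
  for _, rule in ipairs(rules) do
    if not rule(url) then return false end
  end
  return true
end

-- Constructed inputs shaped like parsed URLs. An empty string is truthy
-- in Lua, so an empty userinfo counts as "present" for the patched rule.
local samples = {
  { name = "no userinfo",    url = { host = "example.test" },                   expect = true  },
  { name = "user:pass",      url = { host = "example.test", userinfo = "u:p" }, expect = false },
  { name = "empty userinfo", url = { host = "example.test", userinfo = "" },    expect = false },
}

-- Runs one rule over every sample and returns how many verdicts are wrong.
local function run(label, rule)
  local failures = 0
  for _, s in ipairs(samples) do
    local got = redirect_allowed({ rule }, s.url)
    if got ~= s.expect then failures = failures + 1 end
    print(string.format("%-7s %-15s allowed=%-5s expected=%s",
      label, s.name, tostring(got), tostring(s.expect)))
  end
  return failures
end

local broken_failures = run("broken", rule_broken)
local fixed_failures = run("fixed", rule_fixed)
assert(broken_failures == 2, "broken rule should allow both userinfo cases")
assert(fixed_failures == 0, "patched rule should match every expectation")
```

The same trap applies to any `cond and A or B` expression in Lua where `A` can be false or nil; an explicit `if` or a plain boolean expression avoids it.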
