NSE: http.identify_404 - change to not follow redirects #251
This PR changes http.identify_404 so that it no longer follows HTTP redirects, which caused false positives and other unexpected behavior. The PR also changes calls to this function in certain scripts to be more standardized and return nil instead of false.
http.identify_404 is a function that can be used to determine how an HTTP server responds to unknown pages. It can be used, for example, to detect when an HTTP server responds 200 OK to everything, which can break a script if it is merely checking the status code when requesting something like /MyAppsSpecialPage.
http.identify_404 follows HTTP redirects, which may result in unexpected behavior. I noticed this while testing some changes to a script against an Ethernet switch that generates a 302 redirect
Relevant code is at line 2476 in nselib/http.lua
The key change is in the last line:
A review of the scripts where identify_404 is being used did not find any place where it looked like following redirects would be desirable.
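An added example, not part of the PR and not Nmap's http.lua code: a small Python model of the unknown-page baselining described above, run against two constructed servers (one that answers 200 OK to everything, one that redirects every unknown path to a login page). All function names, paths, bodies and the simplified `page_exists` rule are assumptions of this model; it shows how the recorded baseline changes when the probe follows redirects.

```python
# Added illustration: a model of "unknown page" baselining, not Nmap's http.lua.
# All servers, paths and bodies below are constructed sample data.
REDIRECTS = {301, 302, 303, 307, 308}

def catch_all_200(path):
    # Constructed server that answers 200 OK to every path.
    return 200, None, "<html>Welcome</html>"

def switch(path):
    # Constructed device: every path except the login page gets a 302 to it.
    if path == "/login.html":
        return 200, None, "<html>Please log in</html>"
    return 302, "/login.html", ""

def fetch(server, path, follow_redirects, max_hops=5):
    """Return (status, body), optionally chasing Location headers."""
    status, location, body = server(path)
    while follow_redirects and status in REDIRECTS and location and max_hops > 0:
        status, location, body = server(location)
        max_hops -= 1
    return status, body

def baseline(server, follow_redirects):
    """Record how the server answers a path that cannot exist."""
    return fetch(server, "/constructed-nonexistent-7f3a91", follow_redirects)

def page_exists(response, base):
    """Simplified rule (an assumption of this model): a page exists only if
    it returns 200 and is distinguishable from the unknown-page baseline."""
    status, body = response
    base_status, base_body = base
    if status != 200:
        return False
    return base_status != 200 or body != base_body

def naive_exists(response):
    """Status-only check, the pattern the baseline protects against."""
    return response[0] == 200

if __name__ == "__main__":
    probe = fetch(catch_all_200, "/MyAppsSpecialPage", False)
    print("catch-all, status-only:", naive_exists(probe))
    print("catch-all, baselined:  ", page_exists(probe, baseline(catch_all_200, False)))
    login = fetch(switch, "/login.html", False)
    for follow in (True, False):
        base = baseline(switch, follow)
        print("switch, follow =", follow, "baseline:", base,
              "login page exists:", page_exists(login, base))
```

In this model, the baseline taken with redirects followed is the login page itself, so the real login page becomes indistinguishable from an unknown page; the baseline taken without following redirects records the server's own 302 answer.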