Here are some things I stumbled over during a recent review of
Nessus plugins.

CRLF in some scripts. Grep is your friend. :)

Ugly "staircase effect" in (re)formatted text. Look at
redhat-RHSA-2002-289.nasl for a subtle example ("fix"
on the 2nd line of the text).

The list of evil format strings in http_header_name_format_string.nasl,
http_header_value_format_string.nasl et al. should probably be put into
a shared .inc.

"Avisory is copyright" in gentoo_*.nasl.

rand() is not a safe way to make temporary filenames.

Stupid summaries of redhat-RHSA-*.nasl scripts for multi-package
updates. For instance: redhat-RHSA-2002-121.nasl's summary talks about
arpwatch even if the "primary" package of the set is tcpdump.

Improper "stemming" of package names in redhat-RHSA-*.nasl. E.g.:
redhat-RHSA-2003-246.nasl checks "wu-" rather than "wu-ftpd".

A strange inconsistency: smtp/PORT/real_banner vs www/real_banner/PORT.

pread() arguments with embedded apostrophes or quotation marks in
ssh_get_info.nasl look suspicious.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
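
The package-name "stemming" problem noted in the message above, as an added illustration that is not part of the original message and is not Nessus code: a prefix test on "wu-" also matches unrelated packages, while splitting name-version-release and comparing the whole name does not. The package list, the fixed version and the simplified version comparison are constructed assumptions.

```python
import re

# Constructed sample data (not taken from any advisory or real host).
INSTALLED = ["wu-ftpd-2.6.1-16", "wu-tools-1.0-1", "tcpdump-3.6.2-12"]
FIXED = "wu-ftpd-2.6.2-11"  # placeholder for the fixed package build


def split_nvr(pkg):
    """Split 'name-version-release'; the name itself may contain hyphens."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def _segments(s):
    # Simplified rpm-style ordering: digit runs are numbers, letter runs text.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def older(a, b):
    """True if version (or release) string a sorts before b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return isinstance(y, int)  # a numeric segment counts as newer
        return x < y
    return len(sa) < len(sb)


def flagged(installed, fixed, match):
    """Packages selected by match(pkg, name) that are older than `fixed`."""
    _, fv, fr = split_nvr(fixed)
    hits = []
    for pkg in installed:
        name, v, r = split_nvr(pkg)
        same_version = _segments(v) == _segments(fv)
        if match(pkg, name) and (older(v, fv) or (same_version and older(r, fr))):
            hits.append(pkg)
    return hits


if __name__ == "__main__":
    # Prefix "stem": also reports the unrelated wu-tools package.
    print(flagged(INSTALLED, FIXED, lambda pkg, name: pkg.startswith("wu-")))
    # Full package name: reports only the package the advisory is about.
    print(flagged(INSTALLED, FIXED, lambda pkg, name: name == "wu-ftpd"))
```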