It appears many existing NASL scripts use string() to concatenate strings.
Just grep them for ``[^_]string\([^)]*,'' and you'll see. But this is
wrong! string() interprets escape sequences (namely \n) in its parameters,
ergo the result of
x = "\n";
y = string(x, x);
will be two newlines in y, not "\n\n". Fortunately, in most cases,
backslashes are quite unlikely to appear in the values being passed to
string(); nevertheless, there are some scripts where more or less serious
problems might happen--here is an incomplete list:
NDS_Object_Enum.nasl X.nasl bftpd_format_string.nasl
cisco_ssh_multiple_vulns.nasl dcetest.nasl (*)
dns_xfer.nasl ftp_glob_overflow.nasl logins.nasl
netbios_name_get.nasl silverstream_database.nasl
smb_enum_services.nasl smb_reg_hklm.nasl snmp_vacm.nasl
webmirror.nasl smb_nt.inc
(*) dcetest.nasl is completely broken, I am rewriting it from scratch
--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
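The escape-interpretation hazard described in the post above, as an added example that is not part of the original message or of any NASL script: a small Python model of a string() that interprets backslash escapes in its already-evaluated arguments, beside a plain concatenation that does not, plus the grep from the post as executable code run over a few constructed NASL lines. The set of escape sequences (\n, \t, \r, \\, \") and the name nasl_strcat for the non-interpreting alternative are assumptions for illustration; the NASL input is constructed, not taken from any real script.

```python
import re

# Escape sequences the model string() interprets (assumption for illustration).
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}


def nasl_string(*args):
    """Model of NASL string(): join the arguments, then interpret backslash
    escapes in the *values*, which is exactly what the post warns about."""
    raw = "".join(str(a) for a in args)
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in _ESCAPES:
            out.append(_ESCAPES[raw[i + 1]])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def nasl_strcat(*args):
    """Model of a non-interpreting concatenation (strcat / +): bytes untouched."""
    return "".join(str(a) for a in args)


# The post's grep, `[^_]string\([^)]*,`, written as a lookbehind so that a
# call at the start of a line is also found; raw_string( is still excluded.
MULTI_ARG_STRING = re.compile(r"(?<![_A-Za-z0-9])string\([^)]*,")


def find_risky_string_calls(lines):
    """Return (line number, text) for every multi-argument string() call,
    i.e. every place where a concatenation might silently mangle backslashes."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1)
            if MULTI_ARG_STRING.search(line)]


# Constructed NASL lines for the demonstration (the "\\" below puts a literal
# backslash into the text, as a double-quoted NASL string literal would).
SAMPLE_NASL = """\
x = "\\n";
y = string(x, x);
z = strcat(x, x);
req = string("GET ", path, " HTTP/1.0\\r\\n\\r\\n");
s = raw_string(0x00, 0x01);
msg = string("done");
"""


if __name__ == "__main__":
    x = "\\n"                       # the two characters backslash, n
    print(repr(nasl_string(x, x)))  # two real newlines
    print(repr(nasl_strcat(x, x)))  # the four characters \n\n, unchanged
    # A host-supplied value with backslashes (e.g. a Windows path) is where
    # this turns from cosmetic into a real bug:
    print(repr(nasl_string("C:\\temp\\new")))
    for n, text in find_risky_string_calls(SAMPLE_NASL.splitlines()):
        print(f"line {n}: {text}")
```

Only lines 2 and 4 of the constructed sample are reported: strcat() and raw_string() are not matched, and the single-argument string("done") carries no comma. The path example shows the practical failure mode for the SMB and registry scripts named in the post: "C:\temp\new" comes back with a tab and a newline in place of "\t" and "\n".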