FIX #694 for 2.8: (CSP and other HTTP header friends were cut off @ last colon)

2025-01-11 03:00:57 +01:00 · 2017-04-05 14:56:18 +02:00 · 2017-04-05 14:56:18 +02:00 · 3fba2564df
commit 3fba2564df
parent c99fd7f37e
1 changed files with 21 additions and 14 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -510,9 +510,14 @@ strip_spaces() {
     echo "${1// /}"
 }

-trim_trailing_space() {
-     echo "${1%%*( )}"
+# https://web.archive.org/web/20121022051228/http://codesnippets.joyent.com/posts/show/1816
+strip_leading_space() {
+     echo "${1#"${1%%[\![:space:]]*}"}"
 }
+strip_trailing_space() {
+     echo "${1%"${1##*[![:space:]]}"}"
+}
+

 if [[ $(uname) == "Linux" ]] ; then
     toupper() { echo -n "${1^^}" ;  }
@ -1051,7 +1056,9 @@ detect_header() {
          HEADERVALUE=""
          return 0
     elif [[ $nr -eq 1 ]]; then
-          HEADERVALUE=$(grep -Faiw "$key:" $HEADERFILE | sed 's/^.*://')
+          HEADERVALUE=$(grep -Faiw "$key:" $HEADERFILE)
+          HEADERVALUE=${HEADERVALUE#*:}                        # remove leading part=key to colon
+          HEADERVALUE="$(strip_leading_space "$HEADERVALUE")"
          return 1
     else
          pr_svrty_medium "misconfiguration: "
@ -1059,14 +1066,14 @@ detect_header() {
          pr_svrty_medium " ${nr}x"
          out " -- checking first one "
          out "\n$spaces"
-          # first awk matches the key, second extracts the from the first line the value, be careful with quotes here!
-          HEADERVALUE=$(grep -Faiw "$key:" $HEADERFILE | sed 's/^.*://' | head -1)
+          HEADERVALUE=$(grep -Faiw "$key:" $HEADERFILE | head -1)
+          HEADERVALUE=${HEADERVALUE#*:}
+          HEADERVALUE="$(strip_leading_space "$HEADERVALUE")"
          [[ $DEBUG -ge 2 ]] && pr_italic "$HEADERVALUE" && out "\n$spaces"
          fileout "$2""_multiple" "WARN" "Multiple $2 headers. Using first header: $HEADERVALUE"
          return $nr
     fi
 }
-# wir brauchen hier eine Funktion, die generell den Header detectiert


 includeSubDomains() {
@ -1593,7 +1600,7 @@ run_more_flags() {
     pr_bold " Security headers             "
     for f2t in $good_flags2test; do
          debugme echo "---> $f2t"
-          detect_header $f2t $f2t
+          detect_header "$f2t" "$f2t"
          if [[ $? -ge 1 ]]; then
               if ! "$first"; then
                    out "$spaces"  # output leading spaces if the first header
@ -1607,7 +1614,7 @@ run_more_flags() {

     for f2t in $other_flags2test; do
          debugme echo "---> $f2t"
-          detect_header $f2t $f2t
+          detect_header "$f2t" "$f2t"
          if [[ $? -ge 1 ]]; then
               if ! "$first"; then
                    out "$spaces"  # output leading spaces if the first header
@ -9198,4 +9205,4 @@ fi
 exit $?


-#  $Id: testssl.sh,v 1.576 2017/04/04 08:03:41 dirkw Exp $
+#  $Id: testssl.sh,v 1.577 2017/04/05 12:56:17 dirkw Exp $