- sanitize '%' in general output function, avoids hiccups in url encoded strings
- FIX #178 (Security headers: only key in green, not value) - CSP rule for facebook has 127.0.0.1 which is labeled as an IP address
This commit is contained in:
parent
87cef93b6c
commit
6baf5e377c
39
testssl.sh
39
testssl.sh
@ -86,7 +86,6 @@ date --help >/dev/null 2>&1 && \
|
|||||||
echo A | sed -E 's/A//' >/dev/null 2>&1 && \
|
echo A | sed -E 's/A//' >/dev/null 2>&1 && \
|
||||||
readonly HAS_SED_E=true || \
|
readonly HAS_SED_E=true || \
|
||||||
readonly HAS_SED_E=false
|
readonly HAS_SED_E=false
|
||||||
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
|
|
||||||
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
|
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
|
||||||
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
|
||||||
|
|
||||||
@ -247,12 +246,12 @@ readonly SSLv2_CLIENT_HELLO="
|
|||||||
|
|
||||||
|
|
||||||
###### output functions ######
|
###### output functions ######
|
||||||
|
# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest.
|
||||||
out() { $ECHO "$1"; }
|
out() { /usr/bin/printf -- "${1//%/%%}"; }
|
||||||
outln() { [[ -z "$1" ]] || $ECHO "$1"; $ECHO "\n"; }
|
outln() { out "$1\n"; }
|
||||||
|
#TODO: Still no shell injection safe but if just run it from the cmd line: that's fine
|
||||||
|
|
||||||
# color print functions, see also http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x329.html
|
# color print functions, see also http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x329.html
|
||||||
|
|
||||||
pr_liteblue() { [[ "$COLOR" -eq 2 ]] && out "\033[0;34m$1" || out "$1"; pr_off; }
|
pr_liteblue() { [[ "$COLOR" -eq 2 ]] && out "\033[0;34m$1" || out "$1"; pr_off; }
|
||||||
pr_liteblueln() { pr_liteblue "$1"; outln; }
|
pr_liteblueln() { pr_liteblue "$1"; outln; }
|
||||||
pr_blue() { [[ "$COLOR" -eq 2 ]] && out "\033[1;34m$1" || out "$1"; pr_off; }
|
pr_blue() { [[ "$COLOR" -eq 2 ]] && out "\033[1;34m$1" || out "$1"; pr_off; }
|
||||||
@ -580,9 +579,9 @@ detect_ipv4() {
|
|||||||
http_header "$1" || return 3
|
http_header "$1" || return 3
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# remove pagespeed header first as it is mistakenly identified as ipv4 address
|
# remove pagespeed header as it is mistakenly identified as ipv4 address https://github.com/drwetter/testssl.sh/issues/158
|
||||||
# https://github.com/drwetter/testssl.sh/issues/158
|
# also facebook has a CSP rule for 127.0.0.1
|
||||||
if egrep -vi "pagespeed|page-speed" $HEADERFILE | grep -iqE $ipv4address; then
|
if egrep -vi "pagespeed|page-speed|Content-Security-Policy" $HEADERFILE | grep -iqE $ipv4address; then
|
||||||
pr_bold " IPv4 address in header "
|
pr_bold " IPv4 address in header "
|
||||||
cat $HEADERFILE | while read line; do
|
cat $HEADERFILE | while read line; do
|
||||||
result="$(echo -n "$line" | grep -E $ipv4address)"
|
result="$(echo -n "$line" | grep -E $ipv4address)"
|
||||||
@ -594,8 +593,7 @@ detect_ipv4() {
|
|||||||
else
|
else
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
# a little bit of sanitzing, otherwise printf will hiccup @ %
|
pr_litered "$result"
|
||||||
pr_litered "$(echo $result|sed 's/%/%%/g')"
|
|
||||||
outln "$your_ip_msg"
|
outln "$your_ip_msg"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
@ -897,6 +895,7 @@ run_more_flags() {
|
|||||||
outln "--"
|
outln "--"
|
||||||
ret=1
|
ret=1
|
||||||
else
|
else
|
||||||
|
#set -x
|
||||||
ret=0
|
ret=0
|
||||||
for f2t in $good_flags2test; do
|
for f2t in $good_flags2test; do
|
||||||
debugme echo "---> $f2t"
|
debugme echo "---> $f2t"
|
||||||
@ -908,13 +907,12 @@ run_more_flags() {
|
|||||||
else
|
else
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
#if [ $(echo "$result_str" | wc -l | sed 's/ //g') -eq 1 ]; then
|
# extract and print key(=flag) in green:
|
||||||
pr_litegreenln "$result_str"
|
pr_litegreen "${result_str%%:*}:"
|
||||||
#else # for the case we have two times the same header:
|
#pr_litegreen "$(sed 's/:.*$/:/' <<< "$result_str")"
|
||||||
# exchange the line feeds between the two lines only:
|
# print value in plain text:
|
||||||
#pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g'
|
outln "${result_str#*:}"
|
||||||
#pr_litecyanln "<-- double"
|
|
||||||
#fi
|
|
||||||
done
|
done
|
||||||
# now the same with other flags
|
# now the same with other flags
|
||||||
for f2t in $other_flags2test; do
|
for f2t in $other_flags2test; do
|
||||||
@ -925,7 +923,10 @@ run_more_flags() {
|
|||||||
else
|
else
|
||||||
first=false
|
first=false
|
||||||
fi
|
fi
|
||||||
outln "$result_str"
|
# extract and print key(=flag) underlined
|
||||||
|
pr_underline "${result_str%%:*}:"
|
||||||
|
# print value in plain text:
|
||||||
|
outln "${result_str#*:}"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
|
||||||
@ -4722,4 +4723,4 @@ fi
|
|||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.349 2015/08/21 10:43:09 dirkw Exp $
|
# $Id: testssl.sh,v 1.352 2015/08/21 16:10:44 dirkw Exp $
|
||||||
|
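Review bot: The new `out()` still hands `$1` to printf as the format string, so the `${1//%/%%}` substitution neutralizes only `%`; backslash sequences inside server-supplied text (e.g. the `$result` header line that `pr_litered` now prints in detect_ipv4) are still expanded by printf, which is the usual route for terminal escape sequences from a remote host to reach the operator's terminal. Because the colour helpers depend on `\n` and `\033` being expanded, the form that keeps data out of the format is `out() { /usr/bin/printf -- '%b' "$1"; }`: `%b` expands the same escapes but never interprets `%`, so the doubling becomes unnecessary (worth confirming that `\033` is still read as `\0` + `33` under both GNU and BSD printf before switching). Values taken from the peer, such as header lines, are safer printed through `%s` by a separate data-only helper so no escape in them is honoured. The `#TODO: Still no shell injection safe` comment on the new side is too vague to act on; consider `# NOTE: $1 is the printf format, so backslash escapes in remote-supplied text are still interpreted; only '%' is neutralized here` so the remaining exposure is explicit to the next reader.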