- sanitize '%' in general output function, avoids hiccups in url encoded strings

- FIX #178 (Security headers only key in green, not value)
- CSP rule for facebook has 127.0.0.1 which is labeled as IP address
This commit is contained in:
Dirk Wetter 2015-08-21 18:10:45 +02:00
parent 87cef93b6c
commit 6baf5e377c
1 changed files with 20 additions and 19 deletions


@ -86,7 +86,6 @@ date --help >/dev/null 2>&1 && \
echo A | sed -E 's/A//' >/dev/null 2>&1 && \ echo A | sed -E 's/A//' >/dev/null 2>&1 && \
readonly HAS_SED_E=true || \ readonly HAS_SED_E=true || \
readonly HAS_SED_E=false readonly HAS_SED_E=false
readonly ECHO="/usr/bin/printf --" # works under Linux, BSD, MacOS.
TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping TERM_DWITH=${COLUMNS:-$(tput cols)} # for future custom line wrapping
TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line TERM_CURRPOS=0 # ^^^ we also need to find out the length or current pos in the line
@ -247,12 +246,12 @@ readonly SSLv2_CLIENT_HELLO="
###### output functions ###### ###### output functions ######
# a little bit of sanitzing with bash internal search&replace -- otherwise printf will hiccup at '%' and '--' does the rest.
out() { $ECHO "$1"; } out() { /usr/bin/printf -- "${1//%/%%}"; }
outln() { [[ -z "$1" ]] || $ECHO "$1"; $ECHO "\n"; } outln() { out "$1\n"; }
#TODO: Still no shell injection safe but if just run it from the cmd line: that's fine
# color print functions, see also http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x329.html # color print functions, see also http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x329.html
pr_liteblue() { [[ "$COLOR" -eq 2 ]] && out "\033[0;34m$1" || out "$1"; pr_off; } pr_liteblue() { [[ "$COLOR" -eq 2 ]] && out "\033[0;34m$1" || out "$1"; pr_off; }
pr_liteblueln() { pr_liteblue "$1"; outln; } pr_liteblueln() { pr_liteblue "$1"; outln; }
pr_blue() { [[ "$COLOR" -eq 2 ]] && out "\033[1;34m$1" || out "$1"; pr_off; } pr_blue() { [[ "$COLOR" -eq 2 ]] && out "\033[1;34m$1" || out "$1"; pr_off; }
@ -580,9 +579,9 @@ detect_ipv4() {
http_header "$1" || return 3 http_header "$1" || return 3
fi fi
# remove pagespeed header first as it is mistakenly identified as ipv4 address # remove pagespeed header as it is mistakenly identified as ipv4 address https://github.com/drwetter/testssl.sh/issues/158
# https://github.com/drwetter/testssl.sh/issues/158 # also facebook has a CSP rule for 127.0.0.1
if egrep -vi "pagespeed|page-speed" $HEADERFILE | grep -iqE $ipv4address; then if egrep -vi "pagespeed|page-speed|Content-Security-Policy" $HEADERFILE | grep -iqE $ipv4address; then
pr_bold " IPv4 address in header " pr_bold " IPv4 address in header "
cat $HEADERFILE | while read line; do cat $HEADERFILE | while read line; do
result="$(echo -n "$line" | grep -E $ipv4address)" result="$(echo -n "$line" | grep -E $ipv4address)"
@ -594,8 +593,7 @@ detect_ipv4() {
else else
first=false first=false
fi fi
# a little bit of sanitzing, otherwise printf will hiccup @ % pr_litered "$result"
pr_litered "$(echo $result|sed 's/%/%%/g')"
outln "$your_ip_msg" outln "$your_ip_msg"
fi fi
done done
@ -897,6 +895,7 @@ run_more_flags() {
outln "--" outln "--"
ret=1 ret=1
else else
#set -x
ret=0 ret=0
for f2t in $good_flags2test; do for f2t in $good_flags2test; do
debugme echo "---> $f2t" debugme echo "---> $f2t"
@ -908,13 +907,12 @@ run_more_flags() {
else else
first=false first=false
fi fi
#if [ $(echo "$result_str" | wc -l | sed 's/ //g') -eq 1 ]; then # extract and print key(=flag) in green:
pr_litegreenln "$result_str" pr_litegreen "${result_str%%:*}:"
#else # for the case we have two times the same header: #pr_litegreen "$(sed 's/:.*$/:/' <<< "$result_str")"
# exchange the line feeds between the two lines only: # print value in plain text:
#pr_litecyan "double -->" ; echo "$result_str" | tr '\n\r' ' | ' | sed 's/| $//g' outln "${result_str#*:}"
#pr_litecyanln "<-- double"
#fi
done done
# now the same with other flags # now the same with other flags
for f2t in $other_flags2test; do for f2t in $other_flags2test; do
@ -925,7 +923,10 @@ run_more_flags() {
else else
first=false first=false
fi fi
outln "$result_str" # extract and print key(=flag) underlined
pr_underline "${result_str%%:*}:"
# print value in plain text:
outln "${result_str#*:}"
done done
fi fi
#TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall" #TODO: I am not testing for the correctness or anything stupid yet, e.g. "X-Frame-Options: allowall"
@ -4722,4 +4723,4 @@ fi
exit $ret exit $ret
# $Id: testssl.sh,v 1.349 2015/08/21 10:43:09 dirkw Exp $ # $Id: testssl.sh,v 1.352 2015/08/21 16:10:44 dirkw Exp $