From 37dbe14def493da61a07bc6168fb81ea4aa4ae5d Mon Sep 17 00:00:00 2001 From: David Cooper Date: Mon, 10 Feb 2020 11:20:40 -0500 Subject: [PATCH] Fix printing percent characters As noted in #1481, testssl.sh has a problem with printing percent ('%') characters. At one point, the function out() was implemented as `/usr/bin/printf -- "${1//%/%%}"`. When this was the case, any '%' needed to be replaced with '%%' since '$1' was being used as the format string. This was changed, however, by https://github.com/drwetter/testssl.sh/commit/8a2fe5915a8d4f70ba423f98eff02a6646935aa9. Since the format string is now "%b" rather than '$1', the replacement is not needed anymore. Instead, the replacement now causes any '%' to be printed to be duplicated. This problem does not happen very often, but does sometimes occur when a '%' character appears in a URI, such as in an HTTP redirect, a certificate revocation list, or an OCSP URI. --- testssl.sh | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/testssl.sh b/testssl.sh index 4b8c463..9f7c40c 100755 --- a/testssl.sh +++ b/testssl.sh @@ -501,17 +501,16 @@ html_reserved(){ html_out() { "$do_html" || return 0 - [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "${1//%/%%}" >> "$HTMLFILE" - # here and other printf's: a little bit of sanitizing with bash internal search&replace -- otherwise printf will hiccup at '%'. '--' and %b do the rest. + [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "$1" >> "$HTMLFILE" } # This is intentionally the same. -safe_echo() { printf -- "%b" "${1//%/%%}"; } -tm_out() { printf -- "%b" "${1//%/%%}"; } -tmln_out() { printf -- "%b" "${1//%/%%}\n"; } +safe_echo() { printf -- "%b" "$1"; } +tm_out() { printf -- "%b" "$1"; } +tmln_out() { printf -- "%b" "$1\n"; } -out() { printf -- "%b" "${1//%/%%}"; html_out "$(html_reserved "$1")"; } -outln() { printf -- "%b" "${1//%/%%}\n"; html_out "$(html_reserved "$1")\n"; } +out() { printf -- "%b" "$1"; html_out "$(html_reserved "$1")"; } +outln() { printf -- "%b" "$1\n"; html_out "$(html_reserved "$1")\n"; } #TODO: Still no shell injection safe but if just run it from the cmd line: that's fine