Merge pull request #2386 from drwetter/strict_parsing_HSTS

Strict parser for HSTS
This commit is contained in:
Dirk Wetter 2023-08-28 19:55:57 +02:00 committed by GitHub
commit 765b5855cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 20 deletions

View File

@ -2716,8 +2716,19 @@ run_hsts() {
match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true"
if [[ $? -ne 0 ]]; then
echo "$HEADERVALUE" >$TMPFILE
hsts_age_sec="${HEADERVALUE//[^0-9]/}"
# strict parsing now as suggested in #2381
hsts_age_sec="${HEADERVALUE#*=}"
hsts_age_sec=${hsts_age_sec%%;*}
if [[ $hsts_age_sec =~ \" ]]; then
# remove first an last " in $hsts_age_sec (borrowed from strip_trailing_space/strip_leading_space):
hsts_age_sec=$(printf "%s" "${hsts_age_sec#"${hsts_age_sec%%[!\"]*}"}")
hsts_age_sec=$(printf "%s" "${hsts_age_sec%"${hsts_age_sec##*[!\"]}"}")
fi
debugme echo "hsts_age_sec: $hsts_age_sec"
if ! is_number "$hsts_age_sec"; then
pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
else
if [[ -n $hsts_age_sec ]]; then
hsts_age_days=$(( hsts_age_sec / 86400))
else
@ -2739,6 +2750,7 @@ run_hsts() {
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
set_grade_cap "A" "HSTS max-age is too short"
fi
fi
if includeSubDomains "$TMPFILE"; then
fileout "${jsonID}_subdomains" "OK" "includes subdomains"
else