Merge pull request #2386 from drwetter/strict_parsing_HSTS
Strict parser for HSTS
This commit is contained in:
commit
765b5855cc
14
testssl.sh
14
testssl.sh
@ -2716,8 +2716,19 @@ run_hsts() {
match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true"
if [[ $? -ne 0 ]]; then
echo "$HEADERVALUE" >$TMPFILE
hsts_age_sec="${HEADERVALUE//[^0-9]/}"
# strict parsing now as suggested in #2381
hsts_age_sec="${HEADERVALUE#*=}"
hsts_age_sec=${hsts_age_sec%%;*}
if [[ $hsts_age_sec =~ \" ]]; then
# remove first an last " in $hsts_age_sec (borrowed from strip_trailing_space/strip_leading_space):
hsts_age_sec=$(printf "%s" "${hsts_age_sec#"${hsts_age_sec%%[!\"]*}"}")
hsts_age_sec=$(printf "%s" "${hsts_age_sec%"${hsts_age_sec##*[!\"]}"}")
fi
debugme echo "hsts_age_sec: $hsts_age_sec"
if ! is_number "$hsts_age_sec"; then
pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
else
if [[ -n $hsts_age_sec ]]; then
hsts_age_days=$(( hsts_age_sec / 86400))
else
@ -2739,6 +2750,7 @@ run_hsts() {
fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
set_grade_cap "A" "HSTS max-age is too short"
fi
fi
if includeSubDomains "$TMPFILE"; then
fileout "${jsonID}_subdomains" "OK" "includes subdomains"
else
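Review bot: The `\'` sequences on the pr_svrty_medium line of the first hunk are not escapes inside double quotes, so bash keeps the backslash and the message is printed as `\'value\'`; a plain single quote does what was intended, `pr_svrty_medium "misconfiguration: '$hsts_age_sec' is not a valid max-age specification"`. Whitespace around the value is also no longer tolerated: a header such as `max-age=31536000 ; includeSubDomains` leaves `31536000 ` (trailing blank) in hsts_age_sec, which the removed `//[^0-9]/` form accepted but is_number presumably rejects, so a usable header would be reported as a misconfiguration; trimming with the strip_leading_space/strip_trailing_space helpers the comment already refers to, before the is_number check, keeps that case valid. Because the digit-only filter is gone, hsts_age_sec now carries arbitrary server-supplied bytes up to the first `;` straight into terminal output, so dropping non-printable characters first, `hsts_age_sec="${hsts_age_sec//[![:print:]]/}"`, seems prudent. The two `$(printf "%s" ...)` wrappers spawn a subshell for no effect; the bare parameter expansions assign the same value. run_hsts begins before the first hunk and continues past the second.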