Robustness + IDN improvements

This PR adds quotes to a few arguments which weren't needed as long as the
previous code was executed properly.

Also it improves the IDN code from @teward, so that when idn2 is
available, a conversion will be tried, and when idn is available
and/or idn2 failed, a conversion will be tried.

Finally it'll be tried to continue without conversion, hoping that
the DNS client binaries can cope with the IDN URI.

This is not good enough yet and needs to be complemented, see discussion
@ #1321.
This commit is contained in:
Dirk Wetter 2019-09-19 13:36:53 +02:00
parent 1276c6754d
commit 837c246173


@ -17357,11 +17357,14 @@ filter_ip4_address() {
done done
} }
# For security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
# arg1 is the entry we want to look up in the host file
get_local_aaaa() { get_local_aaaa() {
local ip6="" local ip6=""
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution [[ -z "$1" ]] && echo "" && return 1
# Also multiple records should work fine
ip6=$(grep -wih "$1" $etchosts 2>/dev/null | grep ':' | grep -Ev '^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }') ip6=$(grep -wih "$1" $etchosts 2>/dev/null | grep ':' | grep -Ev '^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }')
if is_ipv6addr "$ip6"; then if is_ipv6addr "$ip6"; then
echo "$ip6" echo "$ip6"
@ -17369,12 +17372,10 @@ get_local_aaaa() {
echo "" echo ""
fi fi
} }
get_local_a() { get_local_a() {
local ip4="" local ip4=""
local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts" local etchosts="/etc/hosts /c/Windows/System32/drivers/etc/hosts"
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
ip4=$(grep -wih "$1" $etchosts 2>/dev/null | grep -Ev ':|^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }') ip4=$(grep -wih "$1" $etchosts 2>/dev/null | grep -Ev ':|^#|\.local' | grep -Ei "[[:space:]]$1" | awk '{ print $1 }')
if is_ipv4addr "$ip4"; then if is_ipv4addr "$ip4"; then
echo "$ip4" echo "$ip4"
@ -17590,8 +17591,8 @@ determine_ip_addresses() {
local ip4="" local ip4=""
local ip6="" local ip6=""
ip4=$(get_a_record $NODE) ip4="$(get_a_record "$NODE")"
ip6=$(get_aaaa_record $NODE) ip6="$(get_aaaa_record "$NODE")"
IP46ADDRs=$(newline_to_spaces "$ip4 $ip6") IP46ADDRs=$(newline_to_spaces "$ip4 $ip6")
if [[ -n "$CMDLINE_IP" ]]; then if [[ -n "$CMDLINE_IP" ]]; then
@ -17616,16 +17617,16 @@ determine_ip_addresses() {
ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname ip4="$NODE" # only an IPv4 address was supplied as an argument, no hostname
SNI="" # override Server Name Indication as we test the IP only SNI="" # override Server Name Indication as we test the IP only
else else
ip4=$(get_local_a $NODE) # is there a local host entry? ip4=$(get_local_a "$NODE") # is there a local host entry?
if [[ -z $ip4 ]]; then # empty: no (LOCAL_A is predefined as false) if [[ -z "$ip4" ]]; then # empty: no (LOCAL_A is predefined as false)
ip4=$(get_a_record $NODE) ip4=$(get_a_record "$NODE")
else else
LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl LOCAL_A=true # we have the ip4 from local host entry and need to signal this to testssl
fi fi
# same now for ipv6 # same now for ipv6
ip6=$(get_local_aaaa $NODE) ip6=$(get_local_aaaa "$NODE")
if [[ -z $ip6 ]]; then if [[ -z "$ip6" ]]; then
ip6=$(get_aaaa_record $NODE) ip6=$(get_aaaa_record "$NODE")
else else
LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl LOCAL_AAAA=true # we have a local ipv6 entry and need to signal this to testssl
fi fi
@ -19364,12 +19365,26 @@ parse_cmd_line() {
if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! "$do_display_only"; then if [[ -z "$1" ]] && [[ -z "$FNAME" ]] && ! "$do_display_only"; then
fatal "URI missing" $ERR_CMDLINE fatal "URI missing" $ERR_CMDLINE
else else
# left off here is the URI # What is left here is the URI. We check for non-ASCII chars first:
if [[ $1 = *[![:ascii:]]* ]]; then if [[ "$1" == *[![:ascii:]]* ]]; then
if [[ "$(command -v idn)" == "" ]]; then HAS_IDN=false
fatal "URI contains non-ASCII characters, and IDN not available." HAS_IDN2=false
else type -p idn2 &>/dev/null && HAS_IDN=true
URI="$(echo $1 | idn)" type -p idn2 &>/dev/null && HAS_IDN2=true
#ToDo: the user needs to know whether installing libidn(2) could help him here
if "$HAS_IDN2"; then
URI="$(idn2 "$1" 2>/dev/null)"
fi
if "$HAS_IDN" && [[ -z "$URI" ]]; then
URI="$(idn "$1" 2>/dev/null)"
fi
if [[ -z "$URI" ]]; then
# fatal "URI contains non-ASCII characters, and IDN not available."
pr_warning "URI contains non-ASCII characters, and IDN not available or conversion failed."
outln " Trying to continue with not converted URI"
#ToDo: fileout is missing
URI="$1"
fi fi
else else
URI="$1" URI="$1"