From acf48977c25ed57ee106901dcf246377141e35fd Mon Sep 17 00:00:00 2001 From: David Cooper Date: Thu, 13 Feb 2025 14:21:26 -0800 Subject: [PATCH] Fix pattern matches This commit fixes three lines of code that use Bash substring matching. In each case, a list of strings to match was enclosed in brackets. This resulted in a match if the string to test contained any character from any of the strings to match. This commit fixes the issue by removing the brackets. (The bugs were introduced in https://github.com/testssl/testssl.sh/commit/b8e9b09ca78832b1608dbce48305e65762368a0d and https://github.com/testssl/testssl.sh/commit/8149c2d5cf56d9874c91923e236b9feb5264b88b) --- testssl.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/testssl.sh b/testssl.sh index 038fd72..0015cba 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3370,7 +3370,7 @@ run_cookie_flags() { # ARG1: Path fi if [[ ! "$HTTP_STATUS_CODE" =~ 20 ]]; then - if [[ "$HTTP_STATUS_CODE" =~ [301|302] ]]; then + if [[ "$HTTP_STATUS_CODE" =~ 301|302 ]]; then msg302=" -- maybe better try target URL of 30x" msg302_=" (30x detected, better try target URL of 30x)" else @@ -11312,7 +11312,7 @@ run_npn() { fileout "$jsonID" "INFO" "not offered" else # now comes a strange thing: "Protocols advertised by server:" is empty but connection succeeded - if [[ "$tmpstr" =~ [h2|spdy|http] ]]; then + if [[ "$tmpstr" =~ h2|spdy|http ]]; then out "$tmpstr" outln " (advertised)" fileout "$jsonID" "INFO" "offered with $tmpstr (advertised)" @@ -16854,7 +16854,7 @@ run_ccs_injection(){ fileout "$jsonID" "OK" "not vulnerable" "$cve" "$cwe" fi elif [[ "${tls_hello_ascii:0:4}" == "1503" ]]; then - if [[ ! "${tls_hello_ascii:5:2}" =~ [03|02|01|00] ]]; then + if [[ ! "${tls_hello_ascii:5:2}" =~ 03|02|01|00 ]]; then pr_warning "test failed " out "no proper TLS reply (debug info: protocol sent: 1503${tls_hexcode#x03, x}, reply: ${tls_hello_ascii:0:14}" fileout "$jsonID" "DEBUG" "test failed, around line $LINENO, debug info (${tls_hello_ascii:0:14})" "$cve" "$cwe" "$hint"