mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-20 23:49:30 +01:00
Fix for non compliant DNS PTR records
This commit addresses two bugs: #1506 and #1508. First, the variable rDNS can contain multiple lines due to multiple PTR DNS records, though this is not recommended. In those cases the multiple PTR DNS were concatenated on the screen, without any blank. Secondly - depending on the name server entries and on the output of the DNS binaries used it can contain non-printable characters or characters which are printable but later on interpreted on the output device (\032 was mentioned in #1506) which on the screen was interpreted as octal 32 (decimal 26 = ▒, try echo "\032"), so basically a terminal escape sequence was smuggled from the DNS server to the screen of the users. In JSON pretty output we had also this escape sequence which was fine for jsonlint but caused jq to hiccup. Fix: we use a loop to check for each FQDN returned. There we remove chars which under those circumstances can show up. The blacklist is taken from RFC 1912 ("Allowable characters in a label for a host name are only ASCII, letters, digits, and the `-' character").
This commit is contained in:
parent
f01c1196c0
commit
b81c409135
15
testssl.sh
15
testssl.sh
@ -19209,7 +19209,7 @@ determine_ip_addresses() {
|
|||||||
|
|
||||||
determine_rdns() {
|
determine_rdns() {
|
||||||
local saved_openssl_conf="$OPENSSL_CONF"
|
local saved_openssl_conf="$OPENSSL_CONF"
|
||||||
local nodeip=""
|
local nodeip="" rdns="" line=""
|
||||||
|
|
||||||
[[ -n "$NODNS" ]] && rDNS="(instructed to minimize DNS queries)" && return 0 # PTR records were not asked for
|
[[ -n "$NODNS" ]] && rDNS="(instructed to minimize DNS queries)" && return 0 # PTR records were not asked for
|
||||||
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
|
local nodeip="$(tr -d '[]' <<< $NODEIP)" # for DNS we do not need the square brackets of IPv6 addresses
|
||||||
@ -19231,10 +19231,15 @@ determine_rdns() {
|
|||||||
rDNS=$(strip_lf "$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')")
|
rDNS=$(strip_lf "$(nslookup -type=PTR $nodeip 2>/dev/null | grep -v 'canonical name =' | grep 'name = ' | awk '{ print $NF }' | sed 's/\.$//')")
|
||||||
fi
|
fi
|
||||||
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
OPENSSL_CONF="$saved_openssl_conf" # see https://github.com/drwetter/testssl.sh/issues/134
|
||||||
rDNS="$(echo $rDNS)"
|
# First, rDNS can contain multilines due to multiple PTR DNS records, though this is not recommended.
|
||||||
# remove chars which under weird circumstances can show up here
|
# So we use a loop to check for each FQDN returned. There we remove chars which under weird
|
||||||
rDNS=${rDNS// /}
|
# circumstances (see #1506) can show up here. The blacklist is taken from RFC 1912 ("Allowable characters in a
|
||||||
rDNS=${rDNS//;/}
|
# label for a host name are only ASCII, letters, digits, and the `-' character")
|
||||||
|
while read -r line; do
|
||||||
|
line="$(tr -dc '[a-zA-Z0-9-_.]' <<< "$line")"
|
||||||
|
[[ -z "$rdns" ]] && rdns="$line" || rdns="$rdns $line"
|
||||||
|
done <<< "$rDNS"
|
||||||
|
rDNS="$rdns"
|
||||||
[[ -z "$rDNS" ]] && rDNS="--"
|
[[ -z "$rDNS" ]] && rDNS="--"
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user