Git/testssl.sh
1
0
Fork 0
mirror of https://github.com/drwetter/testssl.sh.git synced 2025-10-30 21:35:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Finalize proxy support for http_get()

Browse Source 
... for curl, wget and sockets. Tested and worked.

Furthermore: fd_socket() now is a bit more injection safe as
an echo statement was exchange by printf. For possible future
changes fd_socket now also has and arg1 for the file descriptor.
This commit is contained in:
Dirk
2018-08-17 12:23:16 +02:00
parent 7cc584027c
commit ed17797b13
1 changed files with 39 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
testssl.sh
View File

@@ -1399,33 +1399,38 @@ filter_input() {
# Dl's any URL (arg1) via HTTP 1.1 GET from port 80, arg2: file to store http body. # Dl's any URL (arg1) via HTTP 1.1 GET from port 80, arg2: file to store http body.
# Proxy is not honored yet (see cmd line switches) -- except when using curl or wget. # Proxy is not honored yet (see cmd line switches) -- except when using curl or wget.
# There the environment variable is used automatically # There the environment variable is used automatically
# # Currently it is being used by check_revocation_crl() only.
http_get() { http_get() {
local proto z local proto z
local node="" query="" local node="" query=""
local dl="$2" local dl="$2"
local useragent="$UA_STD" local useragent="$UA_STD"
local proxy_arg="" local proxy_arg=""
local jsonID="http_get"
"$SNEAKY" && useragent="$UA_SNEAKY" "$SNEAKY" && useragent="$UA_SNEAKY"
set -x
if type -p curl &>/dev/null; then if type -p curl &>/dev/null; then
if [[ -z "$PROXY" ]]; then if [[ -z "$PROXY" ]]; then
curl -s --noproxy '*' -A $''"$useragent"'' -o $dl "$1" curl -s --noproxy '*' -A $''"$useragent"'' -o $dl "$1"
else else
# If there's a proxy defined, we just use the env variable http_proxy # for the sake of simplicity assume the proxy is using http
#http_proxy hier definieren! curl -s -x $PROXYIP:$PROXYPORT -A $''"$useragent"'' -o $dl "$1"
curl -s -A $''"$useragent"'' -o $dl "$1"
fi fi
return $? return $?
elif type -p wget &>/dev/null; then elif type -p wget &>/dev/null; then
# wget has no proxy command line. We need to use http_proxy instead. And for the sake of simplicity
# assume the GET protocol we query is using http -- http_proxy is the $ENV not for the connection TO
# the proxy, but for the protocol we query THROUGH the proxy
if [[ -z "$PROXY" ]]; then if [[ -z "$PROXY" ]]; then
proxy_arg='--no-proxy' wget --no-proxy -q -U $''"$useragent"'' -O $dl "$1"
#http_proxy hier definieren! else
if [[ -z "$http_proxy" ]]; then
http_proxy=http://$PROXYIP:$PROXYPORT wget -q -U $''"$useragent"'' -O $dl "$1"
else
wget -q -U $''"$useragent"'' -O $dl "$1"
fi
fi fi
# If there's a proxy defined, we just use the env variable http_proxy
wget "$proxy_arg" -q -U $''"$useragent"'' -O $dl "$1"
return $? return $?
else else
# Worst option: slower and hiccups with chunked transfers. Workround for the # Worst option: slower and hiccups with chunked transfers. Workround for the
@@ -1435,31 +1440,34 @@ set -x
proto=${proto%:} proto=${proto%:}
if [[ "$proto" != http ]]; then if [[ "$proto" != http ]]; then
pr_warning "protocol $proto not supported yet" pr_warning "protocol $proto not supported yet"
fileout "$jsonID" "DEBUG" "protocol $proto not supported yet"
return 6 return 6
fi fi
if [[ -n $PROXY ]]; then if [[ -n $PROXY ]]; then
#FIXME: finish proxy support here. fd_socket connects to NODE or NODEIP # PROXYNODE works better than PROXYIP on modern versions of squid. \
# fd_socket || return 6 # We don't reuse the code in fd_socket() as there's initial CONNECT which makes problems
# printf -- "%b" "GET $proto://$node/$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&5 if ! exec 33<> /dev/tcp/${PROXYNODE}/${PROXYPORT}; then
pr_warning "proxying not supported yet" outln
pr_warning "$PROG_NAME: unable to open a socket to proxy $PROXYNODE:$PROXYPORT"
fileout "$jsonID" "DEBUG" "$PROG_NAME: unable to open a socket to proxy $PROXYNODE:$PROXYPORT"
return 6 return 6
else
printf -- "%b" "GET $proto://$node/$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33
fi
else else
IFS=/ read -r proto z node query <<< "$1" IFS=/ read -r proto z node query <<< "$1"
exec 33<>/dev/tcp/$node/80 exec 33<>/dev/tcp/$node/80
printf -- "%b" "GET /$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33 printf -- "%b" "GET /$query HTTP/1.0\r\nUser-Agent: $useragent\r\nHost: $node\r\nAccept: */*\r\n\r\n" >&33
fi fi
# strip HTTP header # Strip HTTP header. When in Debug Mode we leave the raw data in place
if [[ $DEBUG -ge 1 ]]; then if [[ $DEBUG -ge 1 ]]; then
cat <&5 >${dl}.raw cat <&33 >${dl}.raw
cat ${dl}.raw | sed '1,/^[[:space:]]*$/d' >${dl} cat ${dl}.raw | sed '1,/^[[:space:]]*$/d' >${dl}
else else
cat <&5 | sed '1,/^[[:space:]]*$/d' >${dl} cat <&33 | sed '1,/^[[:space:]]*$/d' >${dl}
fi fi
if [[ -n $PROXY ]]; then
close_socket
else
exec 33<&- exec 33<&-
fi exec 33>&-
[[ -s "$dl" ]] && return 0 || return 1 [[ -s "$dl" ]] && return 0 || return 1
fi fi
} }
@@ -1564,9 +1572,9 @@ check_revocation_ocsp() {
grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem || return 0 grep -q "\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-" $TEMPDIR/intermediatecerts.pem || return 0
tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE tmpfile=$TEMPDIR/${NODE}-${NODEIP}.${uri##*\/} || exit $ERR_FCREATE
if [[ -n "$stapled_response" ]]; then if [[ -n "$stapled_response" ]]; then
> "$TEMPDIR/stabled_ocsp_response.dd" > "$TEMPDIR/stapled_ocsp_response.dd"
asciihex_to_binary_file "$stapled_response" "$TEMPDIR/stabled_ocsp_response.dd" asciihex_to_binary_file "$stapled_response" "$TEMPDIR/stapled_ocsp_response.dd"
$OPENSSL ocsp -no_nonce -respin "$TEMPDIR/stabled_ocsp_response.dd" \ $OPENSSL ocsp -no_nonce -respin "$TEMPDIR/stapled_ocsp_response.dd" \
-issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \ -issuer $TEMPDIR/hostcert_issuer.pem -verify_other $TEMPDIR/intermediatecerts.pem \
-CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile" -CAfile <(cat $ADDITIONAL_CA_FILES "$GOOD_CA_BUNDLE") -cert $HOSTCERT -text &> "$tmpfile"
else else
@@ -8948,7 +8956,8 @@ starttls_mysql_dialog() {
return $ret return $ret
} }
# arg for a fd doesn't work here # arg1: fd for socket -- which we don't use as it is a hassle and it is not clear whether it works under every bash version
#
fd_socket() { fd_socket() {
local jabber="" local jabber=""
local proyxline="" local proyxline=""
@@ -8962,9 +8971,9 @@ fd_socket() {
return 6 return 6
fi fi
if "$DNS_VIA_PROXY"; then if "$DNS_VIA_PROXY"; then
printf -- "%b" "CONNECT $NODE:$PORT\r\n" >&5 printf -- "%b" "CONNECT $NODE:$PORT HTTP/1.0\n\n" >&5
else else
printf -- "%b" "CONNECT $nodeip:$PORT\r\n\r\n" >&5 printf -- "%b" "CONNECT $nodeip:$PORT HTTP/1.0\n\n" >&5
fi fi
while true; do while true; do
read -t $PROXY_WAIT -r proyxline <&5 read -t $PROXY_WAIT -r proyxline <&5
@@ -16160,12 +16169,6 @@ check_proxy() {
PROXY="${https_proxy#*\/\/}" PROXY="${https_proxy#*\/\/}"
[[ -z "$PROXY" ]] && PROXY="${http_proxy#*\/\/}" [[ -z "$PROXY" ]] && PROXY="${http_proxy#*\/\/}"
[[ -z "$PROXY" ]] && fatal "you specified \"--proxy=auto\" but \"\$http(s)_proxy\" is empty" $ERR_CMDLINE [[ -z "$PROXY" ]] && fatal "you specified \"--proxy=auto\" but \"\$http(s)_proxy\" is empty" $ERR_CMDLINE
else
# set ENV as we might need it for http_get(). Normalize it to remove protocol
http_proxy="${PROXY/http\:\/\//}"
https_proxy="${PROXY/http\:\/\//}"
export http_proxy=http://${PROXY}
export https_proxy=http://${PROXY}
fi fi
# strip off http/https part if supplied: # strip off http/https part if supplied:
PROXY="${PROXY/http\:\/\//}" PROXY="${PROXY/http\:\/\//}"
@@ -16319,7 +16322,7 @@ determine_service() {
local ua local ua
local protocol local protocol
if ! fd_socket; then # check if we can connect to $NODEIP:$PORT if ! fd_socket 5; then # check if we can connect to $NODEIP:$PORT
if [[ -n "$PROXY" ]]; then if [[ -n "$PROXY" ]]; then
fatal "You're sure $PROXYNODE:$PROXYPORT allows tunneling here? Can't connect to \"$NODEIP:$PORT\"" $ERR_CONNECT fatal "You're sure $PROXYNODE:$PROXYPORT allows tunneling here? Can't connect to \"$NODEIP:$PORT\"" $ERR_CONNECT
else else