pr_url() and pr_boldurl() interpolated their argument directly into
<a href="$1">$1</a> without HTML escaping. The most notable caller
passes the raw HTTP Location: header from the scanned server, so a
malicious HTTPS target could inject arbitrary HTML/JS into an
operator's --htmlfile report. Route both the href attribute and the
link text through the existing html_reserved() escaper, matching the
pattern already used by every other pr_* HTML-output function.
18422: if [[ $tmp_result -eq 1 ]] && [[ loop_reneg -eq 1 ]]; then
19633: [[ aaa == bbb ]] # provoke return code=1
450:TRUSTED1ST="" # Contains the `-trusted_first` flag, if this version of openssl supports it
The latter check be amended/corrected later, so that backticks in comments are allowed.
Staring with a simple pattern for checking for non-variables at left hand
side like [[ LHS == $value ]]. The file is supposed be amended in the future.
This fixes#3074 .
Upon commit it fails first as there are two instances which will be detected
(one is deliberate but will be changed too) .
When scanning hosts which offer only TLS 1.3 under some circumstances (e.g. using
MacOS) the scan stopped and prompted the user . It happened always when $OPENSSL
supported TLS 1.3. It did not when this was not the case.
This fixes that (see #3083) for 3.3dev by just skipping the rest in determine_optimal_proto()
when TLS13_ONLY is true.
Also it fixes missing line feeds for servoce detecttion and order in which DNS HTTPS
RR are displayed.
[BUG / possible BUG] Inverted return check in sym-encrypt() at testssl.sh:14741 makes the function return error 7 on every success. The tm_out line at testssl.sh:14743 is unreachable.
#3079
... also improve error handling by adding return values in
*https_rr functions.
The error for ~Macs occured because for interpretation of
raw TYPE65 DNS data it was just 1 returned instead of 0
--for empty records.
... which is initialized with "initt" to distinguish between not being tested yet and no value.
We only display the value once per $NODE for the first IP address being tested.
HTTPS_RR doesn't have to be reset in reset_hostdepended_vars()
Few comments were added / indentation fixed (not relevant to this PR)
- AI generated code becomes more important, so we add a new section (albeit bash support is not really as good as for other languages).
- streamlined comment, which is a comment