mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-12-25 20:23:41 +01:00
Rewrite HOST[:PORT] extraction routine (less sed, more validation).
The HOST[:PORT] extraction routine was written using several calls to sed and a bunch of regex post-processing of the bash $@ array. This replaces that with bash-native array commands, copying $@ into a $PARAMS array, removing the last element into $TARGET, and then passing the remainder to openssl s_client.

This adds validation of the TARGET to ensure that it matches what we expect for a HOST[:PORT]; if a ':' is present, it must be preceded by a hostname and followed by a port number, otherwise :443 is appended. The check to ensure that HOST is not an -option is merged into this as well, since we already test for : at the beginning of the HOST (indicating that only a port was provided).

Additionally, this now defends against an empty string "" being passed as the final option, which could occur if a script calling cipherscan goes awry and starts passing empty values as the target.

top1m may see a slight speed improvement from this commit, as 4 calls to sed are replaced with native bash functions.

Fixes one "SC2086: Double quote to prevent globbing and word splitting.":

    In cipherscan line 1402:
    SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}")
                           ^-- SC2086: Double quote to prevent globbing and word splitting.
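As an added example (not cipherscan's own code), a POSIX sh version of the HOST[:PORT] rules the commit message describes: it peels the final argument off the option list without sed or bash arrays, defaults the port to 443, rejects the empty, option-like and port-only cases, and additionally rejects a trailing ':' with no port. The function names are assumptions, and the inputs in the demo loop are constructed.

```shell
#!/bin/sh
# validate_target HOSTSPEC: prints the normalised HOST:PORT on stdout and
# returns 1 if HOSTSPEC is not a valid HOST[:PORT].  Like the cipherscan
# check it rejects bare IPv6 literals, since the first ':' is taken as the
# host/port separator.
validate_target() {
    t=$1
    case $t in
        '' | -* | :*) return 1 ;;          # empty, looks like an option, or port only
        *:*)
            host=${t%%:*}                  # text before the first ':'
            port=${t#*:}                   # everything after it
            case $port in
                '' | *[!0-9]*) return 1 ;; # "host:" or a non-numeric port (also "a:b:c")
            esac
            [ "$port" -le 65535 ] || return 1
            ;;
        *) host=$t; port=443 ;;            # no port given: default to https
    esac
    printf '%s:%s\n' "$host" "$port"
}

# last_arg ARGS...: the final positional parameter, i.e. what the patch
# stores in TARGET via ${PARAMS[-1]}, but without bash-only negative indices.
last_arg() {
    [ $# -ge 1 ] || return 1
    eval "printf '%s\n' \"\${$#}\""
}

# all_but_last ARGS...: every argument except the final one, one per line,
# so each option survives intact instead of being re-joined into one string.
all_but_last() {
    while [ $# -gt 1 ]; do printf '%s\n' "$1"; shift; done
}

# Demo over constructed inputs; the rejected ones print "invalid".
for spec in example.com mail.example.com:25 '' -starttls :443 'host:' host:4a3 host:70000; do
    printf '%-22s -> ' "'$spec'"
    validate_target "$spec" || echo invalid
done
```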
This commit is contained in:
parent d81ee1c801
commit 097bd0c43b
24
cipherscan
@ -1355,27 +1355,21 @@ if (( $# < 1 )); then
exit 1
fi

TEMPTARGET=$(sed -e 's/^.* //'<<<"${@}")
HOST=$(sed -e 's/:.*//'<<<"${TEMPTARGET}")
PORT=$(sed -e 's/.*://'<<<"${TEMPTARGET}")

# Default to https if no port given
if [[ "$HOST" = "$PORT" ]]; then
PORT=443
fi
PARAMS=("$@")
TARGET=${PARAMS[-1]}
unset PARAMS[-1]

# Refuse to proceed if the hostname starts with a hyphen, since hostnames can't
# begin with a hyphen and this likely means we accidentally parsed an option as
# a hostname.
if [[ $HOST =~ ^- ]]; then
echo "The final argument '$TEMPTARGET' begins with a hyphen '-', which is not a valid HOST[:PORT]." 1>&2
if [[ -z $TARGET || $TARGET =~ ^[-:] || $TARGET =~ :.*[^0-9] ]]; then
echo "The final argument '$TARGET' is not a valid HOST[:PORT]." 1>&2
exit 1
fi
if ! [[ $TARGET =~ : ]]; then
TARGET="${TARGET}:443"
fi

debug "host: $HOST"
debug "Port: $PORT"

TARGET=$HOST:$PORT
debug "target: $TARGET"

# test our openssl is usable
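Review bot: the new check `if [[ -z $TARGET || $TARGET =~ ^[-:] || $TARGET =~ :.*[^0-9] ]]` still accepts a target with a trailing colon and no port, such as `host:`. `:.*[^0-9]` needs a non-digit somewhere after the colon, so an empty port passes, and the following `if ! [[ $TARGET =~ : ]]` then skips the `:443` default, leaving `host:` to be handed to s_client. A single positive match such as `[[ $TARGET =~ ^[^-:][^:]*(:[0-9]+)?$ ]]` covers the empty, option-like, port-only, non-numeric and missing-port cases in one expression (it rejects bare IPv6 literals, as the current regex does). Two smaller points: `unset PARAMS[-1]` should be quoted as `unset 'PARAMS[-1]'` so that `[-1]` is not expanded as a glob if a matching file exists in the working directory, and negative array subscripts require bash 4.2 or later (4.3 for `unset`), so the script will no longer run under the bash 3.2 that ships with macOS.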
@ -1399,7 +1393,7 @@ if [[ $VERBOSE != 0 ]] ; then
$OPENSSLBIN ciphers ALL 2>/dev/null
fi

SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}")
SCLIENTARGS="${PARAMS[*]}"
debug "sclientargs: $SCLIENTARGS"

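Review bot: `SCLIENTARGS="${PARAMS[*]}"` flattens the array back into one whitespace-joined string, so an option value containing a space is split again wherever `$SCLIENTARGS` is later expanded unquoted (the same word-splitting class as the SC2086 this commit fixes), and collapses into a single argument if it is expanded quoted. Since the remaining arguments are already in an array, passing `"${PARAMS[@]}"` directly at the s_client call site, or keeping `SCLIENTARGS=("${PARAMS[@]}")` as an array and expanding it as `"${SCLIENTARGS[@]}"`, preserves each argument exactly; `${PARAMS[*]}` is fine for the `debug` line only.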