mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-22 14:23:41 +01:00

Rewrite HOST[:PORT] extraction routine (less sed, more validation).

The HOST[:PORT] extraction routine was written using several calls to
sed and a bunch of regex post-processing of the bash $@ array.

This replaces that with bash-native array commands, copying $@ into
a $PARAMS array, removing the last element into $TARGET, and then
passing the remainder to openssl s_client.

This adds validation of the TARGET to ensure that it matches what we
expect for a HOST[:PORT]; if a ':' is present, it must be preceded by a
hostname and followed by a port number, otherwise :443 is appended.

The check to ensure that HOST is not an -option is merged into this as
well, since we already test for : at the beginning of the HOST
(indicating that only a port was provided).

Additionally, this now defends against an empty string "" being passed
as the final option, which could occur if a script calling cipherscan
goes awry and starts passing empty values as the target.

top1m may see a slight speed improvement from this commit, as 4 calls to
sed are replaced with native bash functions.

Fixes one "SC2086: Double quote to prevent globbing and word splitting.":

In cipherscan line 1402:
SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}")
                       ^-- SC2086: Double quote to prevent globbing and
                       word splitting.
Richard Soderberg 2015-09-05 01:36:50 -07:00
parent d81ee1c801
commit 097bd0c43b


@ -1355,27 +1355,21 @@ if (( $# < 1 )); then
exit 1 exit 1
fi fi
TEMPTARGET=$(sed -e 's/^.* //'<<<"${@}") PARAMS=("$@")
HOST=$(sed -e 's/:.*//'<<<"${TEMPTARGET}") TARGET=${PARAMS[-1]}
PORT=$(sed -e 's/.*://'<<<"${TEMPTARGET}") unset PARAMS[-1]
# Default to https if no port given
if [[ "$HOST" = "$PORT" ]]; then
PORT=443
fi
# Refuse to proceed if the hostname starts with a hyphen, since hostnames can't # Refuse to proceed if the hostname starts with a hyphen, since hostnames can't
# begin with a hyphen and this likely means we accidentally parsed an option as # begin with a hyphen and this likely means we accidentally parsed an option as
# a hostname. # a hostname.
if [[ $HOST =~ ^- ]]; then if [[ -z $TARGET || $TARGET =~ ^[-:] || $TARGET =~ :.*[^0-9] ]]; then
echo "The final argument '$TEMPTARGET' begins with a hyphen '-', which is not a valid HOST[:PORT]." 1>&2 echo "The final argument '$TARGET' is not a valid HOST[:PORT]." 1>&2
exit 1 exit 1
fi fi
if ! [[ $TARGET =~ : ]]; then
TARGET="${TARGET}:443"
fi
debug "host: $HOST"
debug "Port: $PORT"
TARGET=$HOST:$PORT
debug "target: $TARGET" debug "target: $TARGET"
# test our openssl is usable # test our openssl is usable
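Review bot: the new check on the `if [[ -z $TARGET || $TARGET =~ ^[-:] || $TARGET =~ :.*[^0-9] ]]` line still accepts a target with a trailing colon and no port. For `example.com:` the pattern `:.*[^0-9]` does not match (nothing follows the colon), and the `if ! [[ $TARGET =~ : ]]` block below then skips the `:443` default, so `example.com:` reaches s_client with an empty port. A positive match such as `^[^-:][^:]*(:[0-9]+)?$` (or an extra `|| $TARGET =~ :$` clause) would enforce the "followed by a port number" rule the commit message describes. Separately, `TARGET=${PARAMS[-1]}` and `unset PARAMS[-1]` rely on negative array subscripts, which the sed version did not need and which older bash releases (the bash 3.2 still shipped on macOS, for one) reject with "bad array subscript"; either document the minimum bash version or use `${PARAMS[${#PARAMS[@]}-1]}` and `unset 'PARAMS[${#PARAMS[@]}-1]'` (quoted, so the brackets are not subject to globbing).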
@ -1399,7 +1393,7 @@ if [[ $VERBOSE != 0 ]] ; then
$OPENSSLBIN ciphers ALL 2>/dev/null $OPENSSLBIN ciphers ALL 2>/dev/null
fi fi
SCLIENTARGS=$(sed -e s,${TEMPTARGET},,<<<"${@}") SCLIENTARGS="${PARAMS[*]}"
debug "sclientargs: $SCLIENTARGS" debug "sclientargs: $SCLIENTARGS"