Sparkle updater check vulnerability script


  • Subject: Sparkle updater check vulnerability script
  • From: 2551phil <email@hidden>
  • Date: Wed, 10 Feb 2016 20:54:33 +0700

Hey folks

Here’s a script that should check whether apps located in your /Applications folder are using an insecure http address for the Sparkle updater URL.

(If you don’t know what I’m talking about, more info about the issue is here: http://applehelpwriter.com/2016/02/10/how-to-check-for-sparkle-vulnerability/ , but the TL;DR is that you’ve almost certainly got apps on your Mac that use the Sparkle framework.)

Note that there are two important classes of application it won’t find:

i. any insecure Sparkle apps that are not in your /Applications folder, and 
ii. any Sparkle apps that do not use the SUFeedURL key in their info plist.

For the former, you’ll either have to move the apps into Applications or adapt the script (choose folder would be the easiest way, I guess).

For the latter, the only way I can think of at the moment is to use ‘strings’ (or a text editor) and grep for ‘appcast’ on the binary located in /Contents/MacOS. 



-- Build an HFS path to /Applications on the startup disk
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:Info.plist"
set theApp to ""
set sparkleAppsList to {}
-- $3 is the path component directly under /Applications; sort -u drops repeats
-- when a bundle embeds more than one copy of Sparkle.framework
set theAppList to do shell script "find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | sort -u"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set f to pathToAppFolder & theApp & ":" & infoFilePath as string
    tell application "System Events"
        try
            set thePlist to contents of property list file f
            set theValue to value of thePlist
            set thisSUFeedURL to SUFeedURL of theValue as text
            -- Flag feeds that are fetched over plain http
            if thisSUFeedURL contains "http:" then
                set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
                set end of my sparkleAppsList to theResultString & linefeed & linefeed
            end if
        on error
            -- No Info.plist at this path (e.g. the app sits in a subfolder of
            -- /Applications) or no SUFeedURL key: skip it instead of aborting
        end try
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the sparkle updater:" & linefeed & linefeed & sparkleAppsList as string

AppleScript-Users mailing list      (email@hidden)
Archives: http://lists.apple.com/archives/applescript-users
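
An added example, not part of the original post: a Python sketch that covers the two classes the post says the script misses, by scanning any folder at any depth and by falling back to the post's "strings and grep for appcast" heuristic on the binaries in Contents/MacOS when Info.plist has no SUFeedURL key. The function names and the choice of Python rather than AppleScript are assumptions made for this example.

```python
import plistlib
import re
import sys
from pathlib import Path

# Printable-ASCII http:// URLs that mention "appcast": what `strings | grep appcast` would surface
APPCAST_RE = re.compile(rb"http://[\x21-\x7e]*appcast[\x21-\x7e]*", re.I)

def bundle_for(framework):
    """Return the outermost .app that encloses a Sparkle.framework, or None."""
    for parent in list(framework.parents)[::-1]:
        if parent.suffix == ".app":
            return parent
    return None

def feed_urls(app):
    """SUFeedURL from Info.plist (XML or binary) if set, else appcast strings in the binaries."""
    try:
        with open(app / "Contents" / "Info.plist", "rb") as fh:
            url = plistlib.load(fh).get("SUFeedURL")
    except Exception:  # missing or unparsable plist: fall through to the binary scan
        url = None
    if url:
        return [("Info.plist", str(url))]
    hits = []
    macos = app / "Contents" / "MacOS"
    for exe in sorted(macos.iterdir()) if macos.is_dir() else []:
        if exe.is_file():
            hits += [(exe.name, m.decode("ascii")) for m in APPCAST_RE.findall(exe.read_bytes())]
    return hits

def scan(root):
    """Return sorted (app path, where found, url) for each plain-http feed under root."""
    root = Path(root)
    if not root.is_dir():
        return []
    findings = set()
    for fw in root.rglob("Sparkle.framework"):
        app = bundle_for(fw)
        for source, url in (feed_urls(app) if app else []):
            if url.lower().startswith("http:"):
                findings.add((str(app), source, url))
    return sorted(findings)

if __name__ == "__main__":
    for app, source, url in scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(f"{app}\t{source}\t{url}")
```

A hit from the binary scan only shows that an http appcast string is embedded in the executable, so treat it as a lead to confirm rather than proof of the feed the app actually uses.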
