• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server


  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: Yvan KOENIG <email@hidden>
  • Date: Thu, 11 Feb 2016 13:48:25 +0100


Le 2016/02/11 à 12:36, Yvan KOENIG <email@hidden> a écrit :

I added test upon Sparkle version.

#script version 1.5.1
set foundCounter to 0
set infoFilePath to "/Contents/info.plist"

set theApps to do shell script "mdfind kMDItemFSName == '*.prefPane' & mdfind kMDItemFSName == '*.app'"

-- set theApps to theApps & (do shell script "mdfind -onlyin /Applications " & quote & "kMDItemFSName == '*.app'" & quote)

set theApps to paragraphs of theApps
set sparkleAppsList to {}
tell application "System Events"
repeat with anApp in theApps
set anApp to anApp as text
set aFrameWork to anApp & "/Contents/Frameworks/Sparkle.framework"
if exists disk item aFrameWork then
set aSparklePlist to aFrameWork & "/Versions/A/Resources/Info.plist"
set thePlist to contents of property list file aSparklePlist
set theValue to value of thePlist
try
set sparkleVersion to CFBundleShortVersionString of theValue as text
on error
set sparkleVersion to CFBundleVersion of theValue as text
end try
considering numeric strings
set vulnerable to sparkleVersion < "1.13.1"
end considering
if vulnerable then
try
set thePlist to contents of property list file (anApp & infoFilePath)
set theValue to value of thePlist
try
set thisSUFeedURL to SUFeedURL of theValue as text
if thisSUFeedURL contains "http:" then
set end of sparkleAppsList to "Application : " & anApp & " : " & thisSUFeedURL & linefeed & linefeed
set foundCounter to foundCounter + 1
end if
end try
end try
end if # vulnerable
end if
end repeat
end tell

display dialog "Found: " & foundCounter & " apps that do not use secure https connections for the Sparkle updater:

" & sparkleAppsList buttons {"Save List", "OK"} default button "OK" with title "Sparkle Framework Vulnerability Check"

set aResponse to text of the result

if aResponse contains "Save List" then
tell application "TextEdit"
activate
make new document
set text of document 1 to sparkleAppsList as text
end tell
end if
#EOF

I was surprised to see that the late Phil's version scan all mounted volumes.
Here I boot my iMac from an external SSD and so the script list items from the SSD and from the internal HD.


I was puzzled by the way Sparkle describes its version.
I found some occurrences with CFBundleShortVersionString:1.5 Beta 6, CFBundleVersion:313
and some with no CFBundleShortVersionString and with CFBundleVersion:1.1.
This is why I use a try block checking for CFBundleShortVersionString and for CFBundleVersion if there is no CFBundleShortVersionString.


In fact, the first shell script instruction extracts the list of every application files available so the second one is useless.


Yvan KOENIG running El Capitan 10.11.3 in French (VALLAURIS, France) jeudi 11 février 2016 13:48:21




 _______________________________________________
Do not post admin requests to the list. They will be ignored.
AppleScript-Users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
Archives: http://lists.apple.com/archives/applescript-users

This email sent to email@hidden

  • Follow-Ups:
    • Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
      • From: Yvan KOENIG <email@hidden>
References: 
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Bill Cheeseman <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Yvan KOENIG <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Yvan KOENIG <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Yvan KOENIG <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Shane Stanley <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Philip Stokes <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Shane Stanley <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Phil Stokes <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Yvan KOENIG <email@hidden>)

  • Prev by Date: Re: Sparkle updater check vulnerability script
  • Next by Date: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Previous by thread: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Next by thread: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Index(es):
    • Date
    • Thread