
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server


  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: Yvan KOENIG <email@hidden>
  • Date: Thu, 11 Feb 2016 14:21:55 +0100

Looking more closely at the available applications, I found five embedding an old version of Sparkle but with no SUFeedURL property.
As I doubt that the developers embedded the framework without using it, I assume that they call it from the executable itself.
This is why I edited the script one more time.
When there is no SUFeedURL property, the file is reported with the string "no link available".
For the same reason I no longer distinguish between apps using https and those using http in the SUFeedURL property. Maybe they use http from the executable code.
I found two using https with an old Sparkle version:

CopyPaste Pro.app : https://www.scriptsoftware.com/appcastSSL.php?pid=89 (uses version 1.5 Beta 6)
Pacifist.app : https://www.charlessoft.com/cgi-bin/pacifist_sparkle.cgi (uses version 1.5 Beta (bzr))

Here is the new version.
#script version 1.5.3
set foundCounter to 0
set infoFilePath to "/Contents/Info.plist"

# Ask Spotlight for every preference pane and application bundle.
# Each query is quoted and the two commands run one after the other.
set theApps to do shell script "mdfind \"kMDItemFSName == '*.prefPane'\"; mdfind \"kMDItemFSName == '*.app'\""

--set theApps to theApps & (do shell script "mdfind -onlyin /Applications " & quote & "kMDItemFSName == '*.app'" & quote) # disabled in 1.5.2

set theApps to paragraphs of theApps
set sparkleAppsList to {}
tell application "System Events"
    repeat with anApp in theApps
        set anApp to anApp as text
        set aFrameWork to anApp & "/Contents/Frameworks/Sparkle.framework"
        if exists disk item aFrameWork then
            # Read the version of the embedded Sparkle framework
            set aSparklePlist to aFrameWork & "/Versions/A/Resources/Info.plist"
            set thePlist to contents of property list file aSparklePlist
            set theValue to value of thePlist
            try
                set sparkleVersion to CFBundleShortVersionString of theValue as text
            on error
                set sparkleVersion to CFBundleVersion of theValue as text
            end try
            # Numeric comparison, so that "1.5" sorts before "1.13.1"
            considering numeric strings
                set vulnerable to sparkleVersion < "1.13.1"
            end considering
            if vulnerable then
                # Report the appcast URL declared in the application's own Info.plist
                set thePlist to contents of property list file (anApp & infoFilePath)
                set theValue to value of thePlist
                try # Edited in 1.5.3
                    set thisSUFeedURL to SUFeedURL of theValue as text
                    if thisSUFeedURL does not contain "http" then set thisSUFeedURL to "no link available"
                on error
                    set thisSUFeedURL to "no link available"
                end try
                set end of sparkleAppsList to "Application : " & anApp & " : " & thisSUFeedURL & linefeed & linefeed
                set foundCounter to foundCounter + 1
            end if # vulnerable
        end if
    end repeat
end tell

# Since 1.5.3 the list holds every bundle whose Sparkle is older than 1.13.1,
# whatever scheme its SUFeedURL uses.
display dialog "Found: " & foundCounter & " apps that do not use secure https connections for the Sparkle updater:

" & sparkleAppsList buttons {"Save List", "OK"} default button "OK" with title "Sparkle Framework Vulnerability Check"

set aResponse to button returned of the result # Edited in 1.5.3

if aResponse is "Save List" then # Edited in 1.5.3
    tell application "TextEdit"
        activate
        make new document
        set text of document 1 to sparkleAppsList as text
    end tell
end if
#EOF


Yvan KOENIG running El Capitan 10.11.3 in French (VALLAURIS, France) jeudi 11 février 2016 14:17:45
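
An added example, not part of the original post: the same audit in Python, extended so that a bundle with no SUFeedURL also has its main executable scanned for embedded URLs, since the post assumes such apps set the feed from code. The function names, the sample bundle and the updates.example.invalid URL are constructed for illustration, and a URL found in the binary is only a hint, not proof that it is the appcast feed.

```python
import plistlib
import re
import tempfile
from pathlib import Path

FIXED = (1, 13, 1)  # same threshold as the script in the post
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")
SPARKLE_PLIST = "Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist"

def version_tuple(text):
    """Leading dotted number only, so '1.5 Beta 6' -> (1, 5)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else (0,)

def audit_bundle(app):
    """Return None if Sparkle is absent or >= FIXED, else a finding dict."""
    app = Path(app)
    if not (app / SPARKLE_PLIST).is_file():
        return None
    sp = plistlib.loads((app / SPARKLE_PLIST).read_bytes())
    ver = str(sp.get("CFBundleShortVersionString") or sp.get("CFBundleVersion") or "0")
    if version_tuple(ver) >= FIXED:
        return None
    info = plistlib.loads((app / "Contents/Info.plist").read_bytes())
    feed = str(info.get("SUFeedURL") or "")
    embedded = []
    if not feed.startswith("http"):  # feed may be set from code instead
        exe = app / "Contents/MacOS" / str(info.get("CFBundleExecutable", app.stem))
        if exe.is_file():
            embedded = sorted({u.decode() for u in URL_RE.findall(exe.read_bytes())})
    cleartext = feed.startswith("http://") or any(u.startswith("http://") for u in embedded)
    return {"sparkle": ver, "feed": feed or None, "embedded": embedded, "cleartext": cleartext}

def build_sample(root, name, sparkle, feed=None, exe=b""):
    # Constructed test bundle, not a real application
    app = Path(root) / name
    (app / "Contents/MacOS").mkdir(parents=True)
    (app / SPARKLE_PLIST).parent.mkdir(parents=True)
    (app / SPARKLE_PLIST).write_bytes(plistlib.dumps({"CFBundleShortVersionString": sparkle}))
    info = {"CFBundleExecutable": "Demo", **({"SUFeedURL": feed} if feed else {})}
    (app / "Contents/Info.plist").write_bytes(plistlib.dumps(info))
    (app / "Contents/MacOS/Demo").write_bytes(exe)
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        blob = b"\x00http://updates.example.invalid/appcast.xml\x00"
        print(audit_bundle(build_sample(tmp, "Demo.app", "1.5 Beta 6", exe=blob)))
```

On a real machine, pass each path returned by the mdfind queries to audit_bundle and review the bundles where cleartext is true first.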



