• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: Bill Cheeseman <email@hidden>
  • Date: Thu, 11 Feb 2016 14:22:23 -0500

On Feb 11, 2016, at 9:33 AM, Deivy Petrescu <email@hidden> wrote:

I saw Bill Cheeseman’s email using the Finder and that also did not work,...

Sorry about that.

Below is my extensively revised script, still avoiding use of 'do shell script'. These are among its many new features:

1. It uses System Events instead of Finder.

2. It uses 'choose folder' (defaulting to the local Applications folder), so you can examine any folder

3. It examines file packages at the root level of the chosen folder.

4. It uses a recursive handler to examine file packages in all subfolders of the chosen folder, no matter how deeply nested.

5. It lists all file packages that contain the Sparkle framework in the standard location, even if they meet all known security requirements.

6. It reports the version or bundle version of the framework, if available.

7. It reports whether the appcast feed URL is HTTP, HTTPS, something else ("anomalous'), or the absence of an info.plist setting named "SUFeedURL".

8. It uses 'choose from list' to report its results, to get the benefit of scrolling so you can see long lists on your screen.

9. It lets you choose any application in the list and launch it, so that you can turn off its automatic update checking if that feature is available.

global appList
set appList to {}

set targetFolder to choose folder with prompt "List applications containing the Sparkle framework in folder:" default location path to applications folder
my examineApplicationsOf(targetFolder)
my examineSubfoldersOf(targetFolder)

activate
tell application "System Events" to get name of targetFolder
set targetName to result
if appList is not {} then
set appListCount to count of appList
set intro to "These are the " & appListCount & " applications or other file packages in the " & targetName & "  folder that contain the Sparkle framework in the standard location." & return & return & "Any application with a Sparkle framework version older than 1.13.1 and which does not use an HTTPS appcast feed URL is subject to the recently reported Sparkle security issue. Choose any such application in the list and click Launch, and then consider disabling automatic update checks if the application supports that feature." & return & return & "Where available, the version or bundle version of the Sparkle framework is noted in the list. Some of the listed applications with framework versions older than 1.13.1 may have been updated to use a security patch; check with the application's developer. Be aware that this list may not include all software that uses Sparkle with other insecure techniques, such as a plug-in or an insecure HTTP release note link."
choose from list appList with title "Sparkle Applications" with prompt intro OK button name "Launch"
if result is not false then
set appPath to item 1 of result
get offset of " /" in appPath
set appPath to text from character 1 to character (result - 1) of appPath
tell me to launch application appPath
end if
else
display alert "No applications found" message "No applications or file packages containing the Sparkle framework were found in the " & targetName & "  folder."
end if

on examineSubfoldersOf(thisFolder)
tell application "System Events"
get every folder of thisFolder
repeat with thisSubfolder in result
my examineApplicationsOf(thisSubfolder)
my examineSubfoldersOf(thisSubfolder) -- recursive
end repeat
end tell
end examineSubfoldersOf

on examineApplicationsOf(thisFolder)
tell application "System Events"
get every file package of thisFolder
repeat with thisApp in result
set appPath to path of thisApp
set sparklePath to appPath & "Contents:Frameworks:Sparkle.framework"
if exists disk item sparklePath then
set plistPath to appPath & "Contents:info.plist"
if exists disk item plistPath then
get (every property list item of property list file plistPath whose name is "SUFeedURL")
if (count of result) > 0 then
get value of item 1 of result
if result starts with "http:" then
set end of appList to appPath & my sparkleVersion(appPath) & " (uses HTTP in its appcast feed URL)"
else if result starts with "https:" then
set end of appList to appPath & my sparkleVersion(appPath) & " (uses HTTPS in its appcast feed URL)"
else
set end of appList to appPath & my sparkleVersion(appPath) & " (uses an anomalous appcast feed URL)"
end if
else
set end of appList to appPath & my sparkleVersion(appPath) & " (does not use an appcast feed URL named SUFeedURL)"
end if
end if
end if
end repeat
end tell
end examineApplicationsOf

on sparkleVersion(appPath)
tell application "System Events"
set sparklePlistPath to appPath & "Contents:Frameworks:Sparkle.framework:Versions:Current:Resources:Info.plist"
if exists disk item sparklePlistPath then
get (every property list item of property list file sparklePlistPath whose name is "CFBundleShortVersionString")
if (count of result) > 0 then
get value of item 1 of result
return " /Sparkle version " & result
else
get (every property list item of property list file sparklePlistPath whose name is "CFBundleVersion")
if (count of result) > 0 then
get value of item 1 of result
return " /Sparkle bundle version " & result
else
return " /Sparkle version not available"
end if
end if
end if
end tell
return ""
end sparkleVersion

-- 

Bill Cheeseman - email@hidden
 

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
AppleScript-Users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
Archives: http://lists.apple.com/archives/applescript-users

This email sent to email@hidden
  • Follow-Ups:
    • Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
      • From: 2551phil <email@hidden>
References: 
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Bill Cheeseman <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: "Stockly, Ed" <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Bill Cheeseman <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Deivy Petrescu <email@hidden>)

  • Prev by Date: Applescript, Indesign CS5 and OS X 10.11.3
  • Next by Date: Re: Sparkle updater check vulnerability script
  • Previous by thread: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Next by thread: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Index(es):
    • Date
    • Thread