I forgot a piece of the code.
Here is an enhanced version which analyses the use of the appcast more deeply.
When the appcast is fetched using https there is no problem, but sometimes it is fetched using http.
#script version 1.5.5
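# Purpose: list every .app / .prefPane bundle known to Spotlight that embeds a
# Sparkle.framework older than 1.13.1, and annotate each entry with the update
# feed URL (SUFeedURL) and with whether the main executable appears to reference
# its appcast over plain http.
#
# Limits of the check (it is a heuristic, not proof):
#  - only the first executable found in Contents/MacOS is read; helper tools and
#    other embedded frameworks are not inspected;
#  - the appcast test is a substring search in the raw binary, so an "http:"
#    string that merely sits near the word "appcast" is reported, and a URL
#    assembled at run time is missed;
#  - bundles that Spotlight has not indexed are never seen.
set foundCounter to 0
# The bundle property list is named "Info.plist"; the exact case matters on
# case-sensitive volumes.
set infoFilePath to "/Contents/Info.plist"
# The two queries run one after the other (";"). With "&" the first mdfind was
# put in the background and its output could interleave with the second one,
# producing broken paths.
set theApps to do shell script "mdfind kMDItemFSName == '*.prefPane' ; mdfind kMDItemFSName == '*.app'"
--set theApps to theApps & (do shell script "mdfind -onlyin /Applications " & quote & "kMDItemFSName == '*.app'" & quote) # disabled in 1.5.2
set theApps to paragraphs of theApps
set sparkleAppsList to {}
tell application "System Events"
	repeat with anApp in theApps
		set anApp to anApp as text
		set aFrameWork to anApp & "/Contents/Frameworks/Sparkle.framework"
		if exists disk item aFrameWork then
			# One unreadable or oddly built bundle must not abort the whole scan,
			# and it must not vanish from the report either: it is listed as
			# not analysed so that it can be checked by hand.
			try
				set aSparklePlist to aFrameWork & "/Versions/A/Resources/Info.plist"
				set thePlist to contents of property list file aSparklePlist
				set theValue to value of thePlist
				# Prefer the marketing version; fall back to the build version.
				try
					set sparkleVersion to CFBundleShortVersionString of theValue as text
				on error
					set sparkleVersion to CFBundleVersion of theValue as text
				end try
				# Numeric comparison so that "1.9" sorts before "1.13.1".
				considering numeric strings
					set vulnerable to sparkleVersion < "1.13.1"
				end considering
				if vulnerable then
					# Added in v1.5.4
					set theBin to (first disk item of folder (anApp & "/Contents/MacOS/") whose type identifier is "public.unix-executable")
					# The whole executable is read as text and searched for "appcast".
					tell me to set binContents to read theBin
					set callAppcast to binContents contains "appcast"
					if callAppcast then
						set vulnerable2 to false
						# Every item but the last one is the text that precedes an
						# occurrence of "appcast".
						set inList to my decoupe(binContents, "appcast")
						repeat with i from 1 to (count inList) - 1
							set itemI to inList's item i
							# Inspect at most the 100 characters before "appcast".
							# Shorter segments are inspected in full; skipping them
							# hid an http URL that closely follows a previous
							# occurrence of "appcast".
							if (count itemI) > 100 then
								set maybe to text -100 thru -1 of itemI
							else
								set maybe to itemI
							end if
							if (maybe contains "http:") and (maybe does not contain "https:") then set vulnerable2 to true
						end repeat
						set thePlist to contents of property list file (anApp & infoFilePath)
						set theValue to value of thePlist
						try # Edited in 1.5.3
							set thisSUFeedURL to SUFeedURL of theValue as text
							# Report a mismatch between the declared feed scheme and
							# the scheme seen next to "appcast" in the binary.
							if (thisSUFeedURL contains "https:") and vulnerable2 is true then
								set thisSUFeedURL to thisSUFeedURL & " but call appcast thru http"
							else if thisSUFeedURL contains "http:" then
								if vulnerable2 then
									set thisSUFeedURL to thisSUFeedURL & " and call appcast thru http"
								else
									set thisSUFeedURL to thisSUFeedURL & " but call appcast thru https"
								end if
							end if
						on error
							# No SUFeedURL key in the bundle's Info.plist.
							if vulnerable2 then
								set thisSUFeedURL to "no link available but call appcast thru http"
							else
								set thisSUFeedURL to "no link available but call appcast thru https"
							end if
						end try
						set end of sparkleAppsList to "Application : " & anApp & " : " & thisSUFeedURL & linefeed & linefeed
						set foundCounter to foundCounter + 1
					else
						# The executable never mentions "appcast": only the declared
						# feed URL, if any, can be reported.
						set thePlist to contents of property list file (anApp & infoFilePath)
						set theValue to value of thePlist
						try # Edited in 1.5.3 and 1.5.4
							set thisSUFeedURL to SUFeedURL of theValue as text
						on error
							set thisSUFeedURL to "no link available"
						end try
						set end of sparkleAppsList to "Application : " & anApp & " : " & thisSUFeedURL & linefeed & linefeed
						set foundCounter to foundCounter + 1
					end if
				end if # vulnerable
			on error errText
				# Not counted in foundCounter: nothing is known about this bundle.
				set end of sparkleAppsList to "Application : " & anApp & " : could not be analysed (" & errText & ")" & linefeed & linefeed
			end try
		end if
	end repeat
end tell
# The count covers every bundle whose Sparkle is older than 1.13.1, including
# those whose feed is already https, so the heading states exactly that.
display dialog "Found: " & foundCounter & " apps bundling a Sparkle framework older than 1.13.1 (feed and appcast transport noted per app):
" & sparkleAppsList buttons {"Save List", "OK"} default button "OK" with title "Sparkle Framework Vulnerability Check"
set aResponse to button returned of the result # Edited in 1.5.3
if aResponse is "Save List" then # Edited in 1.5.3
	# Hand the report to TextEdit so that the user can save it.
	tell application "TextEdit"
		activate
		make new document
		set text of document 1 to sparkleAppsList as text
	end tell
end if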
#=====
on decoupe(t, d)
	# Split the text t on the delimiter d and return the list of pieces.
	# AppleScript's text item delimiters are global, so the previous value is
	# saved first and put back before returning.
	local savedDelimiters, pieces
	set savedDelimiters to AppleScript's text item delimiters
	set AppleScript's text item delimiters to d
	set pieces to text items of t
	set AppleScript's text item delimiters to savedDelimiters
	return pieces
end decoupe
#=====
#EOF
Yvan KOENIG running El Capitan 10.11.3 in French (VALLAURIS, France) jeudi 11 février 2016 21:41:39