Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Sandor Szatmari <email@hidden>
- Date: Wed, 10 Feb 2016 08:05:32 -0500
It looks safe...
> On Feb 10, 2016, at 07:39, email@hidden wrote:
>
> You can do that in the terminal, I found this terminal command online:
>
> find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
This finds all files named Sparkle.framework in your applications folder and pipes the path as a string to awk, which tokenizes the string first on '/' and prints the 3rd token, which is piped to awk again, which this time tokenizes on '.' (this is stripping off '.app') and prints the first token, the application name.
Sandor
>
> This returns:
> Cornerstone
> Sequel Pro
>
> on my MacBook Pro...
>
> Important note: I did not come up with this myself and was a bit nervous
> running it in the terminal.
>
> Any Linux gurus on this list that can say whether the above command is OK
> to run in all circumstances?
>
>
>
>
>>
>> On 10 Feb 2016, at 13:59, email@hidden wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>>
>>
>> I was thinking of writing a script for this, checking for SUFeedURL for
>> every .app bundle, but
>>
>> i. is there already an easy way to check which apps use Sparkle?
>>
>> ii. I don't see an easy way for users to tell what version of Sparkle is
>> installed in an app.
>> Does anyone know where the Sparkle version number is hidden in the bundle?
>>
>> iii. given what Roland and Ken both say downthread, viz:
>>
>> If the release notes are via a separate URL and that URL is HTTP rather
>> than HTTPS, then the attacker can spoof it
>>
>> it looks like just checking the SUFeedURL for http or https won't be
>> enough to determine if the app is safe for any app running older versions
>> than Sparkle 1.13. Of course, we should all update to the latest version,
>> but I have one app that has to be 10.6 compatible and that can't use
>> anything but an ***old*** version of Sparkle. The app cast and release
>> notes are both https so I'm assuming this is secure (at least regarding
>> this particular issue…).
>>
>>
>>
>> Best
>>
>>
>> Phil
>> _______________________________________________
>>
>> Cocoa-dev mailing list (email@hidden)
>>
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>>
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
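The check discussed in this thread, written out as an added example (not code from the posters or from the Sparkle project): it lists app bundles that embed Sparkle.framework, including bundles in subfolders, and reports each one's SUFeedURL scheme and Sparkle version. The function names, the Contents/Frameworks location and reading the version from the framework's CFBundleShortVersionString are assumptions; the 1.13 threshold is the one named in the quoted message.

```python
import os
import plistlib
import sys
from itertools import takewhile
from urllib.parse import urlparse

def read_plist(path):
    """Parse an XML or binary plist; return {} if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:
        return {}

def version_tuple(text):
    """'1.13.1' -> (1, 13, 1); parsing stops at the first non-numeric part."""
    return tuple(int(p) for p in takewhile(str.isdigit, str(text).split(".")))

def audit_app(app_path):
    """Return findings for one .app bundle, or None if it has no Sparkle."""
    # Assumption: Sparkle is embedded at the usual Contents/Frameworks path.
    fw = os.path.join(app_path, "Contents", "Frameworks", "Sparkle.framework")
    if not os.path.isdir(fw):
        return None
    info = read_plist(os.path.join(app_path, "Contents", "Info.plist"))
    feed = str(info.get("SUFeedURL", ""))
    # Assumption: the framework's own Info.plist carries its version string.
    fw_info = read_plist(os.path.join(fw, "Resources", "Info.plist"))
    ver = str(fw_info.get("CFBundleShortVersionString", ""))
    issues = []
    if urlparse(feed).scheme.lower() != "https":
        issues.append("feed not https" if feed else "no SUFeedURL in Info.plist")
    if version_tuple(ver) < (1, 13):
        issues.append("Sparkle older than 1.13 or unknown: check release-notes URL too")
    return {"app": os.path.basename(app_path), "sparkle": ver, "feed": feed, "issues": issues}

def audit_tree(root="/Applications"):
    """Audit every .app under root, including ones in subfolders."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        apps = sorted(d for d in dirnames if d.endswith(".app"))
        dirnames[:] = [d for d in dirnames if d not in apps]  # skip bundle contents
        findings += filter(None, (audit_app(os.path.join(dirpath, a)) for a in apps))
    return findings

if __name__ == "__main__":
    for f in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(f["app"], f["sparkle"] or "?", f["feed"] or "-", "; ".join(f["issues"]) or "ok", sep="\t")
```

Run it with no argument to scan /Applications, or pass another folder as the first argument.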