Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: sqwarqDev <email@hidden>
- Date: Wed, 10 Feb 2016 16:22:37 +0000 (GMT)
On 10 Feb 2016, at 22:55, Peter Teeson <email@hidden> wrote:
find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
That produces a list of apps that are on earlier versions of Sparkle than 1.13. That’s not the same as a list of apps that are vulnerable to the exploit. Apps running 1.11 are safe if both the https urls and release notes urls are https secured (or so we established earlier in the thread, so I say that notwithstanding further info to the contrary).
Here’s the latest version of the AppleScript that reveals any Sparkle app not using https. I had to abandon the attempt to implement choosing other folders. Too many problems trying to get it to work.
#script version 1.4
-- Lists every app in /Applications that bundles Sparkle.framework and whose
-- SUFeedURL (the appcast URL in the app's Info.plist) is plain http.
set defaultAppsFolder to "/Applications"
set pathToAppFolder to ((path to startup disk) as text) & "Applications:" as alias
set infoFilePath to "Contents:Info.plist"
set sparkleAppsList to {}

-- find every bundled Sparkle.framework and keep just the top-level bundle name
-- (field 3 of /Applications/Foo.app/...); apps nested in sub-folders are not handled
set theAppList to do shell script "find " & defaultAppsFolder & " -name Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList

repeat with i from 1 to number of items in theAppList
    set theApp to item i of theAppList
    set f to (pathToAppFolder as text) & theApp & ":" & infoFilePath
    tell application "System Events"
        if exists property list file f then
            set thePlist to contents of property list file f
            set theValue to value of thePlist
            try
                -- apps that set their feed URL in code rather than Info.plist have no SUFeedURL key
                if exists SUFeedURL of theValue then
                    set thisSUFeedURL to SUFeedURL of theValue as text
                    -- "http:" does not match "https:", so only insecure feeds are collected
                    if thisSUFeedURL contains "http:" then
                        set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL
                        set end of my sparkleAppsList to theResultString & "
"
                    end if
                end if
            end try
        end if
    end tell
end repeat

display dialog "The following apps do not use secure https connections for the Sparkle updater:
" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle Framework Vulnerability Check"
#EOF
_______________________________________________
Cocoa-dev mailing list (email@hidden)
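As an added defender's check (not the author's script and not Sparkle's own code), the Python scan below combines the two points the thread makes: it reads the bundled Sparkle version (CFBundleShortVersionString, assumed here to live in Sparkle.framework/Resources/Info.plist) and the SUFeedURL scheme from each app's Info.plist, and flags only apps that run a pre-1.13 Sparkle with a feed URL that is not https. The sample bundles are constructed in a temporary directory so it runs offline; names such as OldHttp.app and the example.invalid URLs are made up.

```python
import os
import plistlib
import tempfile
from urllib.parse import urlparse

FIXED_IN = (1, 13)  # assumption: the thread treats Sparkle 1.13 as the first fixed release

def parse_version(text):
    # "1.13.1" -> (1, 13, 1); tuple comparison then orders versions, non-digits count as 0
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in str(text).split("."))

def read_plist(path):
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)  # handles both XML and binary plists
    except (OSError, plistlib.InvalidFileException):
        return {}

def scan_apps(apps_dir):
    """Map app bundle name -> (sparkle_version, feed_url, risky) for every Sparkle.framework found."""
    apps_dir, results = os.path.normpath(apps_dir), {}
    for root, dirs, _files in os.walk(apps_dir):
        if "Sparkle.framework" not in dirs:
            continue
        dirs.remove("Sparkle.framework")  # do not descend into the framework itself
        app = root  # nearest enclosing .app bundle, walking up from e.g. Contents/Frameworks
        while app != apps_dir and not app.endswith(".app"):
            app = os.path.dirname(app)
        feed = str(read_plist(os.path.join(app, "Contents", "Info.plist")).get("SUFeedURL", ""))
        fw_info = read_plist(os.path.join(root, "Sparkle.framework", "Resources", "Info.plist"))
        version = str(fw_info.get("CFBundleShortVersionString", "0"))
        # Per the thread: pre-1.13 Sparkle is only a problem when the feed URL is not https;
        # a missing SUFeedURL (feed set in code) is treated as unknown and therefore flagged
        risky = parse_version(version) < FIXED_IN and urlparse(feed).scheme.lower() != "https"
        results[os.path.basename(app)] = (version, feed, risky)
    return results

def build_fixture():
    """Constructed sample bundles (not real apps) in a temp dir so the scan can run offline."""
    base = tempfile.mkdtemp()
    samples = {"OldHttp.app": ("1.11", "http://example.invalid/appcast.xml"),
               "OldHttps.app": ("1.11", "https://example.invalid/appcast.xml"),
               "NewHttp.app": ("1.13.1", "http://example.invalid/appcast.xml")}
    for name, (ver, feed) in samples.items():
        res = os.path.join(base, name, "Contents", "Frameworks", "Sparkle.framework", "Resources")
        os.makedirs(res)
        with open(os.path.join(res, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": ver}, fh)
        with open(os.path.join(base, name, "Contents", "Info.plist"), "wb") as fh:
            plistlib.dump({"SUFeedURL": feed}, fh)
    return base
```

On a real Mac, call scan_apps("/Applications") and print the entries whose third field is True; apps that fetch their feed URL from a delegate rather than Info.plist show an empty feed and deserve a manual look.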