On 10 Feb 2016, at 22:55, Peter Teeson <peter.tee...@icloud.com> wrote:

> find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

That produces a list of apps that are on earlier versions of Sparkle than 1.13. That’s not the same as a list of apps that are vulnerable to the exploit. Apps running 1.11 are safe if both the https URLs and release notes URLs are https secured (or so we established earlier in the thread, so I say that notwithstanding further info to the contrary).

Here’s the latest version of the AppleScript that reveals any Sparkle app not using https. I had to abandon the attempt to implement choosing other folders. Too many problems trying to get it to work.

#script version 1.4
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set defaultAppsFolder to "/Applications"
set plistContents to ""
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
-- names of the items directly under /Applications that contain Sparkle.framework
set theAppList to do shell script "find " & defaultAppsFolder & " -name Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
    set theApp to text of item i of theAppList
    set this_item to item i of theAppList
    -- HFS path to the app's Info.plist
    set f to pathToAppFolder & this_item & ":" & infoFilePath as string
    tell application "System Events"
        if exists property list file f then
            set thePlist to contents of property list file f
            set theValue to value of thePlist
            try
                if exists SUFeedURL of theValue then
                    set thisSUFeedURL to SUFeedURL of theValue as text
                    -- report feed URLs that are plain http
                    if thisSUFeedURL contains "http:" then
                        set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as text
                        set end of my sparkleAppsList to theResultString & " "
                    end if
                end if
            end try
        end if
    end tell
end repeat
display dialog "The following apps do not use secure https connections for the Sparkle updater: " & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle Framework Vulnerability Check"
#EOF

_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
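
Added example, not part of the original message and not Sparkle project code: the same SUFeedURL check written in Python, reading Info.plist with plistlib so that binary plists and apps in subfolders of /Applications are covered. The function names and the "unknown" status (no SUFeedURL key in Info.plist, assumed here to mean the feed is set elsewhere) are choices made for this example; the release notes URLs mentioned in the message are not checked.

```python
import os
import plistlib
from urllib.parse import urlparse

SPARKLE_DIR = os.path.join("Contents", "Frameworks", "Sparkle.framework")

def read_feed_url(app_path):
    """Return SUFeedURL from the bundle's Info.plist (XML or binary), or None."""
    try:
        with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
            value = plistlib.load(fh).get("SUFeedURL")
    except Exception:  # missing, unreadable or malformed plist
        return None
    return value if isinstance(value, str) else None

def classify(feed_url):
    """'https', 'insecure' (any other scheme), or 'unknown' (no static feed URL)."""
    if not feed_url:
        return "unknown"
    # urlparse lower-cases the scheme, so HTTPS:// and https:// compare equal
    return "https" if urlparse(feed_url.strip()).scheme == "https" else "insecure"

def scan(root):
    """Return {app_path: (status, feed_url)} for bundles under root embedding Sparkle."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath.endswith(".app"):
            dirnames[:] = []  # treat the bundle as a unit; nested helper apps are skipped
            if os.path.isdir(os.path.join(dirpath, SPARKLE_DIR)):
                url = read_feed_url(dirpath)
                results[dirpath] = (classify(url), url)
    return results

if __name__ == "__main__":
    # Print every Sparkle app whose feed URL is not https
    for app, (status, url) in sorted(scan("/Applications").items()):
        if status != "https":
            print(f"{status:9} {app}  {url or '(no SUFeedURL in Info.plist)'}")
```
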