
Commit 06506b3

committed
Make sure control chars from HTTP header don't end up in html,csv,json
This addresses bug #2330 by implementing a function which removes control characters from the html, csv and json file output formats at output time. At every call site there is a prior check whether the string contains control chars, in the hope of saving a few milliseconds. A tr call is used, omitting LF. It doesn't filter the terminal output and the log file output.
1 parent 1ee21b7 commit 06506b3

1 file changed

Lines changed: 30 additions & 3 deletions


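--- a/testssl.sh
+++ b/testssl.sh
@@ -534,7 +534,6 @@ show_finding() {
 html_reserved(){
 local output
 "$do_html" || return 0
-#sed -e 's/\&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g" <<< "$1"
 output="${1//&/$'&'amp;}"
 output="${output//</$'&'lt;}"
 output="${output//>/$'&'gt;}"
@@ -545,8 +544,26 @@ html_reserved(){
 }
 
 html_out() {
+local outstr="$1"
+
 "$do_html" || return 0
-[[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]] && printf -- "%b" "$1" >> "$HTMLFILE"
+if [[ -n "$HTMLFILE" ]] && [[ ! -d "$HTMLFILE" ]]; then
+if [[ "$outstr" =~ [[:cntrl:]] ]]; then
+outstr="$(sanitize_fileout "$outstr")"
+fi
+printf -- "%b" "$outstr" >> "$HTMLFILE"
+fi
+}
+
+# Removes on printable chars in CSV, JSON, HTML, see #2330
+sanitize_fileout() {
+tr -d '\000-\011,\013-\037' <<< "$1"
+}
+
+# Removes on printable chars in terminal output (log files)
+# We need to keep the icolor ANSI escape code, see #2330
+sanitize_termout() {
+tr -d '\000-\011,\013-\032,\034-\037' <<< "$1"
 }
 
 # This is intentionally the same.
@@ -1227,6 +1244,9 @@ fileout_json_print_parameter() {
 spaces=" " || \
 spaces=" "
 if [[ -n "$value" ]] || [[ "$parameter" == finding ]]; then
+if [[ "$value" =~ [[:cntrl:]] ]]; then
+value="$(sanitize_fileout "$value")"
+fi
 printf -- "%b%b%b%b" "$spaces" "\"$parameter\"" "$filler" ": \"$value\"" >> "$JSONFILE"
 "$not_last" && printf ",\n" >> "$JSONFILE"
 fi
@@ -1350,12 +1370,19 @@ fileout_insert_warning() {
 fi
 }
 
+# args: "id" "fqdn/ip" "port" "severity" "finding" "cve" "cwe" "hint"
+#
 fileout_csv_finding() {
+local finding="$5"
+
+if [[ "$finding" =~ [[:cntrl:]] ]]; then
+finding="$(sanitize_fileout "$finding")"
+fi
 safe_echo "\"$1\"," >> "$CSVFILE"
 safe_echo "\"$2\"," >> "$CSVFILE"
 safe_echo "\"$3\"," >> "$CSVFILE"
 safe_echo "\"$4\"," >> "$CSVFILE"
-safe_echo "\"$5\"," >> "$CSVFILE"
+safe_echo "\"$finding\"," >> "$CSVFILE"
 safe_echo "\"$6\"," >> "$CSVFILE"
 if "$GIVE_HINTS"; then
 safe_echo "\"$7\"," >> "$CSVFILE"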
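Review bot: The `tr -d` sets in `sanitize_fileout` and `sanitize_termout` contain literal commas, and `tr` treats a comma as an ordinary member of the set, so every comma in a string that holds a control character is deleted along with it. The ranges should simply be concatenated, `tr -d '\000-\011\013-\037'` and `tr -d '\000-\011\013-\032\034-\037'`; DEL (`\177`) also matches the `[[:cntrl:]]` guard but is in neither set. The filter also runs before the `printf "%b"` calls in `html_out` and `fileout_json_print_parameter`, so a backslash escape such as a literal `\r` in the string would presumably still be expanded into a control byte on output unless the value is escaped before it reaches these functions, which is not visible here. In `fileout_csv_finding` only `$5` is filtered; if the other fields can carry server-supplied text they would need the same call. `fileout_json_print_parameter` and `fileout_csv_finding` continue outside the shown hunks.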
