Find apps with unsafe Sparkle versions
#!/bin/bash
# A pipeline fails when any of its stages fails, not only the last one.
set -o pipefail
# Accumulates the "!!:" findings; printed as a summary once the scan is done.
REPORT=""
# Split command substitutions on newlines only, so bundle paths with spaces
# stay in one piece.
IFS=$'\n'
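#######################################
# Classify one .app bundle by how it fetches Sparkle updates. "ok" and
# "unable to tell" verdicts go to stdout; verdicts judged unsafe are appended
# to the global REPORT for the end-of-run summary instead.
# Globals:   REPORT (appended to)
# Arguments: $1 - path to the .app bundle
# Outputs:   a single verdict line on stdout, or nothing when the finding is
#            recorded in REPORT
# Returns:   not meaningful; the verdict is conveyed via stdout / REPORT
#######################################
checkapp() {
  local apppath=$1
  local plist="$apppath/Contents/Info.plist"
  local sparkleplist="$apppath/Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
  local sparklebin="$apppath/Contents/Frameworks/Sparkle.framework/Sparkle"
  local ver app feed feed_rc sparklever sparkle_rc

  # Prefer the marketing version string; fall back to the build number.
  ver=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null \
    || defaults read "$plist" CFBundleVersion 2>/dev/null)
  app="$(basename -s .app "$apppath") $ver"

  # Only the SUFeedURL key of the bundle's Info.plist is consulted; a feed
  # configured any other way is invisible here and ends up as "unknown feed
  # URL". Declaration and assignment are split so the exit status survives.
  feed_rc=0
  feed=$(defaults read "$plist" SUFeedURL 2>/dev/null) || feed_rc=$?

  if [[ -d "$apppath/Contents/_MASReceipt" && ! -e "$sparklebin" ]]; then
    # Mac App Store receipt present and no Sparkle binary shipped.
    printf '%s\n' "ok: $app does not use Sparkle"
  elif [[ $feed_rc -ne 0 && ! -e "$sparkleplist" ]]; then
    # No feed key and no embedded Sparkle framework.
    printf '%s\n' "ok: $app does not seem to use Sparkle"
  elif [[ $feed == "https://"* ]]; then
    # Prefix test only: a lowercase "https://" scheme counts as safe.
    printf '%s\n' "ok: $app uses HTTPS for updates - safe"
  elif grep -F -q "about:blank" "$sparklebin" 2>/dev/null; then
    # The literal "about:blank" inside the Sparkle binary is treated as the
    # marker of a patched build.
    printf '%s\n' "ok: $app has a patched version Sparkle - safe"
  else
    sparkle_rc=0
    sparklever=$(defaults read "$sparkleplist" CFBundleVersion 2>/dev/null) || sparkle_rc=$?
    if [[ $sparkle_rc -eq 0 && -n "$feed" ]]; then
      REPORT+="
!!: $app uses insecure feed URL '$feed' and an unpatched version of Sparkle ($sparklever) - it is UNSAFE"
    elif [[ $sparkle_rc -ne 0 ]]; then
      REPORT+="
!!: $app uses insecure feed URL '$feed' and an unknown version of Sparkle - may be UNSAFE"
    else
      printf '%s\n' "!!: $app uses unknown feed URL and an unknown version of Sparkle - unable to tell"
    fi
  fi
}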
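# Enumerate application bundles (Spotlight plus a shallow scan of
# /Applications), de-duplicate, and check each one. A read loop is used
# instead of `for i in $(...)` so that a path containing glob characters
# (`*`, `?`, `[`) is passed through verbatim rather than expanded.
while IFS= read -r bundle; do
  [[ -n "$bundle" ]] || continue
  checkapp "$bundle"
done < <({ mdfind kind:application; find /Applications -maxdepth 2 -name '*.app'; } | sort -u)

# Print the summary of unsafe findings collected by checkapp, if any.
if [[ -n "$REPORT" ]]; then
  printf '%s\n' "
Unsafe applications found!
$REPORT
Please ask the apps' developers to update Sparkle to the secure version,
as described at: https://sparkle-project.org/documentation/security
"
fi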
Kosmic-Halo commented Feb 14, 2016

What is the main script for the command line?

this one?
for i in $({ mdfind kind:application; find /Applications -maxdepth 2 -name '*.app'; } | sort -u ); do
checkapp "$i"
done

mathiasbynens commented Feb 14, 2016

@Kosmic-Halo You just run ./sparklecheck.sh.

ghost commented Feb 20, 2016

Do you recommend single user mode for this? Or just the regular terminal?

kornelski commented Apr 27, 2016

This won't work in single user mode.
