Skip to content

Instantly share code, notes, and snippets.

@kornelski
Created February 14, 2016 00:44
Show Gist options
  • Save kornelski/e50af6990f9b24a130af to your computer and use it in GitHub Desktop.
Save kornelski/e50af6990f9b24a130af to your computer and use it in GitHub Desktop.
Find apps with unsafe Sparkle versions
#!/bin/bash
set -o pipefail
IFS=$'\n'
REPORT=''
checkapp() {
local APPPATH=$1
local PLIST="$APPPATH/Contents/Info.plist"
local SPARKLEPLIST="$APPPATH/Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
local SPARKLEBIN="$APPPATH/Contents/Frameworks/Sparkle.framework/Sparkle"
local VER=$(defaults read "$PLIST" CFBundleShortVersionString 2>/dev/null || defaults read "$PLIST" CFBundleVersion 2>/dev/null)
local APP="$(basename -s .app "$APPPATH") $VER"
FEED=$(defaults read "$PLIST" SUFeedURL 2>/dev/null)
local RESULT=$?
if [ -d "$APPPATH/Contents/_MASReceipt" -a ! -e "$SPARKLEBIN" ]; then
echo "ok: $APP does not use Sparkle";
elif [ "$RESULT" -ne 0 -a ! -e "$SPARKLEPLIST" ]; then
echo "ok: $APP does not seem to use Sparkle";
elif [[ $FEED == "https://"* ]]; then
echo "ok: $APP uses HTTPS for updates - safe";
elif fgrep 2>/dev/null -q "about:blank" "$SPARKLEBIN"; then
echo "ok: $APP has a patched version Sparkle - safe"
else
SPARKLEVER=$(defaults read "$SPARKLEPLIST" CFBundleVersion 2>/dev/null)
local RESULT=$?
if [ $RESULT -eq 0 -a -n "$FEED" ]; then
REPORT+="
!!: $APP uses insecure feed URL '$FEED' and an unpatched version of Sparkle ($SPARKLEVER) - it is UNSAFE"
elif [ $RESULT -ne 0 ]; then
REPORT+="
!!: $APP uses insecure feed URL '$FEED' and an unknown version of Sparkle - may be UNSAFE"
else
echo "!!: $APP uses unknown feed URL and an unknown version of Sparkle - unable to tell"
fi
fi
}
for i in $({ mdfind kind:application; find /Applications -maxdepth 2 -name '*.app'; } | sort -u ); do
checkapp "$i"
done
if [ -n "$REPORT" ]; then
echo "
Unsafe applications found!
$REPORT
Please ask the apps' developers to update Sparkle to the secure version,
as described at: https://sparkle-project.org/documentation/security
"
fi
@Kosmic-Halo
Copy link

What us main script for command line?

this one?
for i in $({ mdfind kind:application; find /Applications -maxdepth 2 -name '*.app'; } | sort -u ); do
checkapp "$i"
done

@mathiasbynens
Copy link

@Kosmic-Halo You just run ./sparklecheck.sh.

Copy link

ghost commented Feb 20, 2016

Do you recommend single user mode for this? Or just the regular terminal?

@kornelski
Copy link
Author

This won't work in single user mode.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment