make csd-post.sh continue with a warning without xmlstarlet (using Po…

…or Man's vary speshul XML parsing)
sailfishos-mirror · Jan 3, 2019 · 959ef95 · 959ef95
1 parent f57a5d7
commit 959ef95
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 6 deletions.
diff --git a/trojans/csd-post.sh b/trojans/csd-post.sh
@@ -12,9 +12,13 @@
 # server's security policy with lies. This script exists as an example
 # to work from.
 
-if ! xmlstarlet --version > /dev/null; then
-    echo "No xmlstarlet found"
-    exit 1;
+if ! xmlstarlet --version > /dev/null 2>&1; then
+    echo "************************************************************************" >&2
+    echo "WARNING: xmlstarlet not found in path; CSD token extraction may not work" >&2
+    echo "************************************************************************" >&2
+    unset XMLSTARLET
+else
+    XMLSTARLET=true
 fi
 
 DATA='endpoint.os.version="Linux";
@@ -64,7 +68,12 @@ done
 
 PINNEDPUBKEY="-s ${CSD_SHA256:+"-k --pinnedpubkey sha256//$CSD_SHA256"}"
 URL="https://$CSD_HOSTNAME/+CSCOE+/sdesktop/token.xml?ticket=$TICKET&stub=$STUB"
-COOKIE_HEADER="Cookie: sdesktop="$(curl $PINNEDPUBKEY -s "$URL"  | xmlstarlet sel -t -v /hostscan/token)
+if [ -n "$XMLSTARLET" ]; then
+    TOKEN=$(curl $PINNEDPUBKEY -s "$URL"  | xmlstarlet sel -t -v /hostscan/token)
+else
+    TOKEN=$(curl $PINNEDPUBKEY -s "$URL" | sed -n '/<token>/s^.*<token>\(.*\)</token>^\1^p' )
+fi
+COOKIE_HEADER="Cookie: sdesktop=$TOKEN"
 CONTENT_HEADER="Content-Type: text/xml"
 URL="https://$CSD_HOSTNAME/+CSCOE+/sdesktop/scan.xml?reusebrowser=1"
 curl $PINNEDPUBKEY -H "$CONTENT_HEADER" -H "$COOKIE_HEADER" --data "$DATA;type=text/xml" "$URL"
diff --git a/www/csd.xml b/www/csd.xml
@@ -54,8 +54,7 @@ the <tt>trojans/</tt> subdirectory:</p>
 
   <li><tt>csd-post.sh</tt>: This script does <i>not</i> actually run the CSD trojan binary. Instead, it emulates
   the behaviour of the CSD trojan, creating a plaintext report similar to the one that the CSD trojans build, and
-  uploading it to the server sent by the VPN gateway. It requires the <tt>xmlstarlet</tt> tool for parsing XML
-  sent by the server, to extract a token value. The report may need to be customized in order to be accepted by some
+  uploading it to the server sent by the VPN gateway. The report may need to be customized in order to be accepted by some
   servers; the <a href="https://github.com/Gilks/hostscan-bypass">hostscan-bypass</a> tool may help with this.
   Because this script does not actually execute a trojan binary, and because its complete output is easily visible
   in the script, the security concerns are greatly alleviated.