Commit b22f9cb

Merge pull request #2497 from drwetter/fix_2496
Supply overwrite option to --file/-iL with warnings off
2 parents e3b3c35 + ed08719 commit b22f9cb

5 files changed

+8
-7
lines changed

.github/workflows/codespell.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,5 +12,5 @@ jobs:
1212
- uses: actions/checkout@v4
1313
- uses: codespell-project/actions-codespell@master
1414
with:
15-
skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf
15+
skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf,fedora-dirk-ipv6.diff
1616
ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull
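
Review bot: The added `fedora-dirk-ipv6.diff` entry in `skip:` has nothing to do with the `--file`/`-iL` warnings fix named in the commit message, so it should either go in its own commit or be mentioned in the message, so that the reason for excluding that file from spell checking is recorded. While this workflow is being touched: the context line `uses: codespell-project/actions-codespell@master` tracks a mutable branch, and pinning it to a release tag (as with `actions/checkout@v4`) or to a commit SHA would make the CI run reproducible.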

doc/testssl.1

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -60,7 +60,7 @@ Options are either short or long options\. Any long or short option requiring a
6060
.SS "INPUT PARAMETERS"
6161
\fBURI\fR can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL\. IPv6 addresses need to be in square brackets\. For any given parameter port 443 is assumed unless specified by appending a colon and a port number\. The only preceding protocol specifier allowed is \fBhttps\fR\. You need to be aware that checks for an IP address might not hit the vhost you want\. DNS resolution (A/AAAA record) is being performed unless you have an \fB/etc/hosts\fR entry for the hostname\.
6262
.P
63-
\fB\-\-file <fname>\fR or the equivalent \fB\-iL <fname>\fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file <fname>\fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\.
63+
\fB\-\-file <fname>\fR or the equivalent \fB\-iL <fname>\fR are mass testing options\. Per default it implicitly turns on \fB\-\-warnings batch\fR\, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from \fBfname\fR\. \fBfname\fR consists of command lines of testssl, one line per instance\. Comments after \fB#\fR are ignored, \fBEOF\fR signals the end of fname any subsequent lines will be ignored too\. You can also supply additional options which will be inherited to each child, e\.g\. When invoking \fBtestssl\.sh \-\-wide \-\-log \-\-file <fname>\fR \. Each single line in \fBfname\fR is parsed upon execution\. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer\. In parallel mode the mileage varies, likely a line won't be scanned\.
6464
.P
6565
Alternatively \fBfname\fR can be in \fBnmap\fR's grep(p)able output format (\fB\-oG\fR)\. Only open ports will be considered\. Multiple ports per line are allowed\. The ports can be different and will be tested by testssl\.sh according to common practice in the internet, i\.e\. if nmap shows in its output an open port 25, automatically \fB\-t smtp\fR will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront\. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl\.sh\.
6666
.P
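
Review bot: In the added line 63 the new clause is escaped differently from the rest of the paragraph: it is joined with `\fR\,` and ends in a bare `before.`, while every other sentence on the line closes with `\.`. That looks hand-edited; if this page is generated from doc/testssl.1.md, regenerate it so the roff source and the Markdown stay in sync, otherwise write the clause with a plain comma after `\fR` and `before\.` at the end.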

doc/testssl.1.html

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

doc/testssl.1.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,7 @@ Options are either short or long options. Any long or short option requiring a v
8080

8181
`URI` can be a hostname, an IPv4 or IPv6 address (restriction see below) or an URL. IPv6 addresses need to be in square brackets. For any given parameter port 443 is assumed unless specified by appending a colon and a port number. The only preceding protocol specifier allowed is `https`. You need to be aware that checks for an IP address might not hit the vhost you want. DNS resolution (A/AAAA record) is being performed unless you have an `/etc/hosts` entry for the hostname.
8282

83-
`--file <fname>` or the equivalent `-iL <fname>` are mass testing options. Per default it implicitly turns on `--warnings batch`. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file <fname>` . Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.
83+
`--file <fname>` or the equivalent `-iL <fname>` are mass testing options. Per default it implicitly turns on `--warnings batch`, unless warnings has been set to off before. In its first incarnation the mass testing option reads command lines from `fname`. `fname` consists of command lines of testssl, one line per instance. Comments after `#` are ignored, `EOF` signals the end of fname any subsequent lines will be ignored too. You can also supply additional options which will be inherited to each child, e.g. When invoking `testssl.sh --wide --log --file <fname>` . Each single line in `fname` is parsed upon execution. If there's a conflicting option and serial mass testing option is being performed the check will be aborted at the time it occurs and depending on the output option potentially leaving you with an output file without footer. In parallel mode the mileage varies, likely a line won't be scanned.
8484

8585
Alternatively `fname` can be in `nmap`'s grep(p)able output format (`-oG`). Only open ports will be considered. Multiple ports per line are allowed. The ports can be different and will be tested by testssl.sh according to common practice in the internet, i.e. if nmap shows in its output an open port 25, automatically `-t smtp` will be added before the URI whereas port 465 will be treated as a plain TLS/SSL port, not requiring an STARTTLS SMTP handshake upfront. This is done by an internal table which correlates nmap's open port detected to the STARTTLS/plain text decision from testssl.sh.
8686
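
Review bot: The new clause "unless warnings has been set to off before" on line 83 names neither the option nor what "before" refers to. Spell it as `--warnings off` in backticks like the other options in the paragraph, and say that it has to be in effect ahead of `--file`/`-iL`, which is what the `[[ "$WARNINGS" != off ]]` check in parse_cmd_line tests at the moment `--file` is parsed.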

testssl.sh

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2306,7 +2306,7 @@ s_client_options() {
23062306
fi
23072307
fi
23082308
fi
2309-
2309+
23102310
# In case of mutual TLS authentication is required by the server
23112311
# Note: the PEM certificate file must contain: client certificate and key (not encrypted)
23122312
if [[ -n "$MTLS" ]]; then
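
Review bot: Line 2309 is removed and re-added with no visible difference, so this is a whitespace-only edit inside s_client_options() that is unrelated to the fix for #2496. It is harmless, but keeping it out of this commit, or calling it out in the message, keeps blame on the mutual-TLS block clean.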
@@ -23585,7 +23585,8 @@ parse_cmd_line() {
2358523585
FNAME="$(parse_opt_equal_sign "$1" "$2")"
2358623586
[[ $? -eq 0 ]] && shift
2358723587
IKNOW_FNAME=true
23588-
WARNINGS="batch" # set this implicitly!
23588+
# If WARNINGS was set to "off, we shouldn't overwrite it, see #2496. "batch" is set implicitly otherwise
23589+
[[ "$WARNINGS" != off ]] && WARNINGS="batch"
2358923590
do_mass_testing=true
2359023591
;;
2359123592
--mode|--mode=*)
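
Review bot: The guard on line 23589 only helps when WARNINGS already holds exactly `off` at the moment the `--file`/`-iL` case is parsed, and nothing in this commit exercises that path; a regression test that runs with warnings off plus `--file` and asserts that WARNINGS stays `off` would pin the behaviour from #2496. The new comment on line 23588 also has an unbalanced quote (`"off,` should be `"off",`), and writing the comparison as `!= "off"` would match the quoting of `WARNINGS="batch"` on the same line.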
