git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@551 77e5149b-7576-45b1-b177-96237e5ba77b
Nigel Horne authored on 2004/05/10 20:27:36... | ... |
@@ -1,3 +1,10 @@ |
1 |
+Mon May 10 12:25:09 BST 2004 (njh) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav: Don't call cli_filetype() so often since it gives |
|
4 |
+ false positives about the start of bounce messages which |
|
5 |
+ opens up DoS attacks, and allows worms hidden in bounce |
|
6 |
+ messages to be hidden with ease |
|
7 |
+ |
|
1 | 8 |
Mon May 10 02:43:32 CEST 2004 (tk) |
2 | 9 |
---------------------------------- |
3 | 10 |
* clamscan, sigtool: compare clamav.conf's DatabaseDirectory against the |
... | ... |
@@ -17,6 +17,9 @@ |
17 | 17 |
* |
18 | 18 |
* Change History: |
19 | 19 |
* $Log: mbox.c,v $ |
20 |
+ * Revision 1.70 2004/05/10 11:24:18 nigelhorne |
|
21 |
+ * Handle bounce message false positives |
|
22 |
+ * |
|
20 | 23 |
* Revision 1.69 2004/05/06 11:26:49 nigelhorne |
21 | 24 |
* Force attachments marked as RFC822 messages to be scanned |
22 | 25 |
* |
... | ... |
@@ -198,7 +201,7 @@ |
198 | 198 |
* Compilable under SCO; removed duplicate code with message.c |
199 | 199 |
* |
200 | 200 |
*/ |
201 |
-static char const rcsid[] = "$Id: mbox.c,v 1.69 2004/05/06 11:26:49 nigelhorne Exp $"; |
|
201 |
+static char const rcsid[] = "$Id: mbox.c,v 1.70 2004/05/10 11:24:18 nigelhorne Exp $"; |
|
202 | 202 |
|
203 | 203 |
#if HAVE_CONFIG_H |
204 | 204 |
#include "clamav-config.h" |
... | ... |
@@ -1432,26 +1435,28 @@ parseEmailBody(message *messageIn, blob **blobsIn, int nBlobs, text *textIn, con |
1432 | 1432 |
} |
1433 | 1433 |
blobDestroy(b); |
1434 | 1434 |
} |
1435 |
- } else if((encodingLine(mainMessage) != NULL) && |
|
1436 |
- ((t_line = bounceBegin(mainMessage)) != NULL)) { |
|
1437 |
- /* |
|
1438 |
- * Attempt to save the original (unbounced) |
|
1439 |
- * message - clamscan will find that in the |
|
1440 |
- * directory and call us again (with any luck) |
|
1441 |
- * having found an e-mail message to handle |
|
1442 |
- */ |
|
1443 |
- if((b = textToBlob(t_line, NULL)) != NULL) { |
|
1444 |
- cli_dbgmsg("Found a bounce message\n"); |
|
1445 |
- |
|
1446 |
- saveFile(b, dir); |
|
1447 |
- |
|
1448 |
- blobDestroy(b); |
|
1449 |
- } |
|
1450 | 1435 |
} else { |
1451 | 1436 |
bool saveIt; |
1437 |
+ bool savedBounce = FALSE; |
|
1452 | 1438 |
|
1453 | 1439 |
cli_dbgmsg("Not found uuencoded file\n"); |
1454 | 1440 |
|
1441 |
+ if((encodingLine(mainMessage) != NULL) && |
|
1442 |
+ ((t_line = bounceBegin(mainMessage)) != NULL)) |
|
1443 |
+ /* |
|
1444 |
+ * Attempt to save the original (unbounced) |
|
1445 |
+ * message - clamscan will find that in the |
|
1446 |
+ * directory and call us again (with any luck) |
|
1447 |
+ * having found an e-mail message to handle |
|
1448 |
+ */ |
|
1449 |
+ if((b = textToBlob(t_line, NULL)) != NULL) { |
|
1450 |
+ cli_dbgmsg("Found a bounce message\n"); |
|
1451 |
+ |
|
1452 |
+ saveFile(b, dir); |
|
1453 |
+ |
|
1454 |
+ blobDestroy(b); |
|
1455 |
+ savedBounce = TRUE; |
|
1456 |
+ } |
|
1455 | 1457 |
if(messageGetMimeType(mainMessage) == MESSAGE) |
1456 | 1458 |
/* |
1457 | 1459 |
* Quick peek, if the encapsulated |
... | ... |
@@ -1465,7 +1470,7 @@ parseEmailBody(message *messageIn, blob **blobsIn, int nBlobs, text *textIn, con |
1465 | 1465 |
* Some bounces include the message |
1466 | 1466 |
* body without the headers |
1467 | 1467 |
*/ |
1468 |
- if((b = blobCreate()) != NULL) { |
|
1468 |
+ if((!savedBounce) && ((b = blobCreate()) != NULL)) { |
|
1469 | 1469 |
cli_dbgmsg("Found a bounce message with no header\n"); |
1470 | 1470 |
blobAddData(b, "Received: by clamd\n", 19); |
1471 | 1471 |
|
... | ... |
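Review bot: `savedBounce = TRUE;` (new line 1455) is set unconditionally after `saveFile(b, dir);` whose result is not examined, so if writing the bounced copy to `dir` fails, the headerless-bounce fallback that the second hunk now guards with `!savedBounce` (new line 1468) is skipped as well and the enclosed message reaches neither path; if saveFile reports failure, tie the flag to it, `if(saveFile(b, dir)) savedBounce = TRUE;`, or otherwise set it only where success is known. Separately, the new outer `if((encodingLine(mainMessage) != NULL) && ((t_line = bounceBegin(mainMessage)) != NULL))` has no braces and its body is the inner `if` with only a comment block between them; bracing the outer statement avoids a dangling-else should an `else` later be attached to either `if`. parseEmailBody starts and ends outside the hunk.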
@@ -17,6 +17,9 @@ |
17 | 17 |
* |
18 | 18 |
* Change History: |
19 | 19 |
* $Log: message.c,v $ |
20 |
+ * Revision 1.55 2004/05/10 11:24:18 nigelhorne |
|
21 |
+ * Handle bounce message false positives |
|
22 |
+ * |
|
20 | 23 |
* Revision 1.54 2004/05/06 18:01:25 nigelhorne |
21 | 24 |
* Force attachments marked as RFC822 messages to be scanned |
22 | 25 |
* |
... | ... |
@@ -159,7 +162,7 @@ |
159 | 159 |
* uuencodebegin() no longer static |
160 | 160 |
* |
161 | 161 |
*/ |
162 |
-static char const rcsid[] = "$Id: message.c,v 1.54 2004/05/06 18:01:25 nigelhorne Exp $"; |
|
162 |
+static char const rcsid[] = "$Id: message.c,v 1.55 2004/05/10 11:24:18 nigelhorne Exp $"; |
|
163 | 163 |
|
164 | 164 |
#if HAVE_CONFIG_H |
165 | 165 |
#include "clamav-config.h" |
... | ... |
@@ -735,6 +738,15 @@ messageAddLine(message *m, const char *line, int takeCopy) |
735 | 735 |
/* |
736 | 736 |
* See if this line marks the start of a non MIME inclusion that |
737 | 737 |
* will need to be scanned |
738 |
+ * |
|
739 |
+ * Notes that X- lines are not taken as start of mails because |
|
740 |
+ * cli_filetype() is too keen: any line it finds that starts X- |
|
741 |
+ * is seen to be the start of a new message, which results in too |
|
742 |
+ * many false positives for locating the possible start of a bounce, |
|
743 |
+ * and allows some instances of Worm.SomeFool.Gen-1 to get through in |
|
744 |
+ * bounce messages which end up not being correctly handled because |
|
745 |
+ * the real start of a bounce header is missed because of the earlier |
|
746 |
+ * false positive |
|
738 | 747 |
*/ |
739 | 748 |
if(line) { |
740 | 749 |
if((m->encoding == NULL) && |
... | ... |
@@ -742,6 +754,7 @@ messageAddLine(message *m, const char *line, int takeCopy) |
742 | 742 |
(strstr(line, "7bit") == NULL)) |
743 | 743 |
m->encoding = m->body_last; |
744 | 744 |
else if((m->bounce == NULL) && |
745 |
+ (strncmp(line, "X-", 2) != 0) && /*!!*/ |
|
745 | 746 |
(cli_filetype(line, strlen(line)) == CL_MAILFILE)) |
746 | 747 |
m->bounce = m->body_last; |
747 | 748 |
else if((m->binhex == NULL) && |
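Review bot: The guard added at new line 745, `(strncmp(line, "X-", 2) != 0)`, is case-sensitive while RFC 822 header names are not, so a line beginning `x-` still reaches cli_filetype(); if its X- patterns match regardless of case, `(strncasecmp(line, "X-", 2) != 0)` would make the exclusion cover the same false positives the surrounding comment describes. The `/*!!*/` marker on that line tells a later reader nothing; the rationale sits in the comment block earlier in messageAddLine, so either drop the marker or replace it with `/* skip X- lines: cli_filetype() takes them as a mail start */`. messageAddLine's body continues outside the hunk.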