git-svn: trunk@3240
Nigel Horne authored on 2007/09/23 22:37:03... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Sun Sep 23 13:49:12 BST 2007 (njh) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/mbox.c: MailFollowURLS: Prefer .exes for download, catches |
|
4 |
+ Trojan.IRC-Script-33 |
|
5 |
+ |
|
1 | 6 |
Sat Sep 22 18:14:49 EEST 2007 (edwin) |
2 | 7 |
------------------------------------- |
3 | 8 |
* libclamav/cvd.c: seek on the underlying file descriptor and not FILE*. |
... | ... |
@@ -36,6 +36,8 @@ static char const rcsid[] = "$Id: mbox.c,v 1.381 2007/02/15 12:26:44 njh Exp $"; |
36 | 36 |
#endif |
37 | 37 |
#endif |
38 | 38 |
|
39 |
+#define _GNU_SOURCE |
|
40 |
+ |
|
39 | 41 |
#include <stdio.h> |
40 | 42 |
#include <stdlib.h> |
41 | 43 |
#include <errno.h> |
... | ... |
@@ -156,7 +158,7 @@ typedef enum { |
156 | 156 |
#endif |
157 | 157 |
#endif |
158 | 158 |
|
159 |
-#if (!defined(C_WINDOWS)) && !defined(C_BEOS) |
|
159 |
+#ifndef C_WINDOWS |
|
160 | 160 |
#define closesocket(s) close(s) |
161 | 161 |
#define SOCKET int |
162 | 162 |
#endif |
... | ... |
@@ -184,6 +186,10 @@ typedef unsigned int in_addr_t; |
184 | 184 |
#define EISCONN WSAEISCONN |
185 | 185 |
#endif |
186 | 186 |
|
187 |
+#ifdef C_WINDOWS |
|
188 |
+#define strcasestr(h, n) strstr(h, n) /* This will cause isBounceMessage() to match too much */ |
|
189 |
+#endif |
|
190 |
+ |
|
187 | 191 |
/* |
188 | 192 |
* Define this to handle messages covered by section 7.3.2 of RFC1341. |
189 | 193 |
* This is experimental code so it is up to YOU to (1) ensure it's secure |
... | ... |
@@ -2835,7 +2841,7 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
2835 | 2835 |
* Don't bother with text/plain or |
2836 | 2836 |
* text/html |
2837 | 2837 |
*/ |
2838 |
- if(strstr(s, "text/plain") != NULL) |
|
2838 |
+ if(strcasestr(s, "text/plain") != NULL) |
|
2839 | 2839 |
/* |
2840 | 2840 |
* Don't bother to save the |
2841 | 2841 |
* unuseful part, read past |
... | ... |
@@ -2845,7 +2851,7 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re |
2845 | 2845 |
*/ |
2846 | 2846 |
continue; |
2847 | 2847 |
if((!doPhishingScan) && |
2848 |
- (strstr(s, "text/html") != NULL)) |
|
2848 |
+ (strcasestr(s, "text/html") != NULL)) |
|
2849 | 2849 |
continue; |
2850 | 2850 |
break; |
2851 | 2851 |
} |
... | ... |
@@ -3993,6 +3999,31 @@ do_checkURLs(const char *dir, tag_arguments_t *hrefs) |
3993 | 3993 |
|
3994 | 3994 |
n = 0; |
3995 | 3995 |
|
3996 |
+ /* |
|
3997 |
+ * Sort .exes higher up so that there's more chance they'll be |
|
3998 |
+ * downloaded and scanned |
|
3999 |
+ */ |
|
4000 |
+ for(i = FOLLOWURLS; (i < hrefs->count) && (n < FOLLOWURLS); i++) { |
|
4001 |
+ const char *url = (const char *)hrefs->value[i]; |
|
4002 |
+ const char *ptr; |
|
4003 |
+ |
|
4004 |
+ if(strncasecmp("http://", url, 7) != 0) |
|
4005 |
+ continue; |
|
4006 |
+ |
|
4007 |
+ ptr = strrchr(url, '.'); |
|
4008 |
+ if(ptr == NULL) |
|
4009 |
+ continue; |
|
4010 |
+ if(strcasecmp(ptr, ".exe") == 0) { |
|
4011 |
+ /* FIXME: Could be swapping with another .exe */ |
|
4012 |
+ cli_dbgmsg("swap %s %s\n", hrefs->value[n], hrefs->value[i]); |
|
4013 |
+ ptr = hrefs->value[n]; |
|
4014 |
+ hrefs->value[n++] = url; |
|
4015 |
+ hrefs->value[i] = ptr; |
|
4016 |
+ } |
|
4017 |
+ } |
|
4018 |
+ |
|
4019 |
+ n = 0; |
|
4020 |
+ |
|
3996 | 4021 |
for(i = 0; i < hrefs->count; i++) { |
3997 | 4022 |
const char *url = (const char *)hrefs->value[i]; |
3998 | 4023 |
|
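Review bot: The `.exe` test in the new sort loop (new lines 4007-4010) compares whatever follows the last `.` in the whole URL, so a link with a query string or fragment after the file name (a constructed example: `http://host/a.exe?x=1`) is never moved up, and that text is chosen by whoever wrote the message. Consider bounding the comparison to the part before any query or fragment, e.g. `size_t len = strcspn(url, "?#");` followed by `if(len >= 4 && strncasecmp(url + len - 4, ".exe", 4) == 0)`. The swap also stores the `const char *` values `url` and `ptr` back into `hrefs->value`, whose elements needed a cast at line 4001, so the const qualifier is silently dropped there. If `tag_arguments_t` keeps other per-link arrays alongside `value` (not visible in this hunk), they would no longer line up with `value` after the swap and should be swapped together. do_checkURLs begins and ends outside this hunk.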