git-svn-id: file:///var/lib/svn/clamav-devel/branches/newlimits@3592 77e5149b-7576-45b1-b177-96237e5ba77b
aCaB authored on 2008/02/07 11:00:21... | ... |
@@ -309,27 +309,36 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne |
309 | 309 |
logg("*Listening daemon: PID: %u\n", (unsigned int) mainpid); |
310 | 310 |
max_threads = cfgopt(copt, "MaxThreads")->numarg; |
311 | 311 |
|
312 |
- if(cfgopt(copt, "ScanArchive")->enabled) { |
|
312 |
+ if(cfgopt(copt, "ScanArchive")->enabled) { /* FIXMELIMITS: unparsed if archives disabled! */ |
|
313 | 313 |
|
314 | 314 |
/* set up limits */ |
315 | 315 |
memset(&limits, 0, sizeof(struct cl_limits)); |
316 | 316 |
|
317 |
- if((limits.maxfilesize = cfgopt(copt, "ArchiveMaxFileSize")->numarg)) { |
|
318 |
- logg("Archive: Archived file size limit set to %lu bytes.\n", limits.maxfilesize); |
|
317 |
+ logg("Archive support enabled.\n"); |
|
318 |
+ options |= CL_SCAN_ARCHIVE; |
|
319 |
+ |
|
320 |
+ if((limits.maxfilesize = cfgopt(copt, "MaxScanSize")->numarg)) { |
|
321 |
+ logg("Limits: Global size limit set to %lu bytes.\n", limits.maxscansize); |
|
322 |
+ } else { |
|
323 |
+ logg("^Limits: Global size limit protection disabled.\n"); |
|
324 |
+ } |
|
325 |
+ |
|
326 |
+ if((limits.maxfilesize = cfgopt(copt, "MaxFileSize")->numarg)) { |
|
327 |
+ logg("Limits: File size limit set to %lu bytes.\n", limits.maxfilesize); |
|
319 | 328 |
} else { |
320 |
- logg("^Archive: File size limit protection disabled.\n"); |
|
329 |
+ logg("^Limits: File size limit protection disabled.\n"); |
|
321 | 330 |
} |
322 | 331 |
|
323 |
- if((limits.maxreclevel = cfgopt(copt, "ArchiveMaxRecursion")->numarg)) { |
|
324 |
- logg("Archive: Recursion level limit set to %u.\n", limits.maxreclevel); |
|
332 |
+ if((limits.maxreclevel = cfgopt(copt, "MaxRecursion")->numarg)) { |
|
333 |
+ logg("Limits: Recursion level limit set to %u.\n", limits.maxreclevel); |
|
325 | 334 |
} else { |
326 |
- logg("^Archive: Recursion level limit protection disabled.\n"); |
|
335 |
+ logg("^Limits: Recursion level limit protection disabled.\n"); |
|
327 | 336 |
} |
328 | 337 |
|
329 |
- if((limits.maxfiles = cfgopt(copt, "ArchiveMaxFiles")->numarg)) { |
|
330 |
- logg("Archive: Files limit set to %u.\n", limits.maxfiles); |
|
338 |
+ if((limits.maxfiles = cfgopt(copt, "MaxFiles")->numarg)) { |
|
339 |
+ logg("Limits: Files limit set to %u.\n", limits.maxfiles); |
|
331 | 340 |
} else { |
332 |
- logg("^Archive: Files limit protection disabled.\n"); |
|
341 |
+ logg("^Limits: Files limit protection disabled.\n"); |
|
333 | 342 |
} |
334 | 343 |
|
335 | 344 |
if(cfgopt(copt, "ArchiveLimitMemoryUsage")->enabled) { |
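Review bot: The `MaxScanSize` value is assigned to the wrong field: `if((limits.maxfilesize = cfgopt(copt, "MaxScanSize")->numarg))` stores it in `maxfilesize`, while the `logg` call under it prints `limits.maxscansize`, which is still 0 from the `memset`. The `MaxFileSize` block that follows overwrites `maxfilesize`, so in the visible lines nothing sets the global scan-size limit and the log reports a limit that is not in force. The condition should read `if((limits.maxscansize = cfgopt(copt, "MaxScanSize")->numarg)) {`. The same mix-up is in the scanmanager hunk, where the megabyte branch of `--max-scansize` does `limits.maxfilesize = atoi(cpy) * 1024 * 1024;` and should assign `limits.maxscansize`. acceptloop_th starts and ends outside this hunk.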
... | ... |
@@ -338,22 +347,12 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne |
338 | 338 |
} else { |
339 | 339 |
limits.archivememlim = 0; |
340 | 340 |
} |
341 |
- } |
|
342 |
- |
|
343 |
- if(cfgopt(copt, "ScanArchive")->enabled) { |
|
344 |
- logg("Archive support enabled.\n"); |
|
345 |
- options |= CL_SCAN_ARCHIVE; |
|
346 | 341 |
|
347 | 342 |
if(cfgopt(copt, "ArchiveBlockEncrypted")->enabled) { |
348 | 343 |
logg("Archive: Blocking encrypted archives.\n"); |
349 | 344 |
options |= CL_SCAN_BLOCKENCRYPTED; |
350 | 345 |
} |
351 | 346 |
|
352 |
- if(cfgopt(copt, "ArchiveBlockMax")->enabled) { |
|
353 |
- logg("Archive: Blocking archives that exceed limits.\n"); |
|
354 |
- options |= CL_SCAN_BLOCKMAX; |
|
355 |
- } |
|
356 |
- |
|
357 | 347 |
} else { |
358 | 348 |
logg("Archive support disabled.\n"); |
359 | 349 |
} |
... | ... |
@@ -144,11 +144,22 @@ int main(int argc, char **argv) |
144 | 144 |
|
145 | 145 |
/* validate some numerical options */ |
146 | 146 |
|
147 |
- if(opt_check(opt, "max-space")) { |
|
148 |
- pt = opt_arg(opt, "max-space"); |
|
147 |
+ if(opt_check(opt, "max-scansize")) { |
|
148 |
+ pt = opt_arg(opt, "max-scansize"); |
|
149 | 149 |
if(!strchr(pt, 'M') && !strchr(pt, 'm')) { |
150 | 150 |
if(!isnumb(pt)) { |
151 |
- logg("!--max-space requires a natural number\n"); |
|
151 |
+ logg("!--max-scansize requires a natural number\n"); |
|
152 |
+ opt_free(opt); |
|
153 |
+ return 40; |
|
154 |
+ } |
|
155 |
+ } |
|
156 |
+ } |
|
157 |
+ |
|
158 |
+ if(opt_check(opt, "max-filesize")) { |
|
159 |
+ pt = opt_arg(opt, "max-filesize"); |
|
160 |
+ if(!strchr(pt, 'M') && !strchr(pt, 'm')) { |
|
161 |
+ if(!isnumb(pt)) { |
|
162 |
+ logg("!--max-filesize requires a natural number\n"); |
|
152 | 163 |
opt_free(opt); |
153 | 164 |
return 40; |
154 | 165 |
} |
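Review bot: A `--max-scansize` or `--max-filesize` value is only checked with `isnumb` when it contains no `M`/`m` at all, so anything with an `m` in it (for example `xM`) passes this validation. The parsing shown for scanmanager uses `atoi`, which would turn such a value into 0, and the clamd.conf text on this page says 0 disables a limit; presumably the same holds for clamscan, so a typo could silently switch off the size protection. Accept only digits with an optional single trailing `M`/`m`, as sketched below for `--max-scansize`; the `--max-filesize` block needs the same check and its closing lines are outside the hunk.

```c
if(opt_check(opt, "max-scansize")) {
    size_t digits;

    pt = opt_arg(opt, "max-scansize");
    digits = strspn(pt, "0123456789");
    /* valid forms: N, or N followed by exactly one trailing M/m */
    if(!digits || (pt[digits] && ((pt[digits] != 'M' && pt[digits] != 'm') || pt[digits + 1]))) {
	logg("!--max-scansize requires a natural number\n");
	opt_free(opt);
	return 40;
    }
}
/* … unchanged: max-filesize validation, to be tightened the same way … */
```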
... | ... |
@@ -311,14 +322,11 @@ void help(void) |
311 | 311 |
mprintf(" --block-max Block archives that exceed limits\n"); |
312 | 312 |
mprintf(" --mail-follow-urls Download and scan URLs\n"); |
313 | 313 |
mprintf("\n"); |
314 |
- mprintf(" --max-space=#n Only extract first #n kilobytes from\n"); |
|
315 |
- mprintf(" archived files\n"); |
|
316 |
- mprintf(" --max-files=#n Only extract first #n files from\n"); |
|
317 |
- mprintf(" archives\n"); |
|
318 |
- mprintf(" --max-ratio=#n Maximum compression ratio limit\n"); |
|
314 |
+ mprintf(" --max-scansize=#n FIXMELIMITS\n"); |
|
315 |
+ mprintf(" --max-filesize=#n FIXMELIMITS\n"); |
|
316 |
+ mprintf(" --max-files=#n FIXMELIMITS\n"); |
|
319 | 317 |
mprintf(" --max-recursion=#n Maximum archive recursion level\n"); |
320 | 318 |
mprintf(" --max-dir-recursion=#n Maximum directory recursion level\n"); |
321 |
- mprintf(" --max-mail-recursion=#n Maximum mail recursion level\n"); |
|
322 | 319 |
mprintf(" --unzip[=FULLPATH] Enable support for .zip files\n"); |
323 | 320 |
mprintf(" --unrar[=FULLPATH] Enable support for .rar files\n"); |
324 | 321 |
mprintf(" --arj[=FULLPATH] Enable support for .arj files\n"); |
... | ... |
@@ -54,7 +54,8 @@ static struct option clamscan_longopt[] = { |
54 | 54 |
{"include", 1, 0, 0}, |
55 | 55 |
{"include-dir", 1, 0, 0}, |
56 | 56 |
{"max-files", 1, 0, 0}, |
57 |
- {"max-space", 1, 0, 0}, |
|
57 |
+ {"max-filesize", 1, 0, 0}, |
|
58 |
+ {"max-scansize", 1, 0, 0}, |
|
58 | 59 |
{"max-recursion", 1, 0, 0}, |
59 | 60 |
{"max-dir-recursion", 1, 0, 0}, |
60 | 61 |
{"detect-pua", 0, 0, 0}, |
... | ... |
@@ -220,9 +220,22 @@ int scanmanager(const struct optstruct *opt) |
220 | 220 |
/* set limits */ |
221 | 221 |
memset(&limits, 0, sizeof(struct cl_limits)); |
222 | 222 |
|
223 |
- if(opt_check(opt, "max-space")) { |
|
223 |
+ if(opt_check(opt, "max-scansize")) { |
|
224 | 224 |
char *cpy, *ptr; |
225 |
- ptr = opt_arg(opt, "max-space"); |
|
225 |
+ ptr = opt_arg(opt, "max-scansize"); |
|
226 |
+ if(tolower(ptr[strlen(ptr) - 1]) == 'm') { |
|
227 |
+ cpy = calloc(strlen(ptr), 1); |
|
228 |
+ strncpy(cpy, ptr, strlen(ptr) - 1); |
|
229 |
+ limits.maxfilesize = atoi(cpy) * 1024 * 1024; |
|
230 |
+ free(cpy); |
|
231 |
+ } else |
|
232 |
+ limits.maxscansize = atoi(ptr) * 1024; |
|
233 |
+ } else |
|
234 |
+ limits.maxscansize = 104857600; /* FIXMELIMITS */ |
|
235 |
+ |
|
236 |
+ if(opt_check(opt, "max-filesize")) { |
|
237 |
+ char *cpy, *ptr; |
|
238 |
+ ptr = opt_arg(opt, "max-filesize"); |
|
226 | 239 |
if(tolower(ptr[strlen(ptr) - 1]) == 'm') { |
227 | 240 |
cpy = calloc(strlen(ptr), 1); |
228 | 241 |
strncpy(cpy, ptr, strlen(ptr) - 1); |
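Review bot: `atoi(cpy) * 1024 * 1024` and `atoi(ptr) * 1024` in the new `--max-scansize` block are computed in `int`, so a value of 2048M or more overflows (undefined for signed arithmetic) before it reaches `limits`; with a 100 MB default, large values are plausible here. The block also hands the unchecked `calloc` result to `strncpy` and indexes `ptr[strlen(ptr) - 1]`, which reads before the string when the argument is empty. Parsing once with `strtoul`, checking the range before multiplying, and keeping the built-in default on an unusable value avoids the temporary copy; the sketch assumes `maxscansize` is `unsigned long` (the `%lu` in the clamd log line suggests so) and needs `<errno.h>` and `<limits.h>`. The `--max-filesize` block continues outside the hunk and has the same pattern.

```c
if(opt_check(opt, "max-scansize")) {
    char *arg = opt_arg(opt, "max-scansize"), *end;
    unsigned long val, unit = 1024;	/* bare number is kilobytes */

    errno = 0;
    val = strtoul(arg, &end, 10);
    if((*end == 'M' || *end == 'm') && end[1] == '\0')
	unit = 1024 * 1024;
    if(end == arg || errno == ERANGE || val > ULONG_MAX / unit)
	limits.maxscansize = 104857600;	/* unusable value: keep the default */
    else
	limits.maxscansize = val * unit;
}
/* … unchanged: else branch with the default, then the max-filesize block … */
```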
... | ... |
@@ -231,7 +244,7 @@ int scanmanager(const struct optstruct *opt) |
231 | 231 |
} else |
232 | 232 |
limits.maxfilesize = atoi(ptr) * 1024; |
233 | 233 |
} else |
234 |
- limits.maxfilesize = 10485760; |
|
234 |
+ limits.maxfilesize = 10485760; /* FIXMELIMITS */ |
|
235 | 235 |
|
236 | 236 |
if(opt_check(opt, "max-files")) |
237 | 237 |
limits.maxfiles = atoi(opt_arg(opt, "max-files")); |
... | ... |
@@ -412,9 +425,10 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir |
412 | 412 |
else |
413 | 413 |
maxfiles = 0; |
414 | 414 |
|
415 |
- if(opt_check(opt, "max-space")) { |
|
415 |
+ /* FIXMELIMITS */ |
|
416 |
+ if(opt_check(opt, "max-filesize")) { |
|
416 | 417 |
char *cpy, *ptr; |
417 |
- ptr = opt_arg(opt, "max-space"); |
|
418 |
+ ptr = opt_arg(opt, "max-filesize"); |
|
418 | 419 |
if(tolower(ptr[strlen(ptr) - 1]) == 'm') { /* megabytes */ |
419 | 420 |
cpy = calloc(strlen(ptr), 1); |
420 | 421 |
strncpy(cpy, ptr, strlen(ptr) - 1); |
... | ... |
@@ -224,10 +224,6 @@ LocalSocket /tmp/clamd.socket |
224 | 224 |
# Default: no |
225 | 225 |
#MailFollowURLs no |
226 | 226 |
|
227 |
-# Recursion level limit for the mail scanner. |
|
228 |
-# Default: 64 |
|
229 |
-#MailMaxRecursion 128 |
|
230 |
- |
|
231 | 227 |
# With this option enabled ClamAV will try to detect phishing attempts by using |
232 | 228 |
# signatures. |
233 | 229 |
# Default: yes |
... | ... |
@@ -270,28 +266,27 @@ LocalSocket /tmp/clamd.socket |
270 | 270 |
# The options below protect your system against Denial of Service attacks |
271 | 271 |
# using archive bombs. |
272 | 272 |
|
273 |
+# FIXMELIMITS |
|
274 |
+# Value of 0 disables the limit. |
|
275 |
+# Default: FIXMELIMITS |
|
276 |
+#MaxScanSize 15M |
|
277 |
+ |
|
273 | 278 |
# Files in archives larger than this limit won't be scanned. |
274 | 279 |
# Value of 0 disables the limit. |
275 | 280 |
# Default: 10M |
276 |
-#ArchiveMaxFileSize 15M |
|
281 |
+#MaxFileSize 15M |
|
277 | 282 |
|
278 | 283 |
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR |
279 | 284 |
# file, all files within it will also be scanned. This options specifies how |
280 | 285 |
# deeply the process should be continued. |
281 | 286 |
# Value of 0 disables the limit. |
282 | 287 |
# Default: 8 |
283 |
-#ArchiveMaxRecursion 10 |
|
288 |
+#MaxRecursion 10 |
|
284 | 289 |
|
285 | 290 |
# Number of files to be scanned within an archive. |
286 | 291 |
# Value of 0 disables the limit. |
287 | 292 |
# Default: 1000 |
288 |
-#ArchiveMaxFiles 1500 |
|
289 |
- |
|
290 |
-# If a file in an archive is compressed more than ArchiveMaxCompressionRatio |
|
291 |
-# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip) |
|
292 |
-# Value of 0 disables the limit. |
|
293 |
-# Default: 250 |
|
294 |
-#ArchiveMaxCompressionRatio 300 |
|
293 |
+#MaxFiles 1500 |
|
295 | 294 |
|
296 | 295 |
# Use slower but memory efficient decompression algorithm. |
297 | 296 |
# only affects the bzip2 decompressor. |
... | ... |
@@ -302,12 +297,6 @@ LocalSocket /tmp/clamd.socket |
302 | 302 |
# Default: no |
303 | 303 |
#ArchiveBlockEncrypted no |
304 | 304 |
|
305 |
-# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit) |
|
306 |
-# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is |
|
307 |
-# reached. |
|
308 |
-# Default: no |
|
309 |
-#ArchiveBlockMax no |
|
310 |
- |
|
311 | 305 |
|
312 | 306 |
## |
313 | 307 |
## Clamuko settings |
... | ... |
@@ -47,7 +47,6 @@ struct cfgoption cfg_options[] = { |
47 | 47 |
{"DetectBrokenExecutables", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
48 | 48 |
{"ScanMail", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
49 | 49 |
{"MailFollowURLs", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
50 |
- {"MailMaxRecursion", OPT_NUM, 64, NULL, 0, OPT_CLAMD}, |
|
51 | 50 |
{"PhishingSignatures", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
52 | 51 |
{"PhishingScanURLs",OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
53 | 52 |
/* these are FP prone options, if default isn't used */ |
... | ... |
@@ -61,13 +60,12 @@ struct cfgoption cfg_options[] = { |
61 | 61 |
{"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
62 | 62 |
{"ScanPDF", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
63 | 63 |
{"ScanArchive", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
64 |
- {"ArchiveMaxFileSize", OPT_COMPSIZE, 10485760, NULL, 0, OPT_CLAMD}, |
|
65 |
- {"ArchiveMaxRecursion", OPT_NUM, 8, NULL, 0, OPT_CLAMD}, |
|
66 |
- {"ArchiveMaxFiles", OPT_NUM, 1000, NULL, 0, OPT_CLAMD}, |
|
67 |
- {"ArchiveMaxCompressionRatio", OPT_NUM, 250, NULL, 0, OPT_CLAMD}, |
|
64 |
+ {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD}, /* FIXMELIMITS */ |
|
65 |
+ {"MaxFileSize", OPT_COMPSIZE, 10485760, NULL, 0, OPT_CLAMD}, |
|
66 |
+ {"MaxRecursion", OPT_NUM, 8, NULL, 0, OPT_CLAMD}, |
|
67 |
+ {"MaxFiles", OPT_NUM, 1000, NULL, 0, OPT_CLAMD}, |
|
68 | 68 |
{"ArchiveLimitMemoryUsage", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
69 | 69 |
{"ArchiveBlockEncrypted", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
70 |
- {"ArchiveBlockMax", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
|
71 | 70 |
{"DatabaseDirectory", OPT_QUOTESTR, -1, DATADIR, 0, OPT_CLAMD | OPT_FRESHCLAM}, |
72 | 71 |
{"TCPAddr", OPT_QUOTESTR, -1, NULL, 0, OPT_CLAMD}, |
73 | 72 |
{"TCPSocket", OPT_NUM, -1, NULL, 0, OPT_CLAMD}, |
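Review bot: The old directive names (`ArchiveMaxFileSize`, `ArchiveMaxRecursion`, `ArchiveMaxFiles`, `ArchiveMaxCompressionRatio`, `ArchiveBlockMax`, and `MailMaxRecursion` in the earlier hunk) leave `cfg_options` with no alias or deprecation entry. How the parser treats a directive that is missing from this table is not visible here, but an existing clamd.conf that tightens these limits would either be rejected or have the setting ignored and fall back to the defaults. A comment above the new entries, for example `/* MaxFileSize, MaxRecursion, MaxFiles replace the Archive* names */`, together with an upgrade note, would make the rename visible to operators.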