git-svn: trunk@2621
Tomasz Kojm authored on 2007/01/14 04:39:21... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Sat Jan 13 20:37:22 CET 2007 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * clamscan, libclamav: phishing fixes (bb#157) |
|
4 |
+ |
|
1 | 5 |
Sat Jan 13 17:55:25 CET 2007 (tk) |
2 | 6 |
--------------------------------- |
3 | 7 |
* libclamav, freshclam: add dbdir locking mechanism (closes bb#113, #143) |
... | ... |
@@ -43,7 +47,6 @@ Fri Jan 12 18:51:33 CET 2007 (acab) |
43 | 43 |
* libclamav: add MEW support from Michal Spadlinski <gim913 * gmail.com> |
44 | 44 |
Part of the Google Summer of Code program |
45 | 45 |
|
46 |
->>>>>>> 1.1692 |
|
47 | 46 |
Fri Jan 12 18:35:02 CET 2007 (tk) |
48 | 47 |
--------------------------------- |
49 | 48 |
* libclamav/phishcheck.c: add img url link-type filtering (patch from Edwin) |
... | ... |
@@ -97,13 +97,13 @@ int scanmanager(const struct optstruct *opt) |
97 | 97 |
dboptions |= CL_DB_PHISHING_URLS; |
98 | 98 |
if(!opt_check(opt,"no-phishing-restrictedscan")) { |
99 | 99 |
/* not scanning all domains, check only URLs with domains from .pdb */ |
100 |
- dboptions |= CL_SCAN_PHISHING_DOMAINLIST; |
|
100 |
+ options |= CL_SCAN_PHISHING_DOMAINLIST; |
|
101 | 101 |
} |
102 | 102 |
if(opt_check(opt,"phishing-ssl")) { |
103 |
- dboptions |= CL_SCAN_PHISHING_BLOCKSSL; |
|
103 |
+ options |= CL_SCAN_PHISHING_BLOCKSSL; |
|
104 | 104 |
} |
105 | 105 |
if(opt_check(opt,"phishing-cloak")) { |
106 |
- dboptions |= CL_SCAN_PHISHING_BLOCKCLOAK; |
|
106 |
+ options |= CL_SCAN_PHISHING_BLOCKCLOAK; |
|
107 | 107 |
} |
108 | 108 |
#endif |
109 | 109 |
|
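Review bot: Nothing at this block says which flag family belongs in which variable, and the mistake being corrected (`CL_SCAN_PHISHING_*` bits OR-ed into `dboptions` next to `CL_DB_PHISHING_URLS`) compiled silently because both are plain integer masks. A one-line comment above the first `opt_check` would make the split reviewable, for example `/* CL_DB_* bits go in dboptions, CL_SCAN_* bits go in options */`. The declaration of `options` and the calls that consume it are outside the hunk, so it is worth confirming that this is the mask actually handed to the scan routines; otherwise the restricted-scan, SSL and cloaking settings would still have no effect. scanmanager's body starts and ends outside the hunk.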
... | ... |
@@ -19,6 +19,9 @@ |
19 | 19 |
* MA 02110-1301, USA. |
20 | 20 |
* |
21 | 21 |
* $Log: phish_whitelist.c,v $ |
22 |
+ * Revision 1.7 2007/01/13 19:39:21 tkojm |
|
23 |
+ * phishing fixes (bb#157) |
|
24 |
+ * |
|
22 | 25 |
* Revision 1.6 2006/10/10 23:51:49 tkojm |
23 | 26 |
* apply patches for the anti-phish code from Edwin |
24 | 27 |
* |
... | ... |
@@ -104,6 +107,7 @@ |
104 | 104 |
int whitelist_match(const struct cl_engine* engine,const char* real_url,const char* display_url,int hostOnly) |
105 | 105 |
{ |
106 | 106 |
const char* info;/*unused*/ |
107 |
+ cli_dbgmsg("Phishing: looking up in whitelist:%s:%s; hostonly:%d\n",real_url,display_url,hostOnly); |
|
107 | 108 |
return engine->whitelist_matcher ? regex_list_match(engine->whitelist_matcher,real_url,display_url,hostOnly,&info,1) : 0; |
108 | 109 |
} |
109 | 110 |
|
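Review bot: The new `cli_dbgmsg` call runs before the `engine->whitelist_matcher` test on the next line, so it reports "looking up in whitelist" even when no whitelist is loaded and the function simply returns 0; emitting it only when the matcher is present, or rewording it, keeps debug traces accurate. `real_url` and `display_url` are printed verbatim with `%s`, and on this path they presumably originate from the scanned message, so the debug log can carry sender-chosen bytes such as control characters, and a NULL argument would be undefined behaviour for `%s`; neither case is guarded in the lines shown. The local `info` is marked `/*unused*/` although its address is passed to `regex_list_match`, so that comment could be reworded to `/* filled in by regex_list_match, not read here */` at the same time.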
... | ... |
@@ -19,6 +19,9 @@ |
19 | 19 |
* MA 02110-1301, USA. |
20 | 20 |
* |
21 | 21 |
* $Log: phishcheck.c,v $ |
22 |
+ * Revision 1.19 2007/01/13 19:39:21 tkojm |
|
23 |
+ * phishing fixes (bb#157) |
|
24 |
+ * |
|
22 | 25 |
* Revision 1.18 2007/01/12 17:36:53 tkojm |
23 | 26 |
* add img url link-type filtering |
24 | 27 |
* |
... | ... |
@@ -954,6 +957,7 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs) |
954 | 954 |
if(hrefs->contents[i]) { |
955 | 955 |
struct url_check urls; |
956 | 956 |
enum phish_status rc; |
957 |
+ urls.always_check_flags = DOMAINLIST_REQUIRED;/* required to work correctly */ |
|
957 | 958 |
urls.flags = strncmp((char*)hrefs->tag[i],href_text,href_text_len)? (CL_PHISH_ALL_CHECKS&~CHECK_SSL): CL_PHISH_ALL_CHECKS; |
958 | 959 |
urls.link_type = 0; |
959 | 960 |
if(!strncmp((char*)hrefs->tag[i],src_text,src_text_len)) { |
... | ... |
@@ -1202,7 +1206,7 @@ int url_get_host(const struct phishcheck* pchk, struct url_check* url,struct url |
1202 | 1202 |
string_free(host); |
1203 | 1203 |
return CL_PHISH_TEXTURL; |
1204 | 1204 |
} |
1205 |
- if(!regexec(&pchk->preg_hexurl,host->data,0,NULL,0)) { |
|
1205 |
+ if(url->flags&CHECK_CLOAKING && !regexec(&pchk->preg_hexurl,host->data,0,NULL,0)) { |
|
1206 | 1206 |
/* use a regex here, so that we don't accidentally block 0xacab.net style hosts */ |
1207 | 1207 |
string_free(host); |
1208 | 1208 |
return CL_PHISH_HEX_URL; |
... | ... |
@@ -1302,7 +1306,7 @@ enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check* |
1302 | 1302 |
|
1303 | 1303 |
if(urls->flags&DOMAINLIST_REQUIRED) { |
1304 | 1304 |
if(!(phishy&DOMAIN_LISTED)) { |
1305 |
- if(domainlist_match(engine,urls->displayLink.data,urls->realLink.data,1,&urls->flags)) |
|
1305 |
+ if(domainlist_match(engine,host_url.displayLink.data,host_url.realLink.data,1,&urls->flags)) |
|
1306 | 1306 |
phishy |= DOMAIN_LISTED; |
1307 | 1307 |
else { |
1308 | 1308 |
} |
... | ... |
@@ -1451,6 +1455,8 @@ enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check* |
1451 | 1451 |
free_if_needed(&host_url); |
1452 | 1452 |
}/*HOST_SUFFICIENT*/ |
1453 | 1453 |
/*we failed to find a reason why the 2 URLs are different, this is definetely phishing*/ |
1454 |
+ if(urls->flags&DOMAINLIST_REQUIRED && !(phishy&DOMAIN_LISTED)) |
|
1455 |
+ return CL_PHISH_HOST_NOT_LISTED; |
|
1454 | 1456 |
return phishy_map(phishy,CL_PHISH_NOMATCH); |
1455 | 1457 |
} |
1456 | 1458 |
|
... | ... |
@@ -1494,6 +1500,8 @@ const char* phishing_ret_toString(enum phish_status rc) |
1494 | 1494 |
return "Host not listed in .pdb -> not checked"; |
1495 | 1495 |
case CL_PHISH_CLEAN_CID: |
1496 | 1496 |
return "Embedded image in mail -> clean"; |
1497 |
+ case CL_PHISH_HEX_URL: |
|
1498 |
+ return "Embedded hex urls"; |
|
1497 | 1499 |
default: |
1498 | 1500 |
return "Unknown return code"; |
1499 | 1501 |
} |
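Review bot: In the phishingCheck hunk that adds the `CL_PHISH_HOST_NOT_LISTED` return, the existing comment `/*we failed to find a reason why the 2 URLs are different, this is definetely phishing*/` now sits directly above a branch that returns "not listed" instead of a phishing verdict, so it says the opposite of what the next statement does. Move that comment down to the `phishy_map` return and put something like `/* host not listed in .pdb -> not checked */` above the new test. The condition also relies on `&` binding tighter than `&&`; writing `if((urls->flags & DOMAINLIST_REQUIRED) && !(phishy & DOMAIN_LISTED))` makes the intent explicit, and the same applies to `url->flags&CHECK_CLOAKING && !regexec(...)` in the url_get_host hunk. The earlier phishingCheck hunk switches `domainlist_match` to `host_url.displayLink.data` and `host_url.realLink.data`; where `host_url` is filled in is outside the hunks, so confirm it is populated on every path that reaches that call. phishingCheck's body starts outside these hunks.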
... | ... |
@@ -50,7 +50,7 @@ enum phish_status {CL_PHISH_NODECISION=0,CL_PHISH_CLEAN=CL_PHISH_BASE, CL_PHISH_ |
50 | 50 |
|
51 | 51 |
#define LINKTYPE_IMAGE 1 |
52 | 52 |
|
53 |
-#define CL_PHISH_ALL_CHECKS (CLEANUP_URL|DOMAIN_SUFFICIENT|CHECK_SSL|CHECK_CLOAKING|DOMAINLIST_REQUIRED|CHECK_IMG_URL) |
|
53 |
+#define CL_PHISH_ALL_CHECKS (CLEANUP_URL|DOMAIN_SUFFICIENT|CHECK_SSL|CHECK_CLOAKING|CHECK_IMG_URL) |
|
54 | 54 |
|
55 | 55 |
struct string { |
56 | 56 |
int refcount; |
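Review bot: `CL_PHISH_ALL_CHECKS` no longer contains `DOMAINLIST_REQUIRED`, so the macro name now overstates what it enables, and nothing here explains the omission. A comment on the define would prevent someone from "restoring" the bit later, for example `/* DOMAINLIST_REQUIRED is deliberately excluded: it is carried in url_check.always_check_flags */`. phishingCheck still tests `urls->flags&DOMAINLIST_REQUIRED`, and the code that would copy `always_check_flags` into `flags` is not visible in this commit's hunks, so it is worth confirming that the bit still reaches `flags`; if it does not, the .pdb domain-list restriction is silently skipped.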