GitList

Browse code

phishing fixes (bb#157)

git-svn: trunk@2621

Tomasz Kojm authored on 2007/01/14 04:39:21
Showing 5 changed files

clamav-devel/ChangeLog index f8bb7aa..24b2566 100644
clamav-devel/clamscan/manager.c index 7c9d043..d4d8a5f 100644
clamav-devel/libclamav/phish_whitelist.c index f58f85e..a07c1d9 100644
clamav-devel/libclamav/phishcheck.c index adc85b5..5b489d1 100644
clamav-devel/libclamav/phishcheck.h index 738761f..bc0dadb 100644

@@ -1,3 +1,7 @@
                     +Sat Jan 13 20:37:22 CET 2007 (tk)
                     +---------------------------------
                     +  * clamscan, libclamav: phishing fixes (bb#157)
+                    +
                      Sat Jan 13 17:55:25 CET 2007 (tk)
                      ---------------------------------
                        * libclamav, freshclam: add dbdir locking mechanism (closes bb#113, #143)
@@ -43,7 +47,6 @@ Fri Jan 12 18:51:33 CET 2007 (acab)
                        * libclamav: add MEW support from Michal Spadlinski <gim913 * gmail.com>
                      	       Part of the Google Summer of Code program
                     ->>>>>>> 1.1692
                      Fri Jan 12 18:35:02 CET 2007 (tk)
                      ---------------------------------
                        * libclamav/phishcheck.c: add img url link-type filtering (patch from Edwin)

clamav-devel/clamscan/manager.c

History View file @ 6e96505

@@ -97,13 +97,13 @@ int scanmanager(const struct optstruct *opt)
                      	dboptions |= CL_DB_PHISHING_URLS;
                          if(!opt_check(opt,"no-phishing-restrictedscan")) {
                      	/* not scanning all domains, check only URLs with domains from .pdb */
                     -	dboptions |= CL_SCAN_PHISHING_DOMAINLIST;
                     +	options |= CL_SCAN_PHISHING_DOMAINLIST;
+                         }
                          if(opt_check(opt,"phishing-ssl")) {
                     -	   dboptions |= CL_SCAN_PHISHING_BLOCKSSL;
                     +	options |= CL_SCAN_PHISHING_BLOCKSSL;
+                         }
                          if(opt_check(opt,"phishing-cloak")) {
                     -	    dboptions |= CL_SCAN_PHISHING_BLOCKCLOAK;
                     +	options |= CL_SCAN_PHISHING_BLOCKCLOAK;
+                         }
                      #endif

clamav-devel/libclamav/phish_whitelist.c

History View file @ 6e96505

@@ -19,6 +19,9 @@
  *  MA 02110-1301, USA.
  *
  *  $Log: phish_whitelist.c,v $
+ *  Revision 1.7  2007/01/13 19:39:21  tkojm
+ *  phishing fixes (bb#157)
+ *
  *  Revision 1.6  2006/10/10 23:51:49  tkojm
  *  apply patches for the anti-phish code from Edwin
  *
@@ -104,6 +107,7 @@
 int whitelist_match(const struct cl_engine* engine,const char* real_url,const char* display_url,int hostOnly)
 {
 	const char* info;/*unused*/
+	cli_dbgmsg("Phishing: looking up in whitelist:%s:%s; hostonly:%d\n",real_url,display_url,hostOnly);
 	return	engine->whitelist_matcher ? regex_list_match(engine->whitelist_matcher,real_url,display_url,hostOnly,&info,1) : 0;
 }
 

clamav-devel/libclamav/phishcheck.c

History View file @ 6e96505

@@ -19,6 +19,9 @@
                       *  MA 02110-1301, USA.
+                      *
                       *  $Log: phishcheck.c,v $
                     + *  Revision 1.19  2007/01/13 19:39:21  tkojm
                     + *  phishing fixes (bb#157)
                     + *
                       *  Revision 1.18  2007/01/12 17:36:53  tkojm
                       *  add img url link-type filtering
+                      *
@@ -954,6 +957,7 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs)
                      		if(hrefs->contents[i]) {
                      			struct url_check urls;
                      			enum phish_status rc;
                     +			urls.always_check_flags = DOMAINLIST_REQUIRED;/* required to work correctly */
                      			urls.flags	 = strncmp((char*)hrefs->tag[i],href_text,href_text_len)? (CL_PHISH_ALL_CHECKS&~CHECK_SSL): CL_PHISH_ALL_CHECKS;
                      			urls.link_type   = 0;
                      			if(!strncmp((char*)hrefs->tag[i],src_text,src_text_len)) {
@@ -1202,7 +1206,7 @@ int url_get_host(const struct phishcheck* pchk, struct url_check* url,struct url
                      		string_free(host);
                      		return CL_PHISH_TEXTURL;
+                     	}
                     -	if(!regexec(&pchk->preg_hexurl,host->data,0,NULL,0)) {
                     +	if(url->flags&CHECK_CLOAKING && !regexec(&pchk->preg_hexurl,host->data,0,NULL,0)) {
                      		/* use a regex here, so that we don't accidentally block 0xacab.net style hosts */
                      		string_free(host);
                      		return CL_PHISH_HEX_URL;
@@ -1302,7 +1306,7 @@ enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check*
                      	if(urls->flags&DOMAINLIST_REQUIRED) {
                      		if(!(phishy&DOMAIN_LISTED)) {
                     -			if(domainlist_match(engine,urls->displayLink.data,urls->realLink.data,1,&urls->flags))
                     +			if(domainlist_match(engine,host_url.displayLink.data,host_url.realLink.data,1,&urls->flags))
                      				phishy |= DOMAIN_LISTED;
                      			else {
+                     			}
@@ -1451,6 +1455,8 @@ enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check*
                      		free_if_needed(&host_url);
                      	}/*HOST_SUFFICIENT*/
                      	/*we failed to find a reason why the 2 URLs are different, this is definetely phishing*/
                     +	if(urls->flags&DOMAINLIST_REQUIRED && !(phishy&DOMAIN_LISTED))
                     +		return CL_PHISH_HOST_NOT_LISTED;
                      	return phishy_map(phishy,CL_PHISH_NOMATCH);
+                     }
@@ -1494,6 +1500,8 @@ const char* phishing_ret_toString(enum phish_status rc)
                      			return "Host not listed in .pdb -> not checked";
                      		case CL_PHISH_CLEAN_CID:
                      			return "Embedded image in mail -> clean";
                     +		case CL_PHISH_HEX_URL:
                     +			return "Embedded hex urls";
                      		default:
                      			return "Unknown return code";
+                     	}

clamav-devel/libclamav/phishcheck.h

History View file @ 6e96505

@@ -50,7 +50,7 @@ enum phish_status {CL_PHISH_NODECISION=0,CL_PHISH_CLEAN=CL_PHISH_BASE, CL_PHISH_
                      #define LINKTYPE_IMAGE     1
                     -#define CL_PHISH_ALL_CHECKS (CLEANUP_URL|DOMAIN_SUFFICIENT|CHECK_SSL|CHECK_CLOAKING|DOMAINLIST_REQUIRED|CHECK_IMG_URL)
                     +#define CL_PHISH_ALL_CHECKS (CLEANUP_URL|DOMAIN_SUFFICIENT|CHECK_SSL|CHECK_CLOAKING|CHECK_IMG_URL)
                      struct string {
                      	int refcount;

...	...	@@ -19,6 +19,9 @@
19	19	* MA 02110-1301, USA.
20	20	*
21	21	* $Log: phish_whitelist.c,v $
	22	+ * Revision 1.7 2007/01/13 19:39:21 tkojm
	23	+ * phishing fixes (bb#157)
	24	+ *
22	25	* Revision 1.6 2006/10/10 23:51:49 tkojm
23	26	* apply patches for the anti-phish code from Edwin
24	27	*
...	...	@@ -104,6 +107,7 @@
104	104	int whitelist_match(const struct cl_engine* engine,const char* real_url,const char* display_url,int hostOnly)
105	105	{
106	106	const char* info;/unused/
	107	+ cli_dbgmsg("Phishing: looking up in whitelist:%s:%s; hostonly:%d\n",real_url,display_url,hostOnly);
107	108	return engine->whitelist_matcher ? regex_list_match(engine->whitelist_matcher,real_url,display_url,hostOnly,&info,1) : 0;
108	109	}
109	110