@@ -127,6 +127,7 @@ Ed Phillips <ed*UDel.Edu>

 Pierre <pierrezero*fastmail.fm>

 Andreas Piesk <Andreas.Piesk*heise.de>

 Ant La Porte <ant*dvere.net>

+Christophe Poujol <Christophe.Poujol*atosorigin.com>

 Thomas Quinot <thomas*cuivre.fr.eu.org>

 Brian A. Reiter <breiter*wolfereiter.com>

 Hector M. Rulot Segovia <Hector.Rulot*uv.es>

@@ -1,3 +1,11 @@

+Mon Sep 13 03:31:58 CEST 2004 (tk)

+----------------------------------

+  * libclamav: CL_BLOCKMAX: allow blocking (i.e. marking as viruses) of

+	       archives that exceed limits (in std mode they're only ignored).

+	       Patch by Christophe Poujol <Christophe.Poujol*atosorigin.com>.

+  * clamd: new directive ArchiveBlockMax

+  * clamscan: new option --block-max

+

 Mon Sep 13 02:22:31 CEST 2004 (tk)

 ----------------------------------

   * clamscan: fix miscounting when trying to scan inaccessible archives

@@ -296,17 +296,22 @@ int acceptloop_th(int socketd, struct cl_node *root, const struct cfgstruct *cop

 	options |= CL_ARCHIVE;

 	if(cfgopt(copt, "ScanRAR")) {

-	    logg("RAR support enabled.\n");

+	    logg("Archive: RAR support enabled.\n");

 	} else {

-	    logg("RAR support disabled.\n");

+	    logg("Archive: RAR support disabled.\n");

 	    options |= CL_DISABLERAR;

 	}

 	if(cfgopt(copt, "ArchiveBlockEncrypted")) {

-	    logg("Blocking encrypted archives.\n");

+	    logg("Archive: Blocking encrypted archives.\n");

 	    options |= CL_ENCRYPTED;

 	}

+	if(cfgopt(copt, "ArchiveBlockMax")) {

+	    logg("Archive: Blocking archives that exceed limits.\n");

+	    options |= CL_BLOCKMAX;

+	}

+

     } else {

 	logg("Archive support disabled.\n");

     }

@@ -228,6 +228,7 @@ void help(void)

     mprintf("    --no-archive                         Disable libclamav archive support\n");

     mprintf("    --detect-broken                      Try to detect broken executable files\n");

     mprintf("    --block-encrypted                    Block encrypted archives\n");

+    mprintf("    --block-max                          Block archives that exceed limits\n");

     mprintf("    --mail-follow-urls                   Download and scan URLs\n");

     mprintf("\n");

@@ -173,6 +173,9 @@ int scanmanager(const struct optstruct *opt)

     if(optl(opt, "block-encrypted"))

 	options |= CL_ENCRYPTED;

+    if(optl(opt, "block-max"))

+	options |= CL_BLOCKMAX;

+

     if(optl(opt, "no-pe"))

 	options &= ~CL_PE;

     else

@@ -91,6 +91,7 @@ int main(int argc, char **argv)

 	    {"no-archive", 0, 0, 0},

 	    {"detect-broken", 0, 0, 0},

 	    {"block-encrypted", 0, 0, 0},

+	    {"block-max", 0, 0, 0},

 	    {"no-pe", 0, 0, 0},

 	    {"no-ole2", 0, 0, 0},

 	    {"no-html", 0, 0, 0},

@@ -228,6 +228,11 @@ Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

 .br 

 Default: disabled

 .TP 

+\fBArchiveBlockMax\fR

+Mark archives as viruses if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is reached.

+.br 

+Default: disabled

+.TP 

 \fBClamukoScanOnLine\fR

 Enable Clamuko \- on\-access scanner for Linux. Dazuko must be already running.

 .br 

@@ -87,6 +87,9 @@ Mark broken executables as viruses (Broken.Executable).

 \fB\-\-block\-encrypted\fR

 Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

 .TP 

+\fB\-\-block\-max\fR

+Mark archives as viruses if max\-files, max\-space, or max\-recursion is reached.

+.TP 

 \fB\-\-mail\-follow\-urls\fR

 If an email contains URLs ClamAV can download and scan them. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR

 .TP 

@@ -219,11 +219,15 @@ ArchiveMaxCompressionRatio 200

 # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

 #ArchiveBlockEncrypted

+# Mark archives as viruses if ArchiveMaxFiles, ArchiveMaxFileSize, or

+# ArchiveMaxRecursion limit is reached.

+#ArchiveBlockMax

+

 ##

 ## Clamuko settings

 ## WARNING: This is experimental software. It is very likely it will hang

-##	    up your system !!!

+##	    up your system!!!

 ##

 # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

@@ -76,6 +76,8 @@ extern "C"

 #define CL_PE		64

 #define CL_BROKEN	128

 #define CL_MAILURL	256

+#define CL_BLOCKMAX	512

+

 /* recommended options */

 #define CL_STDOPT	(CL_ARCHIVE | CL_MAIL | CL_OLE2 | CL_HTML | CL_PE) 

@@ -83,10 +83,10 @@ extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME *

 #define SCAN_PE		    (options & CL_PE)

 #define DISABLE_RAR	    (options & CL_DISABLERAR)

 #define DETECT_ENCRYPTED    (options & CL_ENCRYPTED)

+#define BLOCKMAX	    (options & CL_BLOCKMAX)

 #define MAX_MAIL_RECURSION  15

-

 static int cli_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec);

@@ -141,17 +141,35 @@ static int cli_scanrar(int desc, const char **virname, long int *scanned, const

 	}

 	if(limits) {

+

+	    if(limits->maxratio && rarlist->item.UnpSize && rarlist->item.PackSize) {

+		if((unsigned int) rarlist->item.UnpSize / (unsigned int) rarlist->item.PackSize >= limits->maxratio) {

+		    cli_dbgmsg("RAR: Max ratio reached (normal: %d, compressed: %d, max: %ld)\n", (int) rarlist->item.UnpSize, (int) rarlist->item.PackSize, limits->maxratio);

+		    *virname = "Oversized.RAR";

+		    ret = CL_VIRUS;

+		    break;

+		}

+	    }

+

 	    if(limits->maxfilesize && (rarlist->item.UnpSize > (unsigned int) limits->maxfilesize)) {

 		cli_dbgmsg("RAR: %s: Size exceeded (%u, max: %lu)\n", rarlist->item.Name, (unsigned int) rarlist->item.UnpSize, limits->maxfilesize);

 		rarlist = rarlist->next;

 		files++;

-		/* ret = CL_EMAXSIZE; */

+		if(BLOCKMAX) {

+		    *virname = "RAR.ExceededFileSize";

+		    ret = CL_VIRUS;

+		    break;

+		}

 		continue;

 	    }

 	    if(limits->maxfiles && (files > limits->maxfiles)) {

 		cli_dbgmsg("RAR: Files limit reached (max: %d)\n", limits->maxfiles);

-		/* ret = CL_EMAXFILES; */

+		if(BLOCKMAX) {

+		    *virname = "RAR.ExceededFilesLimit";

+		    ret = CL_VIRUS;

+		    break;

+		}

 		break;

 	    }

 	}

@@ -318,12 +336,21 @@ static int cli_scanzip(int desc, const char **virname, long int *scanned, const

 		cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize);

 		files++;

 		/* ret = CL_EMAXSIZE; */

-		continue; /* this is not a bug */

+		if(BLOCKMAX) {

+		    *virname = "Zip.ExceededFileSize";

+		    ret = CL_VIRUS;

+		    break;

+		}

+		continue; /* continue scanning */

 	    }

 	    if(limits->maxfiles && (files > limits->maxfiles)) {

 		cli_dbgmsg("Zip: Files limit reached (max: %d)\n", limits->maxfiles);

-		/* ret = CL_EMAXFILES; */

+		if(BLOCKMAX) {

+		    *virname = "Zip.ExceededFilesLimit";

+		    ret = CL_VIRUS;

+		    break;

+		}

 		break;

 	    }

 	}

@@ -76,6 +76,7 @@ struct cfgstruct *parsecfg(const char *cfgfile, int messages)

 	    {"ArchiveMaxCompressionRatio", OPT_NUM},

 	    {"ArchiveLimitMemoryUsage", OPT_NOARG},

 	    {"ArchiveBlockEncrypted", OPT_NOARG},

+	    {"ArchiveBlockMax", OPT_NOARG},

 	    {"DataDirectory", OPT_STR}, /* obsolete */

 	    {"DatabaseDirectory", OPT_STR}, /* clamd + freshclam */

 	    {"TCPAddr", OPT_STR},