@@ -1,3 +1,8 @@

+Tue Mar  3 20:40:07 CET 2009 (acab)

+-----------------------------------

+ * clamav-milter: Allow custom rejection messages, workaround ancient

+	systems without strerror_r (bb#1439), remove double syslog include

+

 Tue Mar  3 18:58:06 CET 2009 (tk)

 ---------------------------------

  * libclamav/unarj.c: downgrade error message (bb#1444)

@@ -28,7 +28,6 @@

 #include <pwd.h>

 #include <grp.h>

 #include <string.h>

-#include <syslog.h>

 #ifdef USE_SYSLOG

 #include <syslog.h>

 #endif

@@ -27,6 +27,7 @@

 #include <string.h>

 #include <sys/types.h>

 #include <unistd.h>

+#include <ctype.h>

 #include <libmilter/mfapi.h>

@@ -49,6 +50,7 @@ uint64_t maxfilesize;

 static sfsistat FailAction;

 static sfsistat (*CleanAction)(SMFICTX *ctx);

 static sfsistat (*InfectedAction)(SMFICTX *ctx);

+static char *rejectfmt = NULL;

 int addxvirus = 0;

 char xvirushdr[255];

@@ -57,6 +59,7 @@ char xvirushdr[255];

 struct CLAMFI {

     char buffer[CLAMFIBUFSZ];

+    const char *virusname;

     int local;

     int main;

     int alt;

@@ -236,18 +239,23 @@ sfsistat clamfi_eom(SMFICTX *ctx) {

 	if(addxvirus) add_x_header(ctx, "Clean");

 	ret = CleanAction(ctx);

     } else if (len>7 && !strcmp(reply + len - 7, " FOUND\n")) {

-	if(addxvirus) {

+	cf->virusname = NULL;

+	if(addxvirus || rejectfmt) {

 	    char *vir;

 	    reply[len-7] = '\0';

 	    vir = strrchr(reply, ' ');

 	    if(vir) {

-		char msg[255];

-

 		vir++;

-		snprintf(msg, sizeof(msg), "Infected (%s)", vir);

-		msg[sizeof(msg)-1] = '\0';

-		add_x_header(ctx, msg);

+

+		if(rejectfmt) {

+		    cf->virusname = vir;

+		} else {

+		    char msg[255];

+		    snprintf(msg, sizeof(msg), "Infected (%s)", vir);

+		    msg[sizeof(msg)-1] = '\0';

+		    add_x_header(ctx, msg);

+		}

 	    }

 	}

 	ret = InfectedAction(ctx);

@@ -320,6 +328,18 @@ static sfsistat action_quarantine(SMFICTX *ctx) {

     }

     return SMFIS_ACCEPT;

 }

+static sfsistat action_reject_msg(SMFICTX *ctx) {

+    struct CLAMFI *cf;

+    char buf[1024];

+

+    if(!rejectfmt || !(cf = (struct CLAMFI *)smfi_getpriv(ctx)))

+	return SMFIS_REJECT;

+

+    snprintf(buf, sizeof(buf), rejectfmt, cf->virusname);

+    buf[sizeof(buf)-1] = '\0';

+    smfi_setreply(ctx, "550", NULL, buf);

+    return SMFIS_REJECT;

+}

 int init_actions(struct optstruct *opts) {

     const struct optstruct *opt;

@@ -336,7 +356,7 @@ int init_actions(struct optstruct *opts) {

 	    FailAction = SMFIS_REJECT;

 	    break;

 	default:

-	    logg("!Invalid action %s for option OnFail", opt->strarg);

+	    logg("!Invalid action %s for option OnFail\n", opt->strarg);

 	    return 1;

 	}

     } else FailAction = SMFIS_TEMPFAIL;

@@ -359,7 +379,7 @@ int init_actions(struct optstruct *opts) {

 	    CleanAction = action_quarantine;

 	    break;

 	default:

-	    logg("!Invalid action %s for option OnClean", opt->strarg);

+	    logg("!Invalid action %s for option OnClean\n", opt->strarg);

 	    return 1;

 	}

     } else CleanAction = action_accept;

@@ -372,15 +392,49 @@ int init_actions(struct optstruct *opts) {

 	case 1:

 	    InfectedAction = action_defer;

 	    break;

-	case 2:

-	    InfectedAction = action_reject;

-	    break;

 	case 3:

 	    InfectedAction = action_blackhole;

 	    break;

 	case 4:

 	    InfectedAction = action_quarantine;

 	    break;

+	case 2:

+	    InfectedAction = action_reject_msg;

+	    if((opt = optget(opts, "RejectMsg"))->enabled) {

+		const char *src = opt->strarg;

+		char *dst, c;

+		int gotpctv = 0;

+

+		rejectfmt = dst = malloc(strlen(src) * 4 + 1);

+		if(!dst) {

+		    logg("!Failed to allocate memory for RejectMsg\n");

+		    return 1;

+		}

+		while ((c = *src++)) {

+		    if(!isprint(c)) {

+			logg("!RejectMsg contains non printable characters\n");

+			free(rejectfmt);

+			return 1;

+		    }

+		    *dst++ = c;

+		    if(c == '%') {

+			if(*src == 'v') {

+			    if(gotpctv) {

+				logg("!%%v may appear at most once in RejectMsg\n");

+				free(rejectfmt);

+				return 1;

+			    }

+			    gotpctv |= 1;

+			    src++;

+			    *dst++ = 's';

+			} else {

+			    dst[0] = dst[1] = dst[2] = '%';

+			    dst += 3;

+			}

+		    }

+		}

+		*dst = '\0';

+	    }

 	default:

 	    logg("!Invalid action %s for option OnInfected", opt->strarg);

 	    return 1;

@@ -40,12 +40,18 @@

 #include <netdb.h>

 #include <sys/uio.h>

-

 #include "shared/output.h"

 #include "shared/optparser.h"

 #include "libclamav/others.h"

 #include "netcode.h"

+#ifdef HAVE_STRERROR_R

+#define strerror_print(msg) \

+	strerror_r(errno, er, sizeof(er)); \

+	logg(msg": %s\n", er);

+#else

+	logg(msg"\n");

+#endif

 enum {

     NON_SMTP,

@@ -75,21 +81,18 @@ static int nc_socket(struct CP_ENTRY *cpe) {

     char er[256];

     if (s == -1) {

-	strerror_r(errno, er, sizeof(er));

-	logg("!Failed to create socket: %s\n", er);

+	strerror_print("!Failed to create socket");

 	return -1;

     }

     flags = fcntl(s, F_GETFL, 0);

     if (flags == -1) {

-	strerror_r(errno, er, sizeof(er));

-	logg("!fcntl_get failed: %s\n", er);

+	strerror_print("!fcntl_get failed");

 	close(s);

 	return -1;

     }

     flags |= O_NONBLOCK;

     if (fcntl(s, F_SETFL, flags) == -1) {

-	strerror_r(errno, er, sizeof(er));

-	logg("!fcntl_set failed: %s\n", er);

+	strerror_print("!fcntl_set failed");

 	close(s);

 	return -1;

     }

@@ -105,8 +108,7 @@ static int nc_connect(int s, struct CP_ENTRY *cpe) {

     if (!res) return 0;

     if (errno != EINPROGRESS) {

-	strerror_r(errno, er, sizeof(er));

-	logg("*connect failed: %s\n", er);

+	strerror_print("*connect failed");

 	close(s);

 	return -1;

     }

@@ -158,8 +160,7 @@ int nc_send(int s, const void *buff, size_t len) {

 	    continue;

 	}

 	if(errno != EAGAIN && errno != EWOULDBLOCK) {

-	    strerror_r(errno, er, sizeof(er));

-	    logg("!send failed: %s\n", er);

+	    strerror_print("!send failed");

 	    close(s);

 	    return 1;

 	}

@@ -219,8 +220,7 @@ int nc_sendmsg(int s, int fd) {

     if((ret = sendmsg(s, &msg, 0)) == -1) {

 	char er[256];

-	strerror_r(errno, er, sizeof(er));

-	logg("!clamfi_eom: FD send failed (%s)\n", er);

+	strerror_print("!clamfi_eom: FD send failed");

 	close(s);

     }

     return ret;

@@ -257,8 +257,7 @@ char *nc_recv(int s) {

 	res = recv(s, &buf[len], sizeof(buf) - len, 0);

 	if(res==-1) {

 	    char er[256];

-	    strerror_r(errno, er, sizeof(er));

-	    logg("!recv failed after successful select: %s\n", er);

+	    strerror_print("!recv failed after successful select");

 	    close(s);

 	    return NULL;

 	}

@@ -145,6 +145,12 @@ Example

 # Default Defer

 #OnFail Defer

+# This option allows to set a specific rejection reason for infected messages

+# and it's therefore only useful together with "OnInfected Reject"

+# The string "%v", if present, will be replaced with the virus name.

+# Default: MTA specific

+#RejectMsg 

+

 # If this option is set to Yes, an "X-Virus-Scanned" and an "X-Virus-Status"

 # headers will be attached to each processed message, possibly replacing

 # existing headers. 

@@ -373,6 +373,8 @@ const struct clam_option clam_options[] = {

     { "OnFail", NULL, 0, TYPE_STRING, "^(Accept|Reject|Defer)$", -1, "Defer", 0, OPT_MILTER, "Action to be performed on error conditions (this includes failure to\nallocate data structures, no scanners available, network timeouts, unknown\nscanner replies and the like).\nThe following actions are available:\nAccept: the message is accepted for delievery;\nReject: immediately refuse delievery (a 5xx error is returned to the peer);\nDefer: return a temporary failure message (4xx) to the peer.", "Defer" },

+    { "RejectMsg", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "This option allows to set a specific rejection reason for infected messages\nand it's therefore only useful together with \"OnInfected Reject\"\nThe string \"%v\", if present, will be replaced with the virus name.", "MTA specific" },

+

     { "AddHeader", NULL, 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_MILTER, "If this option is set to Yes, an \"X-Virus-Scanned\" and an \"X-Virus-Status\"\nheaders will be attached to each processed message, possibly replacing\nexisting headers.", "Yes" },

     { "Chroot", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Chroot to the specified directory.\nChrooting is performed just after reading the config file and before\ndropping privileges.", "/newroot" },