@@ -1,3 +1,8 @@

+Wed Feb 13 02:49:38 CET 2008 (acab)

+-----------------------------------

+  * limits: Set new defaults, updated sample config files

+  	    More to come (documents update and final tweaks)

+

 Tue Feb 12 11:19:22 GMT 2008 (njh)

 ----------------------------------

   * libclamav/pdf.c:	Fix some warning messages and compilation error on

@@ -1890,8 +1890,6 @@ main(int argc, char **argv)

 			options |= CL_SCAN_DISABLERAR;*/

 		if(cfgopt(copt, "ArchiveBlockEncrypted")->enabled)

 			options |= CL_SCAN_BLOCKENCRYPTED;

-		if(cfgopt(copt, "ArchiveBlockMax")->enabled)

-			options |= CL_SCAN_BLOCKMAX;

 		if(cfgopt(copt, "ScanPE")->enabled)

 			options |= CL_SCAN_PE;

 		if(cfgopt(copt, "DetectBrokenExecutables")->enabled)

@@ -1905,31 +1903,27 @@ main(int argc, char **argv)

 		memset(&limits, '\0', sizeof(struct cl_limits));

-		if(((cpt = cfgopt(copt, "MailMaxRecursion")) != NULL) && cpt->enabled)

-			limits.maxmailrec = cpt->numarg;

-

-		if(cfgopt(copt, "ScanArchive")->enabled) {

-			options |= CL_SCAN_ARCHIVE;

-			if(((cpt = cfgopt(copt, "ArchiveMaxFileSize")) != NULL) && cpt->enabled)

-				limits.maxfilesize = cpt->numarg;

-			else

-				limits.maxfilesize = 10485760;

-

-			if(((cpt = cfgopt(copt, "ArchiveMaxRecursion")) != NULL) && cpt->enabled)

-				limits.maxreclevel = cpt->numarg;

-			else

-				limits.maxreclevel = 8;

+		if(((cpt = cfgopt(copt, "MaxScanSize")) != NULL) && cpt->enabled)

+			limits.maxscansize = cpt->numarg;

+		else

+			limits.maxscansize = 104857600;

+		if(((cpt = cfgopt(copt, "MaxFileSize")) != NULL) && cpt->enabled)

+			limits.maxfilesize = cpt->numarg;

+		else

+			limits.maxfilesize = 10485760;

-			if(((cpt = cfgopt(copt, "ArchiveMaxFiles")) != NULL) && cpt->enabled)

-				limits.maxfiles = cpt->numarg;

-			else

-				limits.maxfiles = 1000;

+		if(((cpt = cfgopt(copt, "MaxRecursion")) != NULL) && cpt->enabled)

+			limits.maxreclevel = cpt->numarg;

+		else

+			limits.maxreclevel = 8;

-			if(((cpt = cfgopt(copt, "ArchiveMaxCompressionRatio")) != NULL) && cpt->enabled)

-				limits.maxratio = cpt->numarg;

-			else

-				limits.maxratio = 250;

+		if(((cpt = cfgopt(copt, "MaxFiles")) != NULL) && cpt->enabled)

+			limits.maxfiles = cpt->numarg;

+		else

+			limits.maxfiles = 1000;

+		if(cfgopt(copt, "ScanArchive")->enabled) {

+			options |= CL_SCAN_ARCHIVE;

 			if(cfgopt(copt, "ArchiveLimitMemoryUsage")->enabled)

 				limits.archivememlim = 1;

 			else

@@ -321,13 +321,12 @@ void help(void)

     mprintf("    --no-archive                         Disable libclamav archive support\n");

     mprintf("    --detect-broken                      Try to detect broken executable files\n");

     mprintf("    --block-encrypted                    Block encrypted archives\n");

-    mprintf("    --block-max                          Block archives that exceed limits\n");

     mprintf("    --mail-follow-urls                   Download and scan URLs\n");

     mprintf("\n");

-    mprintf("    --max-scansize=#n                    FIXMELIMITS\n");

-    mprintf("    --max-filesize=#n                    FIXMELIMITS\n");

-    mprintf("    --max-files=#n                       FIXMELIMITS\n");

-    mprintf("    --max-recursion=#n                   Maximum archive recursion level\n");

+    mprintf("    --max-filesize=#n                    Files larger than this will be skipped and assumed clean\n");

+    mprintf("    --max-scansize=#n                    The maximum amount of data to scan for each container file (*)\n");

+    mprintf("    --max-files=#n                       The maximum number of files to scan for each container file (*)\n");

+    mprintf("    --max-recursion=#n                   Maximum archive recursion level for container file (*)\n");

     mprintf("    --max-dir-recursion=#n               Maximum directory recursion level\n");

     mprintf("    --unzip[=FULLPATH]                   Enable support for .zip files\n");

     mprintf("    --unrar[=FULLPATH]                   Enable support for .rar files\n");

@@ -338,4 +337,6 @@ void help(void)

     mprintf("    --tar[=FULLPATH]                     Enable support for .tar files\n");

     mprintf("    --deb[=FULLPATH to ar]               Enable support for .deb files\n");

     mprintf("    --tgz[=FULLPATH]                     Enable support for .tar.gz, .tgz files\n\n");

+    mprintf("(*) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside.\n");

+    mprintf("    The above options ensure safe processing of this kind of data.\n\n");

 }

@@ -231,7 +231,7 @@ int scanmanager(const struct optstruct *opt)

 	} else

 	    limits.maxscansize = atoi(ptr) * 1024;

     } else

-	limits.maxscansize = 104857600;  /* FIXMELIMITS */

+	limits.maxscansize = 104857600;

     if(opt_check(opt, "max-filesize")) {

 	char *cpy, *ptr;

@@ -244,17 +244,17 @@ int scanmanager(const struct optstruct *opt)

 	} else

 	    limits.maxfilesize = atoi(ptr) * 1024;

     } else

-	limits.maxfilesize = 10485760;  /* FIXMELIMITS */

+	limits.maxfilesize = 26214400;

     if(opt_check(opt, "max-files"))

 	limits.maxfiles = atoi(opt_arg(opt, "max-files"));

     else

-        limits.maxfiles = 500;

+        limits.maxfiles = 10000;

     if(opt_check(opt, "max-recursion"))

         limits.maxreclevel = atoi(opt_arg(opt, "max-recursion"));

     else

-        limits.maxreclevel = 8;

+        limits.maxreclevel = 16;

     /* set options */

@@ -416,29 +416,27 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir

 {

 	pid_t pid;

 	int status, wret, fdevnull;

-	unsigned int maxfiles, maxspace;

+	unsigned int maxfiles, maxscansize;

 	struct s_du n;

     if(opt_check(opt, "max-files"))

 	maxfiles = atoi(opt_arg(opt, "max-files"));

     else

-	maxfiles = 0;

+	maxfiles = 10000;

-    /* FIXMELIMITS */

-    if(opt_check(opt, "max-filesize")) {

+    if(opt_check(opt, "max-scansize")) {

 	    char *cpy, *ptr;

-	ptr = opt_arg(opt, "max-filesize");

+	ptr = opt_arg(opt, "max-scansize");

 	if(tolower(ptr[strlen(ptr) - 1]) == 'm') { /* megabytes */

 	    cpy = calloc(strlen(ptr), 1);

 	    strncpy(cpy, ptr, strlen(ptr) - 1);

-	    maxspace = atoi(cpy) * 1024;

+	    maxscansize = atoi(cpy) * 1024;

 	    free(cpy);

 	} else /* default - kilobytes */

-	    maxspace = atoi(ptr);

+	    maxscansize = atoi(ptr);

     } else

-	maxspace = 0;

-

+	maxscansize = 104857600;

     switch(pid = fork()) {

 	case -1:

@@ -490,12 +488,12 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir

 	    break;

 	default:

-	    if(maxfiles || maxspace) {

+	    if(maxscansize || maxfiles) {

 		while(!(wret = waitpid(pid, &status, WNOHANG))) {

 		    memset(&n, 0, sizeof(struct s_du));

 		    if(!du(tmpdir, &n))

-			if((maxfiles && n.files > maxfiles) || (maxspace && n.space > maxspace)) {

+			if((maxfiles && n.files > maxfiles) || (maxscansize && n.space > maxscansize)) {

 			    logg("*n.files: %u, n.space: %lu\n", n.files, n.space);

 			    kill(pid, 9); /* stop it immediately */

 			}

@@ -266,26 +266,36 @@ LocalSocket /tmp/clamd.socket

 # The options below protect your system against Denial of Service attacks

 # using archive bombs.

-# FIXMELIMITS

-# Value of 0 disables the limit.

-# Default: FIXMELIMITS

+# This option sets the maximum amount of data to be scanned for each input file.

+# Archives and other containers are recursively extracted and scanned up to this

+# value.

+# Value of 0 disables the limit

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 100M

 #MaxScanSize 15M

-# Files in archives larger than this limit won't be scanned.

+# Files larger than this limit won't be scanned.

 # Value of 0 disables the limit.

-# Default: 10M

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 25M

 #MaxFileSize 15M

 # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

 # file, all files within it will also be scanned. This options specifies how

 # deeply the process should be continued.

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

 # Value of 0 disables the limit.

-# Default: 8

+# Default: 16

 #MaxRecursion 10

-# Number of files to be scanned within an archive.

+# Number of files to be scanned within an archive, a document, ecc.

 # Value of 0 disables the limit.

-# Default: 1000

+# Note: disabling this limit or setting it too high may result in severe damage

+# to the system.

+# Default: 10000

 #MaxFiles 1500

 # Use slower but memory efficient decompression algorithm.

@@ -60,10 +60,10 @@ struct cfgoption cfg_options[] = {

     {"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD},

     {"ScanPDF", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

     {"ScanArchive", OPT_BOOL, 1, NULL, 0, OPT_CLAMD},

-    {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD}, /* FIXMELIMITS */

-    {"MaxFileSize", OPT_COMPSIZE, 10485760, NULL, 0, OPT_CLAMD},

-    {"MaxRecursion", OPT_NUM, 8, NULL, 0, OPT_CLAMD},

-    {"MaxFiles", OPT_NUM, 1000, NULL, 0, OPT_CLAMD},

+    {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD},

+    {"MaxFileSize", OPT_COMPSIZE, 26214400, NULL, 0, OPT_CLAMD},

+    {"MaxRecursion", OPT_NUM, 16, NULL, 0, OPT_CLAMD},

+    {"MaxFiles", OPT_NUM, 10000, NULL, 0, OPT_CLAMD},

     {"ArchiveLimitMemoryUsage", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

     {"ArchiveBlockEncrypted", OPT_BOOL, 0, NULL, 0, OPT_CLAMD},

     {"DatabaseDirectory", OPT_QUOTESTR, -1, DATADIR, 0, OPT_CLAMD | OPT_FRESHCLAM},