git-svn: trunk@3624
aCaB authored on 2008/02/13 11:06:19... | ... |
@@ -1,3 +1,8 @@ |
1 |
+Wed Feb 13 02:49:38 CET 2008 (acab) |
|
2 |
+----------------------------------- |
|
3 |
+ * limits: Set new defaults, updated sample config files |
|
4 |
+ More to come (documents update and final tweaks) |
|
5 |
+ |
|
1 | 6 |
Tue Feb 12 11:19:22 GMT 2008 (njh) |
2 | 7 |
---------------------------------- |
3 | 8 |
* libclamav/pdf.c: Fix some warning messages and compilation error on |
... | ... |
@@ -1890,8 +1890,6 @@ main(int argc, char **argv) |
1890 | 1890 |
options |= CL_SCAN_DISABLERAR;*/ |
1891 | 1891 |
if(cfgopt(copt, "ArchiveBlockEncrypted")->enabled) |
1892 | 1892 |
options |= CL_SCAN_BLOCKENCRYPTED; |
1893 |
- if(cfgopt(copt, "ArchiveBlockMax")->enabled) |
|
1894 |
- options |= CL_SCAN_BLOCKMAX; |
|
1895 | 1893 |
if(cfgopt(copt, "ScanPE")->enabled) |
1896 | 1894 |
options |= CL_SCAN_PE; |
1897 | 1895 |
if(cfgopt(copt, "DetectBrokenExecutables")->enabled) |
... | ... |
@@ -1905,31 +1903,27 @@ main(int argc, char **argv) |
1905 | 1905 |
|
1906 | 1906 |
memset(&limits, '\0', sizeof(struct cl_limits)); |
1907 | 1907 |
|
1908 |
- if(((cpt = cfgopt(copt, "MailMaxRecursion")) != NULL) && cpt->enabled) |
|
1909 |
- limits.maxmailrec = cpt->numarg; |
|
1910 |
- |
|
1911 |
- if(cfgopt(copt, "ScanArchive")->enabled) { |
|
1912 |
- options |= CL_SCAN_ARCHIVE; |
|
1913 |
- if(((cpt = cfgopt(copt, "ArchiveMaxFileSize")) != NULL) && cpt->enabled) |
|
1914 |
- limits.maxfilesize = cpt->numarg; |
|
1915 |
- else |
|
1916 |
- limits.maxfilesize = 10485760; |
|
1917 |
- |
|
1918 |
- if(((cpt = cfgopt(copt, "ArchiveMaxRecursion")) != NULL) && cpt->enabled) |
|
1919 |
- limits.maxreclevel = cpt->numarg; |
|
1920 |
- else |
|
1921 |
- limits.maxreclevel = 8; |
|
1908 |
+ if(((cpt = cfgopt(copt, "MaxScanSize")) != NULL) && cpt->enabled) |
|
1909 |
+ limits.maxscansize = cpt->numarg; |
|
1910 |
+ else |
|
1911 |
+ limits.maxscansize = 104857600; |
|
1912 |
+ if(((cpt = cfgopt(copt, "MaxFileSize")) != NULL) && cpt->enabled) |
|
1913 |
+ limits.maxfilesize = cpt->numarg; |
|
1914 |
+ else |
|
1915 |
+ limits.maxfilesize = 10485760; |
|
1922 | 1916 |
|
1923 |
- if(((cpt = cfgopt(copt, "ArchiveMaxFiles")) != NULL) && cpt->enabled) |
|
1924 |
- limits.maxfiles = cpt->numarg; |
|
1925 |
- else |
|
1926 |
- limits.maxfiles = 1000; |
|
1917 |
+ if(((cpt = cfgopt(copt, "MaxRecursion")) != NULL) && cpt->enabled) |
|
1918 |
+ limits.maxreclevel = cpt->numarg; |
|
1919 |
+ else |
|
1920 |
+ limits.maxreclevel = 8; |
|
1927 | 1921 |
|
1928 |
- if(((cpt = cfgopt(copt, "ArchiveMaxCompressionRatio")) != NULL) && cpt->enabled) |
|
1929 |
- limits.maxratio = cpt->numarg; |
|
1930 |
- else |
|
1931 |
- limits.maxratio = 250; |
|
1922 |
+ if(((cpt = cfgopt(copt, "MaxFiles")) != NULL) && cpt->enabled) |
|
1923 |
+ limits.maxfiles = cpt->numarg; |
|
1924 |
+ else |
|
1925 |
+ limits.maxfiles = 1000; |
|
1932 | 1926 |
|
1927 |
+ if(cfgopt(copt, "ScanArchive")->enabled) { |
|
1928 |
+ options |= CL_SCAN_ARCHIVE; |
|
1933 | 1929 |
if(cfgopt(copt, "ArchiveLimitMemoryUsage")->enabled) |
1934 | 1930 |
limits.archivememlim = 1; |
1935 | 1931 |
else |
... | ... |
@@ -321,13 +321,12 @@ void help(void) |
321 | 321 |
mprintf(" --no-archive Disable libclamav archive support\n"); |
322 | 322 |
mprintf(" --detect-broken Try to detect broken executable files\n"); |
323 | 323 |
mprintf(" --block-encrypted Block encrypted archives\n"); |
324 |
- mprintf(" --block-max Block archives that exceed limits\n"); |
|
325 | 324 |
mprintf(" --mail-follow-urls Download and scan URLs\n"); |
326 | 325 |
mprintf("\n"); |
327 |
- mprintf(" --max-scansize=#n FIXMELIMITS\n"); |
|
328 |
- mprintf(" --max-filesize=#n FIXMELIMITS\n"); |
|
329 |
- mprintf(" --max-files=#n FIXMELIMITS\n"); |
|
330 |
- mprintf(" --max-recursion=#n Maximum archive recursion level\n"); |
|
326 |
+ mprintf(" --max-filesize=#n Files larger than this will be skipped and assumed clean\n"); |
|
327 |
+ mprintf(" --max-scansize=#n The maximum amount of data to scan for each container file (*)\n"); |
|
328 |
+ mprintf(" --max-files=#n The maximum number of files to scan for each container file (*)\n"); |
|
329 |
+ mprintf(" --max-recursion=#n Maximum archive recursion level for container file (*)\n"); |
|
331 | 330 |
mprintf(" --max-dir-recursion=#n Maximum directory recursion level\n"); |
332 | 331 |
mprintf(" --unzip[=FULLPATH] Enable support for .zip files\n"); |
333 | 332 |
mprintf(" --unrar[=FULLPATH] Enable support for .rar files\n"); |
... | ... |
@@ -338,4 +337,6 @@ void help(void) |
338 | 338 |
mprintf(" --tar[=FULLPATH] Enable support for .tar files\n"); |
339 | 339 |
mprintf(" --deb[=FULLPATH to ar] Enable support for .deb files\n"); |
340 | 340 |
mprintf(" --tgz[=FULLPATH] Enable support for .tar.gz, .tgz files\n\n"); |
341 |
+ mprintf("(*) Certain files (e.g. documents, archives, etc.) may in turn contain other files inside.\n"); |
|
342 |
+ mprintf(" The above options ensure safe processing of this kind of data.\n\n"); |
|
341 | 343 |
} |
... | ... |
@@ -231,7 +231,7 @@ int scanmanager(const struct optstruct *opt) |
231 | 231 |
} else |
232 | 232 |
limits.maxscansize = atoi(ptr) * 1024; |
233 | 233 |
} else |
234 |
- limits.maxscansize = 104857600; /* FIXMELIMITS */ |
|
234 |
+ limits.maxscansize = 104857600; |
|
235 | 235 |
|
236 | 236 |
if(opt_check(opt, "max-filesize")) { |
237 | 237 |
char *cpy, *ptr; |
... | ... |
@@ -244,17 +244,17 @@ int scanmanager(const struct optstruct *opt) |
244 | 244 |
} else |
245 | 245 |
limits.maxfilesize = atoi(ptr) * 1024; |
246 | 246 |
} else |
247 |
- limits.maxfilesize = 10485760; /* FIXMELIMITS */ |
|
247 |
+ limits.maxfilesize = 26214400; |
|
248 | 248 |
|
249 | 249 |
if(opt_check(opt, "max-files")) |
250 | 250 |
limits.maxfiles = atoi(opt_arg(opt, "max-files")); |
251 | 251 |
else |
252 |
- limits.maxfiles = 500; |
|
252 |
+ limits.maxfiles = 10000; |
|
253 | 253 |
|
254 | 254 |
if(opt_check(opt, "max-recursion")) |
255 | 255 |
limits.maxreclevel = atoi(opt_arg(opt, "max-recursion")); |
256 | 256 |
else |
257 |
- limits.maxreclevel = 8; |
|
257 |
+ limits.maxreclevel = 16; |
|
258 | 258 |
|
259 | 259 |
/* set options */ |
260 | 260 |
|
... | ... |
@@ -416,29 +416,27 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir |
416 | 416 |
{ |
417 | 417 |
pid_t pid; |
418 | 418 |
int status, wret, fdevnull; |
419 |
- unsigned int maxfiles, maxspace; |
|
419 |
+ unsigned int maxfiles, maxscansize; |
|
420 | 420 |
struct s_du n; |
421 | 421 |
|
422 | 422 |
|
423 | 423 |
if(opt_check(opt, "max-files")) |
424 | 424 |
maxfiles = atoi(opt_arg(opt, "max-files")); |
425 | 425 |
else |
426 |
- maxfiles = 0; |
|
426 |
+ maxfiles = 10000; |
|
427 | 427 |
|
428 |
- /* FIXMELIMITS */ |
|
429 |
- if(opt_check(opt, "max-filesize")) { |
|
428 |
+ if(opt_check(opt, "max-scansize")) { |
|
430 | 429 |
char *cpy, *ptr; |
431 |
- ptr = opt_arg(opt, "max-filesize"); |
|
430 |
+ ptr = opt_arg(opt, "max-scansize"); |
|
432 | 431 |
if(tolower(ptr[strlen(ptr) - 1]) == 'm') { /* megabytes */ |
433 | 432 |
cpy = calloc(strlen(ptr), 1); |
434 | 433 |
strncpy(cpy, ptr, strlen(ptr) - 1); |
435 |
- maxspace = atoi(cpy) * 1024; |
|
434 |
+ maxscansize = atoi(cpy) * 1024; |
|
436 | 435 |
free(cpy); |
437 | 436 |
} else /* default - kilobytes */ |
438 |
- maxspace = atoi(ptr); |
|
437 |
+ maxscansize = atoi(ptr); |
|
439 | 438 |
} else |
440 |
- maxspace = 0; |
|
441 |
- |
|
439 |
+ maxscansize = 104857600; |
|
442 | 440 |
|
443 | 441 |
switch(pid = fork()) { |
444 | 442 |
case -1: |
... | ... |
@@ -490,12 +488,12 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir |
490 | 490 |
break; |
491 | 491 |
default: |
492 | 492 |
|
493 |
- if(maxfiles || maxspace) { |
|
493 |
+ if(maxscansize || maxfiles) { |
|
494 | 494 |
while(!(wret = waitpid(pid, &status, WNOHANG))) { |
495 | 495 |
memset(&n, 0, sizeof(struct s_du)); |
496 | 496 |
|
497 | 497 |
if(!du(tmpdir, &n)) |
498 |
- if((maxfiles && n.files > maxfiles) || (maxspace && n.space > maxspace)) { |
|
498 |
+ if((maxfiles && n.files > maxfiles) || (maxscansize && n.space > maxscansize)) { |
|
499 | 499 |
logg("*n.files: %u, n.space: %lu\n", n.files, n.space); |
500 | 500 |
kill(pid, 9); /* stop it immediately */ |
501 | 501 |
} |
... | ... |
@@ -266,26 +266,36 @@ LocalSocket /tmp/clamd.socket |
266 | 266 |
# The options below protect your system against Denial of Service attacks |
267 | 267 |
# using archive bombs. |
268 | 268 |
|
269 |
-# FIXMELIMITS |
|
270 |
-# Value of 0 disables the limit. |
|
271 |
-# Default: FIXMELIMITS |
|
269 |
+# This option sets the maximum amount of data to be scanned for each input file. |
|
270 |
+# Archives and other containers are recursively extracted and scanned up to this |
|
271 |
+# value. |
|
272 |
+# Value of 0 disables the limit |
|
273 |
+# Note: disabling this limit or setting it too high may result in severe damage |
|
274 |
+# to the system. |
|
275 |
+# Default: 100M |
|
272 | 276 |
#MaxScanSize 15M |
273 | 277 |
|
274 |
-# Files in archives larger than this limit won't be scanned. |
|
278 |
+# Files larger than this limit won't be scanned. |
|
275 | 279 |
# Value of 0 disables the limit. |
276 |
-# Default: 10M |
|
280 |
+# Note: disabling this limit or setting it too high may result in severe damage |
|
281 |
+# to the system. |
|
282 |
+# Default: 25M |
|
277 | 283 |
#MaxFileSize 15M |
278 | 284 |
|
279 | 285 |
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR |
280 | 286 |
# file, all files within it will also be scanned. This options specifies how |
281 | 287 |
# deeply the process should be continued. |
288 |
+# Note: disabling this limit or setting it too high may result in severe damage |
|
289 |
+# to the system. |
|
282 | 290 |
# Value of 0 disables the limit. |
283 |
-# Default: 8 |
|
291 |
+# Default: 16 |
|
284 | 292 |
#MaxRecursion 10 |
285 | 293 |
|
286 |
-# Number of files to be scanned within an archive. |
|
294 |
+# Number of files to be scanned within an archive, a document, ecc. |
|
287 | 295 |
# Value of 0 disables the limit. |
288 |
-# Default: 1000 |
|
296 |
+# Note: disabling this limit or setting it too high may result in severe damage |
|
297 |
+# to the system. |
|
298 |
+# Default: 10000 |
|
289 | 299 |
#MaxFiles 1500 |
290 | 300 |
|
291 | 301 |
# Use slower but memory efficient decompression algorithm. |
... | ... |
@@ -60,10 +60,10 @@ struct cfgoption cfg_options[] = { |
60 | 60 |
{"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
61 | 61 |
{"ScanPDF", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
62 | 62 |
{"ScanArchive", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
63 |
- {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD}, /* FIXMELIMITS */ |
|
64 |
- {"MaxFileSize", OPT_COMPSIZE, 10485760, NULL, 0, OPT_CLAMD}, |
|
65 |
- {"MaxRecursion", OPT_NUM, 8, NULL, 0, OPT_CLAMD}, |
|
66 |
- {"MaxFiles", OPT_NUM, 1000, NULL, 0, OPT_CLAMD}, |
|
63 |
+ {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD}, |
|
64 |
+ {"MaxFileSize", OPT_COMPSIZE, 26214400, NULL, 0, OPT_CLAMD}, |
|
65 |
+ {"MaxRecursion", OPT_NUM, 16, NULL, 0, OPT_CLAMD}, |
|
66 |
+ {"MaxFiles", OPT_NUM, 10000, NULL, 0, OPT_CLAMD}, |
|
67 | 67 |
{"ArchiveLimitMemoryUsage", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
68 | 68 |
{"ArchiveBlockEncrypted", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
69 | 69 |
{"DatabaseDirectory", OPT_QUOTESTR, -1, DATADIR, 0, OPT_CLAMD | OPT_FRESHCLAM}, |