git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@557 77e5149b-7576-45b1-b177-96237e5ba77b
Nigel Horne authored on 2004/05/12 20:22:07... | ... |
@@ -1,3 +1,7 @@ |
1 |
+Wed May 12 12:20:50 BST 2004 (njh) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/mbox.c: More bounce false positives removed |
|
4 |
+ |
|
1 | 5 |
Wed May 12 01:27:56 CEST 2004 (tk) |
2 | 6 |
---------------------------------- |
3 | 7 |
* libclamav: initial PE parser/dumper (not yet activated). It will be |
@@ -17,6 +17,9 @@ |
17 | 17 |
* |
18 | 18 |
* Change History: |
19 | 19 |
* $Log: mbox.c,v $ |
20 |
+ * Revision 1.72 2004/05/12 11:20:37 nigelhorne |
|
21 |
+ * More bounce message false positives handled |
|
22 |
+ * |
|
20 | 23 |
* Revision 1.71 2004/05/10 11:35:11 nigelhorne |
21 | 24 |
* No need to update mbox.c for cli_filetype problem |
22 | 25 |
* |
@@ -201,7 +204,7 @@ |
201 | 201 |
* Compilable under SCO; removed duplicate code with message.c |
202 | 202 |
* |
203 | 203 |
*/ |
204 |
-static char const rcsid[] = "$Id: mbox.c,v 1.71 2004/05/10 11:35:11 nigelhorne Exp $"; |
|
204 |
+static char const rcsid[] = "$Id: mbox.c,v 1.72 2004/05/12 11:20:37 nigelhorne Exp $"; |
|
205 | 205 |
|
206 | 206 |
#if HAVE_CONFIG_H |
207 | 207 |
#include "clamav-config.h" |
@@ -1436,14 +1439,32 @@ parseEmailBody(message *messageIn, blob **blobsIn, int nBlobs, text *textIn, con |
1436 | 1436 |
blobDestroy(b); |
1437 | 1437 |
} |
1438 | 1438 |
} else if((encodingLine(mainMessage) != NULL) && |
1439 |
- ((t_line = bounceBegin(mainMessage)) != NULL)) { |
|
1439 |
+ ((t_line = bounceBegin(mainMessage)) != NULL)) { |
|
1440 |
+ const text *t; |
|
1441 |
+ static const char encoding[] = "Content-Transfer-Encoding"; |
|
1440 | 1442 |
/* |
1441 | 1443 |
* Attempt to save the original (unbounced) |
1442 | 1444 |
* message - clamscan will find that in the |
1443 | 1445 |
* directory and call us again (with any luck) |
1444 | 1446 |
* having found an e-mail message to handle |
1447 |
+ * |
|
1448 |
+ * This finds a lot of false positives, the |
|
1449 |
+ * search that an encoding line is in the |
|
1450 |
+ * bounce (i.e. it's after the bounce header) |
|
1451 |
+ * helps a bit, but at the expense of scanning |
|
1452 |
+ * the entire message. messageAddLine |
|
1453 |
+ * optimisation could help here, but needs |
|
1454 |
+ * careful thought, do it with line numbers |
|
1455 |
+ * would be best, since the current method in |
|
1456 |
+ * messageAddLine of checking encoding first |
|
1457 |
+ * must remain otherwise non bounce messages |
|
1458 |
+ * won't be scanned |
|
1445 | 1459 |
*/ |
1446 |
- if((b = textToBlob(t_line, NULL)) != NULL) { |
|
1460 |
+ for(t = t_line; t; t = t->t_next) |
|
1461 |
+ if((strncasecmp(t->t_text, encoding, sizeof(encoding) - 1) == 0) && |
|
1462 |
+ (strstr(t->t_text, "7bit") == NULL)) |
|
1463 |
+ break; |
|
1464 |
+ if(t && ((b = textToBlob(t_line, NULL)) != NULL)) { |
|
1447 | 1465 |
cli_dbgmsg("Found a bounce message\n"); |
1448 | 1466 |
|
1449 | 1467 |
saveFile(b, dir); |
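Review bot: The new 7bit exclusion at 1462, `(strstr(t->t_text, "7bit") == NULL)`, is case-sensitive while the header-name test on the line above uses strncasecmp, so a `Content-Transfer-Encoding: 7BIT` or `7Bit` line (the value is case-insensitive per RFC 2045) still passes as a non-7bit encoding and the message is saved as a bounce, which is the false positive this change is trying to remove. Make the value test case-insensitive to match the name test, using `strcasestr` where the platform provides it or a small fold-to-lowercase compare otherwise, since the file is also built on SCO. The loop also dereferences `t->t_text` unconditionally; if blank lines can be stored with a NULL t_text, strncasecmp would fault, so that should be confirmed or guarded with `t->t_text &&`. A minor style point: the multi-line for/if body at 1460-1463 has no braces, unlike the surrounding block. parseEmailBody begins and continues outside this hunk.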
@@ -1466,7 +1487,10 @@ parseEmailBody(message *messageIn, blob **blobsIn, int nBlobs, text *textIn, con |
1466 | 1466 |
else if((t_line = encodingLine(mainMessage)) != NULL) { |
1467 | 1467 |
/* |
1468 | 1468 |
* Some bounces include the message |
1469 |
- * body without the headers |
|
1469 |
+ * body without the headers. |
|
1470 |
+ * Unfortunately this generates a |
|
1471 |
+ * lot of false positives that a bounce |
|
1472 |
+ * has been found when it hasn't. |
|
1470 | 1473 |
*/ |
1471 | 1474 |
if((b = blobCreate()) != NULL) { |
1472 | 1475 |
cli_dbgmsg("Found a bounce message with no header\n"); |
@@ -1479,14 +1503,13 @@ parseEmailBody(message *messageIn, blob **blobsIn, int nBlobs, text *textIn, con |
1479 | 1479 |
blobDestroy(b); |
1480 | 1480 |
} |
1481 | 1481 |
saveIt = FALSE; |
1482 |
- } else { |
|
1482 |
+ } else |
|
1483 | 1483 |
/* |
1484 | 1484 |
* Save the entire text portion, |
1485 |
- * since it it may be an HTML |
|
1486 |
- * file with a JavaScript virus |
|
1485 |
+ * since it it may be an HTML file with |
|
1486 |
+ * a JavaScript virus |
|
1487 | 1487 |
*/ |
1488 | 1488 |
saveIt = TRUE; |
1489 |
- } |
|
1490 | 1489 |
|
1491 | 1490 |
if(saveIt) { |
1492 | 1491 |
cli_dbgmsg("Saving text part to scan\n"); |
@@ -1827,6 +1850,11 @@ saveTextPart(message *m, const char *dir) |
1827 | 1827 |
|
1828 | 1828 |
/* |
1829 | 1829 |
* Save some data as a unique file in the given directory. |
1830 |
+ * |
|
1831 |
+ * TODO: don't save archive files if archive scanning is disabled, or |
|
1832 |
+ * OLE2 files if that is disabled or pattern match --exclude, but |
|
1833 |
+ * we need access to the command line options/clamav.conf here to |
|
1834 |
+ * be able to do that |
|
1830 | 1835 |
*/ |
1831 | 1836 |
static bool |
1832 | 1837 |
saveFile(const blob *b, const char *dir) |