Browse code
add img url link-type filtering
| ... | ... |
@@ -1,3 +1,7 @@ |
| 1 |
+Fri Jan 12 18:35:02 CET 2007 (tk) |
|
| 2 |
+--------------------------------- |
|
| 3 |
+ * libclamav/phishcheck.c: add img url link-type filtering (patch from Edwin) |
|
| 4 |
+ |
|
| 1 | 5 |
Fri Jan 12 18:18:43 CET 2007 (tk) |
| 2 | 6 |
--------------------------------- |
| 3 | 7 |
* libclamav: phishing patch from Edwin (closes bb#157, #174, #222, #224) |
| ... | ... |
@@ -19,6 +19,9 @@ |
| 19 | 19 |
* MA 02110-1301, USA. |
| 20 | 20 |
* |
| 21 | 21 |
* $Log: phishcheck.c,v $ |
| 22 |
+ * Revision 1.18 2007/01/12 17:36:53 tkojm |
|
| 23 |
+ * add img url link-type filtering |
|
| 24 |
+ * |
|
| 22 | 25 |
* Revision 1.17 2007/01/12 17:29:09 tkojm |
| 23 | 26 |
* phishing patch from Edwin (closes bb#157, #174, #222, #224) |
| 24 | 27 |
* |
| ... | ... |
@@ -952,8 +955,12 @@ int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs) |
| 952 | 952 |
struct url_check urls; |
| 953 | 953 |
enum phish_status rc; |
| 954 | 954 |
urls.flags = strncmp((char*)hrefs->tag[i],href_text,href_text_len)? (CL_PHISH_ALL_CHECKS&~CHECK_SSL): CL_PHISH_ALL_CHECKS; |
| 955 |
- if (!(urls.flags&CHECK_IMG_URL) && !strncmp((char*)hrefs->tag[i],src_text,src_text_len)) |
|
| 955 |
+ urls.link_type = 0; |
|
| 956 |
+ if(!strncmp((char*)hrefs->tag[i],src_text,src_text_len)) {
|
|
| 957 |
+ if (!(urls.flags&CHECK_IMG_URL)) |
|
| 956 | 958 |
continue; |
| 959 |
+ urls.link_type |= LINKTYPE_IMAGE; |
|
| 960 |
+ } |
|
| 957 | 961 |
if (ctx->options&CL_SCAN_PHISHING_DOMAINLIST) |
| 958 | 962 |
urls.flags |= DOMAINLIST_REQUIRED; |
| 959 | 963 |
if (ctx->options & CL_SCAN_PHISHING_BLOCKSSL) {
|
| ... | ... |
@@ -1282,6 +1289,7 @@ enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check* |
| 1282 | 1282 |
* so defer phishing decisions till we know if host is listed*/ |
| 1283 | 1283 |
} |
| 1284 | 1284 |
|
| 1285 |
+ |
|
| 1285 | 1286 |
url_check_init(&host_url); |
| 1286 | 1287 |
|
| 1287 | 1288 |
if((rc = url_get_host(pchk, urls,&host_url,DOMAIN_DISPLAY,&phishy))) {
|
| ... | ... |
@@ -1301,6 +1309,10 @@ enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check* |
| 1301 | 1301 |
} |
| 1302 | 1302 |
} |
| 1303 | 1303 |
|
| 1304 |
+ /* link type filtering must occur after last domainlist_match */ |
|
| 1305 |
+ if(urls->link_type & LINKTYPE_IMAGE && !(urls->flags&CHECK_IMG_URL)) |
|
| 1306 |
+ return CL_PHISH_HOST_NOT_LISTED;/* its listed, but this link type is filtered */ |
|
| 1307 |
+ |
|
| 1304 | 1308 |
if(urls->flags & DOMAINLIST_REQUIRED && !(phishy & DOMAIN_LISTED) ) {
|
| 1305 | 1309 |
urls->flags &= urls->always_check_flags; |
| 1306 | 1310 |
if(!urls->flags) {
|
| ... | ... |
@@ -1313,7 +1325,7 @@ enum phish_status phishingCheck(const struct cl_engine* engine,struct url_check* |
| 1313 | 1313 |
/*Checks if URL is cloaked. |
| 1314 | 1314 |
Should we check if it containts another http://, https://? |
| 1315 | 1315 |
No because we might get false positives from redirect services.*/ |
| 1316 |
- if(strchr(urls->realLink.data,'\0x1')) {
|
|
| 1316 |
+ if(strchr(urls->realLink.data,0x1)) {
|
|
| 1317 | 1317 |
free_if_needed(&host_url); |
| 1318 | 1318 |
return CL_PHISH_CLOAKED_NULL; |
| 1319 | 1319 |
} |
| ... | ... |
@@ -48,6 +48,7 @@ enum phish_status {CL_PHISH_NODECISION=0,CL_PHISH_CLEAN=CL_PHISH_BASE, CL_PHISH_
|
| 48 | 48 |
#define DOMAINLIST_REQUIRED 512 |
| 49 | 49 |
/* img checking disabled by default */ |
| 50 | 50 |
|
| 51 |
+#define LINKTYPE_IMAGE 1 |
|
| 51 | 52 |
|
| 52 | 53 |
#define CL_PHISH_ALL_CHECKS (CLEANUP_URL|DOMAIN_SUFFICIENT|CHECK_SSL|CHECK_CLOAKING|DOMAINLIST_REQUIRED|CHECK_IMG_URL) |
| 53 | 54 |
|
| ... | ... |
@@ -72,6 +73,7 @@ struct url_check {
|
| 72 | 72 |
struct string displayLink; |
| 73 | 73 |
unsigned short flags; |
| 74 | 74 |
unsigned short always_check_flags; |
| 75 |
+ unsigned short link_type; |
|
| 75 | 76 |
}; |
| 76 | 77 |
|
| 77 | 78 |
int phishingScan(message* m,const char* dir,cli_ctx* ctx,tag_arguments_t* hrefs); |