git-svn: trunk@2553
Tomasz Kojm authored on 2006/12/12 23:00:13... | ... |
@@ -1,3 +1,9 @@ |
1 |
+Tue Dec 12 14:57:11 CET 2006 (tk) |
|
2 |
+--------------------------------- |
|
3 |
+ * libclamav: add separate limit value for mail recursion level |
|
4 |
+ * clamscan: new option --max-mail-recursion |
|
5 |
+ * clamd: new option MailMaxRecursion |
|
6 |
+ |
|
1 | 7 |
Tue Dec 12 12:36:28 CET 2006 (tk) |
2 | 8 |
--------------------------------- |
3 | 9 |
* libclamav/scanners.c: fix debug message (bb#160), patch from |
... | ... |
@@ -398,6 +398,12 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_node *root, unsigned in |
398 | 398 |
options |= CL_SCAN_MAILURL; |
399 | 399 |
} |
400 | 400 |
|
401 |
+ if((limits.maxmailrec = cfgopt(copt, "MailMaxRecursion")->numarg)) { |
|
402 |
+ logg("Mail: Recursion level limit set to %u.\n", limits.maxmailrec); |
|
403 |
+ } else { |
|
404 |
+ logg("^Mail: Recursion level limit protection disabled.\n"); |
|
405 |
+ } |
|
406 |
+ |
|
401 | 407 |
} else { |
402 | 408 |
logg("Mail files support disabled.\n"); |
403 | 409 |
} |
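Review bot: The assignment `limits.maxmailrec = cfgopt(copt, "MailMaxRecursion")->numarg` stores the configured number into an `unsigned int` field (see the `struct cl_limits` change in this commit) with no range check, so only the exact value 0 triggers the "protection disabled" warning. The type of `numarg` and whether the config parser rejects negative numbers are not visible here; if a negative value can get through, it would wrap to a very large limit and be logged as an ordinary setting. A short comment above the block, such as `/* 0 turns the mail recursion limit off; a warning is logged below */`, would also record that 0 means "disabled", which the man page and sample config entries added in this commit do not mention. The enclosing function starts and ends outside the hunk.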
... | ... |
@@ -156,6 +156,14 @@ int main(int argc, char **argv) |
156 | 156 |
} |
157 | 157 |
} |
158 | 158 |
|
159 |
+ if(opt_check(opt, "max-mail-recursion")) { |
|
160 |
+ if(!isnumb(opt_arg(opt, "max-mail-recursion"))) { |
|
161 |
+ logg("!--max-mail-recursion requires a natural number\n"); |
|
162 |
+ opt_free(opt); |
|
163 |
+ return 40; |
|
164 |
+ } |
|
165 |
+ } |
|
166 |
+ |
|
159 | 167 |
if(opt_check(opt, "max-dir-recursion")) { |
160 | 168 |
if(!isnumb(opt_arg(opt, "max-dir-recursion"))) { |
161 | 169 |
logg("!--max-dir-recursion requires a natural number\n"); |
... | ... |
@@ -275,9 +283,10 @@ void help(void) |
275 | 275 |
mprintf(" archived files\n"); |
276 | 276 |
mprintf(" --max-files=#n Only extract first #n files from\n"); |
277 | 277 |
mprintf(" archives\n"); |
278 |
- mprintf(" --max-recursion=#n Maximum archive recursion level\n"); |
|
279 | 278 |
mprintf(" --max-ratio=#n Maximum compression ratio limit\n"); |
279 |
+ mprintf(" --max-recursion=#n Maximum archive recursion level\n"); |
|
280 | 280 |
mprintf(" --max-dir-recursion=#n Maximum directory recursion level\n"); |
281 |
+ mprintf(" --max-mail-recursion=#n Maximum mail recursion level\n"); |
|
281 | 282 |
mprintf(" --unzip[=FULLPATH] Enable support for .zip files\n"); |
282 | 283 |
mprintf(" --unrar[=FULLPATH] Enable support for .rar files\n"); |
283 | 284 |
mprintf(" --arj[=FULLPATH] Enable support for .arj files\n"); |
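Review bot: In the first hunk (main), the new `--max-mail-recursion` check accepts whatever `isnumb()` accepts, and nothing bounds the value before scanmanager converts it with `atoi()`. isnumb() is not shown, but if it only checks for digits, a long digit string passes here and then exceeds the range of int, where the result of `atoi` is undefined. Converting once with `strtoul` and rejecting out-of-range values at this point would close that gap; the existing `max-dir-recursion` check just below has the same shape. The help line in the second hunk could also state the default, e.g. `Maximum mail recursion level (default: 64)`. Both main and help continue outside their hunks.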
... | ... |
@@ -160,6 +160,11 @@ int scanmanager(const struct optstruct *opt) |
160 | 160 |
else |
161 | 161 |
limits->maxreclevel = 8; |
162 | 162 |
|
163 |
+ if(opt_check(opt, "max-mail-recursion")) |
|
164 |
+ limits->maxmailrec = atoi(opt_arg(opt, "max-mail-recursion")); |
|
165 |
+ else |
|
166 |
+ limits->maxmailrec = 64; |
|
167 |
+ |
|
163 | 168 |
if(opt_check(opt, "max-ratio")) |
164 | 169 |
limits->maxratio = atoi(opt_arg(opt, "max-ratio")); |
165 | 170 |
else |
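Review bot: `limits->maxmailrec = atoi(opt_arg(opt, "max-mail-recursion"));` lets `--max-mail-recursion=0` through silently. The clamd hunk in this commit treats 0 as "Recursion level limit protection disabled" and logs a warning, but clamscan gives the user no such signal, so a scan can run without the mail recursion guard unnoticed. Assuming libclamav gives 0 the same meaning for both front ends (not visible here), add a warning after the assignment, e.g. `if(!limits->maxmailrec) logg("^Mail: Recursion level limit protection disabled.\n");`, using whichever logging call this file already has. scanmanager's body continues outside the hunk.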
... | ... |
@@ -228,6 +228,11 @@ Default: enabled |
228 | 228 |
If an email contains URLs ClamAV can download and scan them. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR |
229 | 229 |
.br |
230 | 230 |
Default: disabled |
231 |
+.TP |
|
232 |
+\fBMailMaxRecursion\fR |
|
233 |
+Recursion level limit for the mail scanner. |
|
234 |
+.br |
|
235 |
+Default: 64 |
|
231 | 236 |
.TP |
232 | 237 |
\fBDetectPhishing\fR |
233 | 238 |
With this option enabled ClamAV will try to detect phishing attempts. |
... | ... |
@@ -120,6 +120,9 @@ Set archive recursion level limit. This option protects your system against DoS |
120 | 120 |
.TP |
121 | 121 |
\fB\-\-max\-ratio=#n\fR |
122 | 122 |
Set maximum archive compression ratio limit. This option protects your system against DoS attacks (default: 250). |
123 |
+.TP |
|
124 |
+\fB\-\-max\-mail\-recursion=#n\fR |
|
125 |
+Recursion level limit for the internal mail scanner. |
|
123 | 126 |
.TP |
124 | 127 |
\fB\-\-max\-dir\-recursion=#n\fR |
125 | 128 |
Maximum depth directories are scanned at (default: 15). |
... | ... |
@@ -213,6 +213,10 @@ LocalSocket /tmp/clamd |
213 | 213 |
# Default: no |
214 | 214 |
#MailFollowURLs no |
215 | 215 |
|
216 |
+# Recursion level limit for the mail scanner. |
|
217 |
+# Default: 64 |
|
218 |
+#MailMaxRecursion 128 |
|
219 |
+ |
|
216 | 220 |
# With this option enabled ClamAV will try to detect phishing attempts (using signatures). |
217 | 221 |
# Default: yes |
218 | 222 |
#DetectPhishing yes |
... | ... |
@@ -80,7 +80,8 @@ int main(int argc, char **argv) |
80 | 80 |
* file (files exceeding this limit |
81 | 81 |
* will be ignored) |
82 | 82 |
*/ |
83 |
- limits.maxreclevel = 5; /* maximum recursion level */ |
|
83 |
+ limits.maxreclevel = 5; /* maximum recursion level for archives */ |
|
84 |
+ limits.maxmailrec = 64; /* maximum recursion level for mail files */ |
|
84 | 85 |
limits.maxratio = 200; /* maximum compression ratio */ |
85 | 86 |
|
86 | 87 |
/* scan file descriptor */ |
... | ... |
@@ -189,10 +189,11 @@ struct cl_engine { |
189 | 189 |
}; |
190 | 190 |
|
191 | 191 |
struct cl_limits { |
192 |
- unsigned int maxreclevel; /* maximum recursion level */ |
|
192 |
+ unsigned int maxreclevel; /* maximum recursion level for archives */ |
|
193 | 193 |
unsigned int maxfiles; /* maximum number of files to be scanned |
194 | 194 |
* within a single archive |
195 | 195 |
*/ |
196 |
+ unsigned int maxmailrec; /* maximum recursion level for mail files */ |
|
196 | 197 |
unsigned int maxratio; /* maximum compression ratio */ |
197 | 198 |
unsigned short archivememlim; /* limit memory usage for some unpackers */ |
198 | 199 |
unsigned long int maxfilesize; /* compressed files larger than this limit |
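Review bot: `maxmailrec` is inserted in the middle of `struct cl_limits`, between `maxfiles` and `maxratio`, which shifts the offset of every later member. If this header is installed for library users (the path is not visible on this page), a program built against the old layout would write `maxratio`, `archivememlim` and `maxfilesize` into the wrong slots, so the library would read wrong DoS limits. Callers that fill the struct field by field without zeroing it would also leave `maxmailrec` uninitialised. Appending the member at the end would keep the existing offsets, but the size still changes, so it needs a library version bump and a note that callers must set the new field. The struct body continues past the end of this hunk.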
... | ... |
@@ -48,6 +48,7 @@ struct cfgoption cfg_options[] = { |
48 | 48 |
{"DetectBrokenExecutables", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
49 | 49 |
{"ScanMail", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
50 | 50 |
{"MailFollowURLs", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, |
51 |
+ {"MailMaxRecursion", OPT_NUM, 64, NULL, 0, OPT_CLAMD}, |
|
51 | 52 |
{"DetectPhishing", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |
52 | 53 |
#ifdef CL_EXPERIMENTAL |
53 | 54 |
{"PhishingScanURLs",OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, |