clamd: add AllowAllMatchScan config option for permit/deny ALLMATCHSCAN command

clamd/session.c

@@ -362,13 +362,18 @@ int command(client_conn_t *conn, int *virus)
 	     cli_unlink(conn->filename);
 	     return ret;
 	 case COMMAND_ALLMATCHSCAN:
-	     thrmgr_setactivetask(NULL, "ALLMATCHSCAN");
-	     scandata.options |= CL_SCAN_ALLMATCHES;
-	     type = TYPE_SCAN;
-	     break;
+	     if (!optget(opts, "AllowAllMatchScan")->enabled) {
+		logg("$Rejecting ALLMATCHSCAN command.\n");
+		conn_reply(conn, conn->filename, "ALLMATCHSCAN command disabled by clamd configuration.", "ERROR");
+		return 1;
+	    }
+	    thrmgr_setactivetask(NULL, "ALLMATCHSCAN");
+	    scandata.options |= CL_SCAN_ALLMATCHES;
+	    type = TYPE_SCAN;
+	    break;
 	 default:
-	     logg("!Invalid command distpached: %d\n", conn->cmdtype);
-	     return 1;
+	    logg("!Invalid command dispatched: %d\n", conn->cmdtype);
+	    return 1;
      }
 
      scandata.type = type;

etc/clamd.conf.sample

@@ -212,6 +212,11 @@ Example
 # Default: no
 #LeaveTemporaryFiles yes
 
+# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
+# any ALLMATCHSCAN command as invalid.
+# Default: yes
+#AllowAllMatchScan no
+
 # Detect Possibly Unwanted Applications.
 # Default: no
 #DetectPUA yes

shared/optparser.c

@@ -253,6 +253,8 @@ const struct clam_option __clam_options[] = {
 
     { "ExitOnOOM", NULL, 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes" },
 
+    { "AllowAllMatchScan", NULL, 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Permit use of the ALLMATCHSCAN command.", "yes" },
+
     { "Foreground", NULL, 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER, "Don't fork into background.", "no" },
 
     { "Debug", NULL, 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM, "Enable debug messages in libclamav.", "no" },