From 281c7642fbcada2c3c599419006da004db51d9c3 Mon Sep 17 00:00:00 2001 From: aCaB Date: Thu, 7 Feb 2008 02:00:21 +0000 Subject: [PATCH] config git-svn-id: file:///var/lib/svn/clamav-devel/branches/newlimits@3592 77e5149b-7576-45b1-b177-96237e5ba77b --- clamd/server-th.c | 39 +++++++++++++++++++-------------------- clamscan/clamscan.c | 26 +++++++++++++++++--------- clamscan/clamscan_opt.h | 3 ++- clamscan/manager.c | 24 +++++++++++++++++++----- etc/clamd.conf | 27 ++++++++------------------- shared/cfgparser.c | 10 ++++------ 6 files changed, 69 insertions(+), 60 deletions(-) diff --git a/clamd/server-th.c b/clamd/server-th.c index dd37b15f6..3e60ffbda 100644 --- a/clamd/server-th.c +++ b/clamd/server-th.c 
@@ -309,27 +309,36 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne logg("*Listening daemon: PID: %u\n", (unsigned int) mainpid); max_threads = cfgopt(copt, "MaxThreads")->numarg; - if(cfgopt(copt, "ScanArchive")->enabled) { + if(cfgopt(copt, "ScanArchive")->enabled) { /* FIXMELIMITS: unparsed if archives disabled! */ /* set up limits */ memset(&limits, 0, sizeof(struct cl_limits)); - if((limits.maxfilesize = cfgopt(copt, "ArchiveMaxFileSize")->numarg)) { - logg("Archive: Archived file size limit set to %lu bytes.\n", limits.maxfilesize); + logg("Archive support enabled.\n"); + options |= CL_SCAN_ARCHIVE; + + if((limits.maxfilesize = cfgopt(copt, "MaxScanSize")->numarg)) { + logg("Limits: Global size limit set to %lu bytes.\n", limits.maxscansize); + } else { + logg("^Limits: Global size limit protection disabled.\n"); + } + + if((limits.maxfilesize = cfgopt(copt, "MaxFileSize")->numarg)) { + logg("Limits: File size limit set to %lu bytes.\n", limits.maxfilesize); } else { - logg("^Archive: File size limit protection disabled.\n"); + logg("^Limits: File size limit protection disabled.\n"); } - if((limits.maxreclevel = cfgopt(copt, "ArchiveMaxRecursion")->numarg)) { - logg("Archive: Recursion level limit set to %u.\n", limits.maxreclevel); + if((limits.maxreclevel = cfgopt(copt, "MaxRecursion")->numarg)) { + logg("Limits: Recursion level limit set to %u.\n", limits.maxreclevel); } else { - logg("^Archive: Recursion level limit protection disabled.\n"); + logg("^Limits: Recursion level limit protection disabled.\n"); } - if((limits.maxfiles = cfgopt(copt, "ArchiveMaxFiles")->numarg)) { - logg("Archive: Files limit set to %u.\n", limits.maxfiles); + if((limits.maxfiles = cfgopt(copt, "MaxFiles")->numarg)) { + logg("Limits: Files limit set to %u.\n", limits.maxfiles); } else { - logg("^Archive: Files limit protection disabled.\n"); + logg("^Limits: Files limit protection disabled.\n"); } if(cfgopt(copt, 
"ArchiveLimitMemoryUsage")->enabled) { @@ -338,22 +347,12 @@ int acceptloop_th(int *socketds, int nsockets, struct cl_engine *engine, unsigne } else { limits.archivememlim = 0; } - } - - if(cfgopt(copt, "ScanArchive")->enabled) { - logg("Archive support enabled.\n"); - options |= CL_SCAN_ARCHIVE; if(cfgopt(copt, "ArchiveBlockEncrypted")->enabled) { logg("Archive: Blocking encrypted archives.\n"); options |= CL_SCAN_BLOCKENCRYPTED; } - if(cfgopt(copt, "ArchiveBlockMax")->enabled) { - logg("Archive: Blocking archives that exceed limits.\n"); - options |= CL_SCAN_BLOCKMAX; - } - } else { logg("Archive support disabled.\n"); } diff --git a/clamscan/clamscan.c b/clamscan/clamscan.c index 20a81bea7..6f3ef8cf4 100644 --- a/clamscan/clamscan.c +++ b/clamscan/clamscan.c @@ -144,11 +144,22 @@ int main(int argc, char **argv) /* validate some numerical options */ - if(opt_check(opt, "max-space")) { - pt = opt_arg(opt, "max-space"); + if(opt_check(opt, "max-scansize")) { + pt = opt_arg(opt, "max-scansize"); if(!strchr(pt, 'M') && !strchr(pt, 'm')) { if(!isnumb(pt)) { - logg("!--max-space requires a natural number\n"); + logg("!--max-scansize requires a natural number\n"); + opt_free(opt); + return 40; + } + } + } + + if(opt_check(opt, "max-filesize")) { + pt = opt_arg(opt, "max-filesize"); + if(!strchr(pt, 'M') && !strchr(pt, 'm')) { + if(!isnumb(pt)) { + logg("!--max-filesize requires a natural number\n"); opt_free(opt); return 40; } 
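Review bot: The new `MaxScanSize` branch in acceptloop_th stores the value in the wrong field: `if((limits.maxfilesize = cfgopt(copt, "MaxScanSize")->numarg))` assigns to `maxfilesize` and then logs `limits.maxscansize`, which is still 0 from the preceding memset. The `MaxFileSize` block that follows overwrites `maxfilesize`, so `limits.maxscansize` is never set here; since clamd.conf in this patch documents 0 as disabling a limit, the global size limit meant to guard against archive bombs appears to be off whatever the configuration says. The condition should read `if((limits.maxscansize = cfgopt(copt, "MaxScanSize")->numarg)) {`. The same copy-paste slip is in the `max-scansize` megabyte branch of scanmanager in clamscan/manager.c, where `limits.maxfilesize = atoi(cpy) * 1024 * 1024;` should assign `limits.maxscansize`. acceptloop_th's body starts and ends outside the hunk.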
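Review bot: Both new checks in main skip validation whenever the argument contains an `M` or `m` anywhere, because `isnumb(pt)` is only reached when both `strchr` calls return NULL. A value such as `xm` (constructed example) therefore passes and is later handed to `atoi` in clamscan/manager.c, which yields 0. If 0 means "no limit" for clamscan as it does for the clamd options documented in this patch, a mistyped limit silently turns the protection off instead of exiting with code 40. Consider validating the digits in front of a single trailing `m`/`M`, and sharing one helper between `--max-scansize` and `--max-filesize` rather than duplicating the block. main continues outside the hunk.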
@@ -311,14 +322,11 @@ void help(void) mprintf(" --block-max Block archives that exceed limits\n"); mprintf(" --mail-follow-urls Download and scan URLs\n"); mprintf("\n"); - mprintf(" --max-space=#n Only extract first #n kilobytes from\n"); - mprintf(" archived files\n"); - mprintf(" --max-files=#n Only extract first #n files from\n"); - mprintf(" archives\n"); - mprintf(" --max-ratio=#n Maximum compression ratio limit\n"); + mprintf(" --max-scansize=#n FIXMELIMITS\n"); + mprintf(" --max-filesize=#n FIXMELIMITS\n"); + mprintf(" --max-files=#n FIXMELIMITS\n"); mprintf(" --max-recursion=#n Maximum archive recursion level\n"); mprintf(" --max-dir-recursion=#n Maximum directory recursion level\n"); - mprintf(" --max-mail-recursion=#n Maximum mail recursion level\n"); mprintf(" --unzip[=FULLPATH] Enable support for .zip files\n"); mprintf(" --unrar[=FULLPATH] Enable support for .rar files\n"); mprintf(" --arj[=FULLPATH] Enable support for .arj files\n"); diff --git a/clamscan/clamscan_opt.h b/clamscan/clamscan_opt.h index 115df6422..695dca35f 100644 --- a/clamscan/clamscan_opt.h +++ b/clamscan/clamscan_opt.h @@ -54,7 +54,8 @@ static struct option clamscan_longopt[] = { {"include", 1, 0, 0}, {"include-dir", 1, 0, 0}, {"max-files", 1, 0, 0}, - {"max-space", 1, 0, 0}, + {"max-filesize", 1, 0, 0}, + {"max-scansize", 1, 0, 0}, {"max-recursion", 1, 0, 0}, {"max-dir-recursion", 1, 0, 0}, {"detect-pua", 0, 0, 0}, diff --git a/clamscan/manager.c b/clamscan/manager.c index b157a0335..54254d91f 100644 --- a/clamscan/manager.c +++ b/clamscan/manager.c 
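Review bot: The help lines for `--max-scansize`, `--max-filesize` and `--max-files` now print the literal placeholder `FIXMELIMITS`, so users get neither a description nor a unit for the limits. clamscan/manager.c in this patch treats a bare number as kilobytes and a trailing `m` as megabytes, so the text can say so, for instance `--max-filesize=#n  Files larger than #n KB won't be scanned (append M for megabytes)`, with matching lines for the other two once the final semantics are settled. The unchanged `--block-max` line is worth re-checking as well, since this commit removes the corresponding clamd option; whether clamscan still honours it is not visible here.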
@@ -220,9 +220,22 @@ int scanmanager(const struct optstruct *opt) /* set limits */ memset(&limits, 0, sizeof(struct cl_limits)); - if(opt_check(opt, "max-space")) { + if(opt_check(opt, "max-scansize")) { char *cpy, *ptr; - ptr = opt_arg(opt, "max-space"); + ptr = opt_arg(opt, "max-scansize"); + if(tolower(ptr[strlen(ptr) - 1]) == 'm') { + cpy = calloc(strlen(ptr), 1); + strncpy(cpy, ptr, strlen(ptr) - 1); + limits.maxfilesize = atoi(cpy) * 1024 * 1024; + free(cpy); + } else + limits.maxscansize = atoi(ptr) * 1024; + } else + limits.maxscansize = 104857600; /* FIXMELIMITS */ + + if(opt_check(opt, "max-filesize")) { + char *cpy, *ptr; + ptr = opt_arg(opt, "max-filesize"); if(tolower(ptr[strlen(ptr) - 1]) == 'm') { cpy = calloc(strlen(ptr), 1); strncpy(cpy, ptr, strlen(ptr) - 1); @@ -231,7 +244,7 @@ int scanmanager(const struct optstruct *opt) } else limits.maxfilesize = atoi(ptr) * 1024; } else - limits.maxfilesize = 10485760; + limits.maxfilesize = 10485760; /* FIXMELIMITS */ if(opt_check(opt, "max-files")) limits.maxfiles = atoi(opt_arg(opt, "max-files")); @@ -412,9 +425,10 @@ static int clamav_unpack(const char *prog, const char **args, const char *tmpdir else maxfiles = 0; - if(opt_check(opt, "max-space")) { + /* FIXMELIMITS */ + if(opt_check(opt, "max-filesize")) { char *cpy, *ptr; - ptr = opt_arg(opt, "max-space"); + ptr = opt_arg(opt, "max-filesize"); if(tolower(ptr[strlen(ptr) - 1]) == 'm') { /* megabytes */ cpy = calloc(strlen(ptr), 1); strncpy(cpy, ptr, strlen(ptr) - 1); diff --git a/etc/clamd.conf b/etc/clamd.conf index 025ca3ef0..2b0dc46cd 100644 --- a/etc/clamd.conf +++ b/etc/clamd.conf @@ -224,10 +224,6 @@ LocalSocket /tmp/clamd.socket # Default: no #MailFollowURLs no -# Recursion level limit for the mail scanner. -# Default: 64 -#MailMaxRecursion 128 - # With this option enabled ClamAV will try to detect phishing attempts by using # signatures. # Default: yes 
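Review bot: The size conversions in the new `max-scansize` block of scanmanager multiply in `int`, so `atoi(cpy) * 1024 * 1024` overflows from 2048M upward; signed overflow is undefined and can leave the limit at zero or a wrapped value. Parsing into an unsigned long and range-checking before the multiply avoids that, e.g. `limits.maxscansize = strtoul(cpy, NULL, 10) * 1024UL * 1024UL;` (assigning to `maxscansize`, the field this option is meant to set). The block also indexes `ptr[strlen(ptr) - 1]` without checking for an empty argument and passes the `calloc` result to `strncpy` unchecked; both are worth guarding because the value comes straight from the command line. These patterns are copied from the existing `max-filesize` code that follows, so the same applies there. scanmanager's body continues outside the hunk.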
@@ -270,28 +266,27 @@ LocalSocket /tmp/clamd.socket # The options below protect your system against Denial of Service attacks # using archive bombs. +# FIXMELIMITS +# Value of 0 disables the limit. +# Default: FIXMELIMITS +#MaxScanSize 15M + # Files in archives larger than this limit won't be scanned. # Value of 0 disables the limit. # Default: 10M -#ArchiveMaxFileSize 15M +#MaxFileSize 15M # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR # file, all files within it will also be scanned. This options specifies how # deeply the process should be continued. # Value of 0 disables the limit. # Default: 8 -#ArchiveMaxRecursion 10 +#MaxRecursion 10 # Number of files to be scanned within an archive. # Value of 0 disables the limit. # Default: 1000 -#ArchiveMaxFiles 1500 - -# If a file in an archive is compressed more than ArchiveMaxCompressionRatio -# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip) -# Value of 0 disables the limit. -# Default: 250 -#ArchiveMaxCompressionRatio 300 +#MaxFiles 1500 # Use slower but memory efficient decompression algorithm. # only affects the bzip2 decompressor. @@ -302,12 +297,6 @@ LocalSocket /tmp/clamd.socket # Default: no #ArchiveBlockEncrypted no -# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit) -# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is -# reached. -# Default: no -#ArchiveBlockMax no - ## ## Clamuko settings diff --git a/shared/cfgparser.c b/shared/cfgparser.c index 195b35275..b850125af 100644 --- a/shared/cfgparser.c +++ b/shared/cfgparser.c 
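Review bot: The new `MaxScanSize` entry ships with `# FIXMELIMITS` as its description and `# Default: FIXMELIMITS` as its default, so an operator cannot tell what the limit covers or what applies when the line stays commented out. shared/cfgparser.c in this patch sets the default to 104857600, so the comment could read `# Default: 100M`, and the description should state what is counted toward the limit once that is settled. The `MaxFileSize`, `MaxRecursion` and `MaxFiles` comments still speak of archives only; if the renamed options now apply more widely, as the new names suggest, the wording should follow.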
@@ -47,7 +47,6 @@ struct cfgoption cfg_options[] = { {"DetectBrokenExecutables", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, {"ScanMail", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, {"MailFollowURLs", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, - {"MailMaxRecursion", OPT_NUM, 64, NULL, 0, OPT_CLAMD}, {"PhishingSignatures", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, {"PhishingScanURLs",OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, /* these are FP prone options, if default isn't used */ @@ -61,13 +60,12 @@ struct cfgoption cfg_options[] = { {"ScanOLE2", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, {"ScanPDF", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, {"ScanArchive", OPT_BOOL, 1, NULL, 0, OPT_CLAMD}, - {"ArchiveMaxFileSize", OPT_COMPSIZE, 10485760, NULL, 0, OPT_CLAMD}, - {"ArchiveMaxRecursion", OPT_NUM, 8, NULL, 0, OPT_CLAMD}, - {"ArchiveMaxFiles", OPT_NUM, 1000, NULL, 0, OPT_CLAMD}, - {"ArchiveMaxCompressionRatio", OPT_NUM, 250, NULL, 0, OPT_CLAMD}, + {"MaxScanSize", OPT_COMPSIZE, 104857600, NULL, 0, OPT_CLAMD}, /* FIXMELIMITS */ + {"MaxFileSize", OPT_COMPSIZE, 10485760, NULL, 0, OPT_CLAMD}, + {"MaxRecursion", OPT_NUM, 8, NULL, 0, OPT_CLAMD}, + {"MaxFiles", OPT_NUM, 1000, NULL, 0, OPT_CLAMD}, {"ArchiveLimitMemoryUsage", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, {"ArchiveBlockEncrypted", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, - {"ArchiveBlockMax", OPT_BOOL, 0, NULL, 0, OPT_CLAMD}, {"DatabaseDirectory", OPT_QUOTESTR, -1, DATADIR, 0, OPT_CLAMD | OPT_FRESHCLAM}, {"TCPAddr", OPT_QUOTESTR, -1, NULL, 0, OPT_CLAMD}, {"TCPSocket", OPT_NUM, -1, NULL, 0, OPT_CLAMD},
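Review bot: The second `cfg_options` hunk renames `ArchiveMaxFileSize`, `ArchiveMaxRecursion` and `ArchiveMaxFiles` and drops `ArchiveMaxCompressionRatio` and `ArchiveBlockMax` without leaving any alias or deprecation entry. How the parser treats a key that is no longer in the table is not visible in this hunk: if unknown keys are ignored, an existing clamd.conf that tightened these limits would silently fall back to the defaults, and if they are rejected, clamd would refuse to start after the upgrade. If the option table allows it, keep the old names as deprecated entries that map to the new ones, or make the parser emit a clear error naming the replacement. A comment on the `MaxScanSize` line giving the value in human units, e.g. `/* 100 MB, FIXMELIMITS */`, would also help.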