Add support for CL_BLOCKMAX

git-svn: trunk@848

clamav-devel/AUTHORS

@@ -127,6 +127,7 @@ Ed Phillips <ed*UDel.Edu>
 Pierre <pierrezero*fastmail.fm>
 Andreas Piesk <Andreas.Piesk*heise.de>
 Ant La Porte <ant*dvere.net>
+Christophe Poujol <Christophe.Poujol*atosorigin.com>
 Thomas Quinot <thomas*cuivre.fr.eu.org>
 Brian A. Reiter <breiter*wolfereiter.com>
 Hector M. Rulot Segovia <Hector.Rulot*uv.es>

clamav-devel/ChangeLog

@@ -1,3 +1,11 @@
+Mon Sep 13 03:31:58 CEST 2004 (tk)
+----------------------------------
+  * libclamav: CL_BLOCKMAX: allow blocking (i.e. marking as viruses) of
+	       archives that exceed limits (in std mode they're only ignored).
+	       Patch by Christophe Poujol <Christophe.Poujol*atosorigin.com>.
+  * clamd: new directive ArchiveBlockMax
+  * clamscan: new option --block-max
+
 Mon Sep 13 02:22:31 CEST 2004 (tk)
 ----------------------------------
   * clamscan: fix miscounting when trying to scan inaccessible archives

clamav-devel/clamd/server-th.c

@@ -296,17 +296,22 @@ int acceptloop_th(int socketd, struct cl_node *root, const struct cfgstruct *cop
 	options |= CL_ARCHIVE;
 
 	if(cfgopt(copt, "ScanRAR")) {
-	    logg("RAR support enabled.\n");
+	    logg("Archive: RAR support enabled.\n");
 	} else {
-	    logg("RAR support disabled.\n");
+	    logg("Archive: RAR support disabled.\n");
 	    options |= CL_DISABLERAR;
 	}
 
 	if(cfgopt(copt, "ArchiveBlockEncrypted")) {
-	    logg("Blocking encrypted archives.\n");
+	    logg("Archive: Blocking encrypted archives.\n");
 	    options |= CL_ENCRYPTED;
 	}
 
+	if(cfgopt(copt, "ArchiveBlockMax")) {
+	    logg("Archive: Blocking archives that exceed limits.\n");
+	    options |= CL_BLOCKMAX;
+	}
+
     } else {
 	logg("Archive support disabled.\n");
     }

clamav-devel/clamscan/clamscan.c

@@ -228,6 +228,7 @@ void help(void)
     mprintf("    --no-archive                         Disable libclamav archive support\n");
     mprintf("    --detect-broken                      Try to detect broken executable files\n");
     mprintf("    --block-encrypted                    Block encrypted archives\n");
+    mprintf("    --block-max                          Block archives that exceed limits\n");
     mprintf("    --mail-follow-urls                   Download and scan URLs\n");
 
     mprintf("\n");

clamav-devel/clamscan/manager.c

@@ -173,6 +173,9 @@ int scanmanager(const struct optstruct *opt)
     if(optl(opt, "block-encrypted"))
 	options |= CL_ENCRYPTED;
 
+    if(optl(opt, "block-max"))
+	options |= CL_BLOCKMAX;
+
     if(optl(opt, "no-pe"))
 	options &= ~CL_PE;
     else

clamav-devel/clamscan/options.c

@@ -91,6 +91,7 @@ int main(int argc, char **argv)
 	    {"no-archive", 0, 0, 0},
 	    {"detect-broken", 0, 0, 0},
 	    {"block-encrypted", 0, 0, 0},
+	    {"block-max", 0, 0, 0},
 	    {"no-pe", 0, 0, 0},
 	    {"no-ole2", 0, 0, 0},
 	    {"no-html", 0, 0, 0},

clamav-devel/docs/man/clamav.conf.5

@@ -228,6 +228,11 @@ Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
 .br 
 Default: disabled
 .TP 
+\fBArchiveBlockMax\fR
+Mark archives as viruses if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is reached.
+.br 
+Default: disabled
+.TP 
 \fBClamukoScanOnLine\fR
 Enable Clamuko \- on\-access scanner for Linux. Dazuko must be already running.
 .br 

clamav-devel/docs/man/clamscan.1

@@ -87,6 +87,9 @@ Mark broken executables as viruses (Broken.Executable).
 \fB\-\-block\-encrypted\fR
 Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
 .TP 
+\fB\-\-block\-max\fR
+Mark archives as viruses if max\-files, max\-space, or max\-recursion is reached.
+.TP 
 \fB\-\-mail\-follow\-urls\fR
 If an email contains URLs ClamAV can download and scan them. \fBWARNING: This option may open your system to a DoS attack. Never use it on loaded servers.\fR
 .TP 

clamav-devel/etc/clamav.conf

@@ -219,11 +219,15 @@ ArchiveMaxCompressionRatio 200
 # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
 #ArchiveBlockEncrypted
 
+# Mark archives as viruses if ArchiveMaxFiles, ArchiveMaxFileSize, or
+# ArchiveMaxRecursion limit is reached.
+#ArchiveBlockMax
+
 
 ##
 ## Clamuko settings
 ## WARNING: This is experimental software. It is very likely it will hang
-##	    up your system !!!
+##	    up your system!!!
 ##
 
 # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.

clamav-devel/libclamav/clamav.h

@@ -76,6 +76,8 @@ extern "C"
 #define CL_PE		64
 #define CL_BROKEN	128
 #define CL_MAILURL	256
+#define CL_BLOCKMAX	512
+
 
 /* recommended options */
 #define CL_STDOPT	(CL_ARCHIVE | CL_MAIL | CL_OLE2 | CL_HTML | CL_PE) 

clamav-devel/libclamav/scanners.c

@@ -83,10 +83,10 @@ extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME *
 #define SCAN_PE		    (options & CL_PE)
 #define DISABLE_RAR	    (options & CL_DISABLERAR)
 #define DETECT_ENCRYPTED    (options & CL_ENCRYPTED)
+#define BLOCKMAX	    (options & CL_BLOCKMAX)
 
 #define MAX_MAIL_RECURSION  15
 
-
 static int cli_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *arec, int *mrec);
 
 
@@ -141,17 +141,35 @@ static int cli_scanrar(int desc, const char **virname, long int *scanned, const
 	}
 
 	if(limits) {
+
+	    if(limits->maxratio && rarlist->item.UnpSize && rarlist->item.PackSize) {
+		if((unsigned int) rarlist->item.UnpSize / (unsigned int) rarlist->item.PackSize >= limits->maxratio) {
+		    cli_dbgmsg("RAR: Max ratio reached (normal: %d, compressed: %d, max: %ld)\n", (int) rarlist->item.UnpSize, (int) rarlist->item.PackSize, limits->maxratio);
+		    *virname = "Oversized.RAR";
+		    ret = CL_VIRUS;
+		    break;
+		}
+	    }
+
 	    if(limits->maxfilesize && (rarlist->item.UnpSize > (unsigned int) limits->maxfilesize)) {
 		cli_dbgmsg("RAR: %s: Size exceeded (%u, max: %lu)\n", rarlist->item.Name, (unsigned int) rarlist->item.UnpSize, limits->maxfilesize);
 		rarlist = rarlist->next;
 		files++;
-		/* ret = CL_EMAXSIZE; */
+		if(BLOCKMAX) {
+		    *virname = "RAR.ExceededFileSize";
+		    ret = CL_VIRUS;
+		    break;
+		}
 		continue;
 	    }
 
 	    if(limits->maxfiles && (files > limits->maxfiles)) {
 		cli_dbgmsg("RAR: Files limit reached (max: %d)\n", limits->maxfiles);
-		/* ret = CL_EMAXFILES; */
+		if(BLOCKMAX) {
+		    *virname = "RAR.ExceededFilesLimit";
+		    ret = CL_VIRUS;
+		    break;
+		}
 		break;
 	    }
 	}
@@ -318,12 +336,21 @@ static int cli_scanzip(int desc, const char **virname, long int *scanned, const
 		cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize);
 		files++;
 		/* ret = CL_EMAXSIZE; */
-		continue; /* this is not a bug */
+		if(BLOCKMAX) {
+		    *virname = "Zip.ExceededFileSize";
+		    ret = CL_VIRUS;
+		    break;
+		}
+		continue; /* continue scanning */
 	    }
 
 	    if(limits->maxfiles && (files > limits->maxfiles)) {
 		cli_dbgmsg("Zip: Files limit reached (max: %d)\n", limits->maxfiles);
-		/* ret = CL_EMAXFILES; */
+		if(BLOCKMAX) {
+		    *virname = "Zip.ExceededFilesLimit";
+		    ret = CL_VIRUS;
+		    break;
+		}
 		break;
 	    }
 	}

clamav-devel/shared/cfgparser.c

@@ -76,6 +76,7 @@ struct cfgstruct *parsecfg(const char *cfgfile, int messages)
 	    {"ArchiveMaxCompressionRatio", OPT_NUM},
 	    {"ArchiveLimitMemoryUsage", OPT_NOARG},
 	    {"ArchiveBlockEncrypted", OPT_NOARG},
+	    {"ArchiveBlockMax", OPT_NOARG},
 	    {"DataDirectory", OPT_STR}, /* obsolete */
 	    {"DatabaseDirectory", OPT_STR}, /* clamd + freshclam */
 	    {"TCPAddr", OPT_STR},