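/**
 * Match the metadata of a file inside a container against the engine's
 * metadata callback and its list of container-metadata (cdb) entries.
 *
 * @param ctx        scan context; ctx->engine may be NULL, in which case only
 *                   the debug line is emitted and CL_CLEAN is returned
 * @param fname      name of the inner file; may be NULL (a cdb entry with a
 *                   name regex never matches a NULL name)
 * @param fsizec     compared against cdb->fsizec
 * @param fsizer     compared against cdb->fsizer
 * @param encrypted  compared against cdb->encrypted unless that field is 2
 * @param filepos    compared against cdb->filepos
 * @param res1       compared against cdb->res1 for ZIP/RAR entries only
 * @param res2       only printed in the debug line
 * @return CL_VIRUS if the callback or any cdb entry matched, else CL_CLEAN
 *
 * NOTE(review): fname presumably comes from the container's own metadata and
 * is therefore attacker-influenced; it is handed to the callback, to the
 * regex matcher and to the debug log - confirm downstream consumers treat it
 * as untrusted.
 */
int cli_matchmeta(cli_ctx *ctx, const char *fname, size_t fsizec, size_t fsizer, int encrypted, unsigned int filepos, int res1, void *res2)
{
    const struct cli_cdb *cdb;
    unsigned int viruses_found = 0;
    /* fname may be NULL (the name test below allows for it); passing NULL to
     * a %s conversion is undefined behaviour, so log a placeholder instead. */
    const char *log_name = fname ? fname : "(null)";

    /* NOTE(review): fsizec is printed in both the second and fourth fields;
     * confirm whether the second was meant to be the container size. */
    cli_dbgmsg("CDBNAME:%s:%llu:%s:%llu:%llu:%d:%u:%u:%p\n",
               cli_ftname(ctx->container_type), (long long unsigned)fsizec,
               log_name, (long long unsigned)fsizec, (long long unsigned)fsizer,
               encrypted, filepos, (unsigned int)res1, res2);

    /* Application-supplied callback gets the first say; it receives the
     * original (possibly NULL) fname. */
    if (ctx->engine && ctx->engine->cb_meta) {
        if (ctx->engine->cb_meta(cli_ftname(ctx->container_type), fsizec, fname, fsizer, encrypted, filepos, ctx->cb_ctx) == CL_VIRUS) {
            cli_dbgmsg("inner file blacklisted by callback: %s\n", log_name);
            cli_append_virus(ctx, "Detected.By.Callback");
            viruses_found++;
            if (!SCAN_ALL)
                return CL_VIRUS;
        }
    }

    if (!ctx->engine || !(cdb = ctx->engine->cdb))
        return CL_CLEAN;

    do {
        /* `continue` in this do/while jumps to the loop condition, i.e. it
         * advances to the next cdb entry. */
        if (cdb->ctype != CL_TYPE_ANY && cdb->ctype != ctx->container_type)
            continue;

        /* cdb->encrypted == 2 disables the encryption comparison */
        if (cdb->encrypted != 2 && cdb->encrypted != encrypted)
            continue;

        if (cdb->res1 && (cdb->ctype == CL_TYPE_ZIP || cdb->ctype == CL_TYPE_RAR) && cdb->res1 != res1)
            continue;

/* Skip the entry when val is outside field[0]..field[1]. Equal bounds demand
 * an exact match; a zero bound leaves that side open; CLI_OFF_ANY in
 * field[0] disables the test. */
#define CDBRANGE(field, val)                                              \
    if (field[0] != CLI_OFF_ANY) {                                        \
        if (field[0] == field[1] && field[0] != val)                      \
            continue;                                                     \
        else if (field[0] != field[1] && ((field[0] && field[0] > val) || \
                                          (field[1] && field[1] < val)))  \
            continue;                                                     \
    }

        CDBRANGE(cdb->csize, ctx->container_size);
        CDBRANGE(cdb->fsizec, fsizec);
        CDBRANGE(cdb->fsizer, fsizer);
        CDBRANGE(cdb->filepos, filepos);

        /* An entry with a compiled name regex needs a non-NULL, matching name */
        if (cdb->name.re_magic && (!fname || cli_regexec(&cdb->name, fname, 0, NULL, 0) == REG_NOMATCH))
            continue;

        cli_append_virus(ctx, cdb->virname);
        viruses_found++;
        if (!SCAN_ALL)
            return CL_VIRUS;

    } while ((cdb = cdb->next));

    if (SCAN_ALL && viruses_found)
        return CL_VIRUS;
    return CL_CLEAN;
}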
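/**
 * Test whether the first len bytes of str match the TLD regex (preg_tld).
 *
 * The bytes are copied into a NUL-terminated scratch buffer because the
 * matcher is given a C string, while str need not end after len bytes.
 *
 * @param pchk  phishcheck state holding the compiled preg_tld regex
 * @param str   candidate text; NULL yields 0
 * @param len   number of bytes of str to test; a negative value yields 0
 * @return 1 if cli_regexec reports a match (returns 0), 0 otherwise,
 *         CL_EMEM if the scratch buffer cannot be allocated
 */
static int isTLD(const struct phishcheck* pchk, const char* str, int len)
{
    char *s;
    int rc;

    /* A negative len would turn into a huge size_t in strncpy and into an
     * out-of-bounds index for the terminator below, so reject it up front. */
    if (!str || len < 0)
        return 0;

    /* Do the +1 in size_t so that len == INT_MAX cannot overflow a signed int */
    s = cli_malloc((size_t)len + 1);
    if (!s) {
        /* NOTE(review): the other results are 0/1; if CL_EMEM is non-zero, a
         * caller that only tests truthiness treats an allocation failure as
         * "is a TLD" - confirm against callers. */
        return CL_EMEM;
    }

    strncpy(s, str, (size_t)len);
    s[len] = '\0'; /* strncpy does not terminate when str has >= len bytes */

    rc = !cli_regexec(&pchk->preg_tld, s, 0, NULL, 0);
    free(s);
    return rc ? 1 : 0;
}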
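/**
 * Extract the host part of one of url's links into host_url and classify it.
 *
 * @param pchk      phishcheck state (compiled regexes)
 * @param url       source of the URL text; for the display link its
 *                  pre_fixup host offsets are also recorded
 * @param host_url  receives the host string (realLink or displayLink slot)
 * @param isReal    non-zero: work on realLink, zero: work on displayLink
 * @param phishy    in/out flag set; PHISHY_NUMERIC_IP may be OR-ed in
 * @return a non-zero code from get_host()/string_assign_dup() on failure,
 *         otherwise one of CL_PHISH_CLEANUP_OK, CL_PHISH_MAILTO_OK,
 *         CL_PHISH_TEXTURL, CL_PHISH_HEX_URL, CL_PHISH_CLEAN or
 *         CL_PHISH_NODECISION
 */
static int url_get_host(const struct phishcheck* pchk, struct url_check* url, struct url_check* host_url, int isReal, int* phishy)
{
    const char *start, *end;
    struct string* host = isReal ? &host_url->realLink : &host_url->displayLink;
    const char* URL = isReal ? url->realLink.data : url->displayLink.data;
    int rc;

    if ((rc = get_host(pchk, URL, isReal, phishy, &start, &end))) {
        return rc;
    }

    if (!start || !end) {
        string_assign_null(host);
    } else {
        if ((rc = string_assign_dup(host, start, end)))
            return rc;
    }

    /* host->data can be NULL here (it is tested just below); NULL passed to
     * a %s conversion is undefined behaviour, so log a placeholder. */
    cli_dbgmsg("Phishcheck:host:%s\n", host->data ? host->data : "(null)");

    if (!isReal) {
        /* NOTE(review): when get_host() leaves start or end NULL these
         * pointer differences are not meaningful offsets (and subtracting
         * unrelated pointers is undefined); confirm pre_fixup is never
         * consumed on that path. */
        url->pre_fixup.host_start = start - URL;
        url->pre_fixup.host_end = end - URL;
    }

    if (!host->data)
        return CL_PHISH_CLEANUP_OK;

    if (*phishy & REAL_IS_MAILTO)
        return CL_PHISH_MAILTO_OK;

    /* A host containing a space is reported as CL_PHISH_TEXTURL */
    if (strchr(host->data, ' ')) {
        string_free(host);
        return CL_PHISH_TEXTURL;
    }

    if (url->flags & CHECK_CLOAKING && !cli_regexec(&pchk->preg_hexurl, host->data, 0, NULL, 0)) {
        /* uses a regex here, so that we don't accidentally block 0xacab.net style hosts */
        string_free(host);
        return CL_PHISH_HEX_URL;
    }

    if (isReal && host->data[0] == '\0')
        return CL_PHISH_CLEAN; /* link without domain, such as: href="/isapi.dll?... */

    if (isNumeric(host->data)) {
        *phishy |= PHISHY_NUMERIC_IP;
    }
    return CL_PHISH_NODECISION;
}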
/**
 * Test str against the country-code TLD regex (preg_cctld).
 *
 * @param s    phishcheck state holding the compiled regex
 * @param str  candidate string; NULL is never a match
 * @return 1 when cli_regexec returns 0 (match), 0 for NULL input or any
 *         non-zero matcher result
 */
static int isCountryCode(const struct phishcheck* s, const char* str)
{
    if (str == NULL)
        return 0;

    return cli_regexec(&s->preg_cctld, str, 0, NULL, 0) == 0;
}
/**
 * Test URL against the numeric-URL regex (preg_numeric).
 *
 * @param pchk  phishcheck state holding the compiled regex
 * @param URL   candidate string; NULL is never a match
 * @return 1 when cli_regexec returns 0 (match), 0 for NULL input or any
 *         non-zero matcher result
 */
static int isNumericURL(const struct phishcheck* pchk, const char* URL)
{
    int matched = 0;

    if (URL != NULL)
        matched = (cli_regexec(&pchk->preg_numeric, URL, 0, NULL, 0) == 0);

    return matched;
}
/*
 * Decide whether URL is a "real" URL, i.e. whether it matches the
 * known-scheme regex preg_realurl (http, https, ftp).
 * Filtering on the scheme avoids false positives from links such as
 * outbind:// and blocked:: .
 *
 * Returns 1 when cli_regexec returns 0 (match); 0 for a NULL URL or any
 * non-zero matcher result.
 */
static int isRealURL(const struct phishcheck* pchk, const char* URL)
{
    if (URL == NULL)
        return 0;

    return cli_regexec(&pchk->preg_realurl, URL, 0, NULL, 0) == 0;
}