Example #1
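/*
 * Match the metadata of one file found inside a container against the
 * engine's metadata callback and its list of container-metadata (CDB)
 * entries.
 *
 * ctx       scan context; ctx->engine, ctx->container_type,
 *           ctx->container_size and ctx->cb_ctx are read here
 * fname     name of the inner file, may be NULL
 * fsizec    size of the file inside the container
 * fsizer    real size of the file
 * encrypted encryption flag of the inner file
 * filepos   position of the file in the container
 * res1      compared with cdb->res1 for ZIP and RAR entries only
 * res2      only logged
 *
 * Returns CL_VIRUS when the callback or at least one CDB entry matched,
 * CL_CLEAN otherwise.
 *
 * NOTE(review): fname and the size fields presumably come from the headers
 * of the file being scanned and are therefore untrusted - confirm with the
 * callers. In this function they are only compared, matched against a
 * regex, or passed as "%s" / integer arguments; they are never used as a
 * format string or as a buffer length.
 */
int cli_matchmeta(cli_ctx *ctx, const char *fname, size_t fsizec, size_t fsizer, int encrypted, unsigned int filepos, int res1, void *res2)
{
	const struct cli_cdb *cdb;
	unsigned int viruses_found = 0;
	/* fname may be NULL (the name test below allows for it) and passing
	 * NULL to "%s" is undefined behaviour, so log a placeholder instead. */
	const char *log_name = fname ? fname : "(null)";

	/* NOTE(review): the first size field logs fsizec, while the matching
	 * below compares cdb->csize with ctx->container_size - confirm which
	 * value the log line is meant to show. res1 is an int, hence %d. */
	cli_dbgmsg("CDBNAME:%s:%llu:%s:%llu:%llu:%d:%u:%d:%p\n",
		   cli_ftname(ctx->container_type), (long long unsigned)fsizec, log_name, (long long unsigned)fsizec, (long long unsigned)fsizer,
		   encrypted, filepos, res1, res2);

	/* Application-supplied callback gets the first say. It receives the
	 * original fname pointer, NULL included. */
	if (ctx->engine && ctx->engine->cb_meta) {
		if (ctx->engine->cb_meta(cli_ftname(ctx->container_type), fsizec, fname, fsizer, encrypted, filepos, ctx->cb_ctx) == CL_VIRUS) {
			cli_dbgmsg("inner file blacklisted by callback: %s\n", log_name);

			cli_append_virus(ctx, "Detected.By.Callback");
			viruses_found++;
			/* SCAN_ALL is defined outside this block; when it is
			 * false the first hit ends the check. */
			if (!SCAN_ALL)
				return CL_VIRUS;
		}
	}

	/* NOTE(review): a callback hit recorded under SCAN_ALL is lost here
	 * when the engine has no CDB list, because CL_CLEAN is returned even
	 * though viruses_found is non-zero - confirm this is intended. */
	if (!ctx->engine || !(cdb = ctx->engine->cdb))
		return CL_CLEAN;

	do {
		/* Container type must match unless the entry accepts any type. */
		if (cdb->ctype != CL_TYPE_ANY && cdb->ctype != ctx->container_type)
			continue;

		/* An entry value of 2 skips the encryption comparison. */
		if (cdb->encrypted != 2 && cdb->encrypted != encrypted)
			continue;

		if (cdb->res1 && (cdb->ctype == CL_TYPE_ZIP || cdb->ctype == CL_TYPE_RAR) && cdb->res1 != res1)
			continue;

/*
 * Skip the current entry unless val satisfies field[0..1]:
 *   field[0] == CLI_OFF_ANY   no constraint
 *   field[0] == field[1]      val must equal that value
 *   otherwise                 val must lie in [field[0], field[1]], where a
 *                             bound of 0 leaves that side open
 * This has to stay a bare `if`: wrapping it in do { } while (0) would make
 * `continue` act on the wrapper instead of the enclosing CDB loop.
 */
#define CDBRANGE(field, val)						    \
	if(field[0] != CLI_OFF_ANY) {					    \
	    if(field[0] == field[1] && field[0] != val)			    \
		continue;						    \
	    else if(field[0] != field[1] && ((field[0] && field[0] > val) ||\
	      (field[1] && field[1] < val)))				    \
		continue;						    \
	}

		CDBRANGE(cdb->csize, ctx->container_size);
		CDBRANGE(cdb->fsizec, fsizec);
		CDBRANGE(cdb->fsizer, fsizer);
		CDBRANGE(cdb->filepos, filepos);

		/* An entry with a compiled name regex never matches a nameless file. */
		if (cdb->name.re_magic && (!fname || cli_regexec(&cdb->name, fname, 0, NULL, 0) == REG_NOMATCH))
			continue;

		cli_append_virus(ctx, cdb->virname);
		viruses_found++;
		if (!SCAN_ALL)
			return CL_VIRUS;

	} while ((cdb = cdb->next)); /* `continue` above lands here and advances the list */

	if (SCAN_ALL && viruses_found)
		return CL_VIRUS;
	return CL_CLEAN;
}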
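/*
 * Test whether the first len bytes of str match the TLD regex held in
 * pchk->preg_tld.
 *
 * str need not be NUL-terminated at len; a terminated private copy is made
 * for the regex call and freed before returning.
 *
 * Returns 1 when cli_regexec() returns 0 for the copy, 0 when it does not,
 * when str is NULL or when len is negative, and CL_EMEM when the copy
 * cannot be allocated.
 */
static int isTLD(const struct phishcheck* pchk,const char* str,int len)
{
	char *s;
	int rc;

	/* A negative len would turn into a huge size_t in strncpy() and write
	 * far past the allocation, so it is rejected up front. */
	if (!str || len < 0)
		return 0;

	/* size_t arithmetic: len + 1 cannot overflow a signed int here */
	s = cli_malloc((size_t)len + 1);
	if(!s) {
		/* NOTE(review): CL_EMEM is returned from a predicate; a caller that
		 * only tests the result for truth would read an allocation failure
		 * as a match - confirm how callers handle it. */
		return CL_EMEM;
	}
	strncpy(s,str,(size_t)len);
	s[len]='\0'; /* strncpy does not terminate when str has len or more bytes */
	rc = !cli_regexec(&pchk->preg_tld,s,0,NULL,0);
	free(s);
	return rc ? 1 : 0;
}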
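/*
 * Extract the host part of one link of `url` and store it in `host_url`.
 *
 * isReal selects the link: non-zero works on realLink, zero on displayLink,
 * for both the input URL and the output string.
 * phishy is a set of bit flags: it is passed to get_host(), REAL_IS_MAILTO
 * is read from it and PHISHY_NUMERIC_IP may be set in it.
 *
 * Returns:
 *   the non-zero code from get_host() or string_assign_dup() on failure
 *   CL_PHISH_CLEANUP_OK   no host was found
 *   CL_PHISH_MAILTO_OK    REAL_IS_MAILTO is set in *phishy
 *   CL_PHISH_TEXTURL      the host contains a space (host is freed)
 *   CL_PHISH_HEX_URL      cloaking check is enabled and the host matches
 *                         pchk->preg_hexurl (host is freed)
 *   CL_PHISH_CLEAN        real link whose host is the empty string
 *   CL_PHISH_NODECISION   otherwise
 *
 * NOTE(review): the URL text presumably comes from scanned content and is
 * untrusted - confirm with the callers.
 */
static int url_get_host(const struct phishcheck* pchk, struct url_check* url,struct url_check* host_url,int isReal,int* phishy)
{
	const char *start, *end;
	struct string* host = isReal ? &host_url->realLink : &host_url->displayLink;
	const char* URL = isReal ? url->realLink.data : url->displayLink.data;
	int rc;
	if ((rc = get_host(pchk, URL, isReal, phishy, &start, &end))) {
		return rc;
	}
	if(!start || !end) {
		string_assign_null(host);
	}
	else {
		if(( rc = string_assign_dup(host,start,end) ))
			return rc;
	}
	/* host->data is tested for NULL further down, so it can be NULL at this
	 * point; passing NULL to "%s" is undefined behaviour. */
	cli_dbgmsg("Phishcheck:host:%s\n", host->data ? host->data : "(null)");
	if(!isReal) {
		/* Offsets of the host inside the display link.
		 * NOTE(review): when start or end is NULL these pointer
		 * subtractions are undefined and the stored offsets meaningless;
		 * the function then returns CL_PHISH_CLEANUP_OK just below -
		 * confirm that no caller reads pre_fixup in that case. */
		url->pre_fixup.host_start = start - URL;
		url->pre_fixup.host_end = end - URL;
	}
	if(!host->data)
		return CL_PHISH_CLEANUP_OK;
	if(*phishy&REAL_IS_MAILTO)
		return CL_PHISH_MAILTO_OK;
	if(strchr(host->data,' ')) {
		string_free(host);
		return CL_PHISH_TEXTURL;
	}
	if(url->flags&CHECK_CLOAKING && !cli_regexec(&pchk->preg_hexurl,host->data,0,NULL,0)) {
		/* uses a regex here, so that we don't accidentally block 0xacab.net style hosts */
		string_free(host);
		return CL_PHISH_HEX_URL;
	}
	if(isReal && host->data[0]=='\0')
		return CL_PHISH_CLEAN;/* link without domain, such as: href="/isapi.dll?... */
	if(isNumeric(host->data)) {
		/* only flagged here; the verdict is left to the caller */
		*phishy |= PHISHY_NUMERIC_IP;
	}
	return CL_PHISH_NODECISION;
}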
/*
 * Test str against the regex in s->preg_cctld.
 * Returns 1 when cli_regexec() returns 0 for str, otherwise 0; a NULL str
 * yields 0 without calling the regex.
 */
static int isCountryCode(const struct phishcheck* s,const char* str)
{
	if (str == NULL)
		return 0;

	return cli_regexec(&s->preg_cctld,str,0,NULL,0) == 0;
}
/*
 * Test URL against the regex in pchk->preg_numeric.
 * Returns 1 when cli_regexec() returns 0 for URL, otherwise 0; a NULL URL
 * yields 0 without calling the regex.
 */
static int isNumericURL(const struct phishcheck* pchk,const char* URL)
{
	int regex_rc;

	if (URL == NULL)
		return 0;

	regex_rc = cli_regexec(&pchk->preg_numeric,URL,0,NULL,0);
	return !regex_rc;
}
/*
 * Decide whether URL is a real URL, i.e. whether it has a known URL scheme
 * (http, https, ftp), by testing it against pchk->preg_realurl.
 * This avoids false positives on outbind:// and blocked:: links.
 *
 * Returns 1 when cli_regexec() returns 0 for URL, otherwise 0; a NULL URL
 * yields 0 without calling the regex.
 */
static int isRealURL(const struct phishcheck* pchk,const char* URL)
{
	int matched = 0;

	if (URL != NULL)
		matched = !cli_regexec(&pchk->preg_realurl,URL,0,NULL,0);

	return matched;
}