This patch modifies the 'virusaction' function in clamd/others.c, as well as all code that refers to this function (since the prototype changed).
Basically, it is an attempt to resurrect %f support for clam VirusEvents, in a more secure way -- the environment!
A new set of environment variables is placed in the environment just before the VirusEvent script is executed.
CLAM_VIRUSEVENT_FILENAME -- the filename of the infected file (yay! %f-like support without the insecurity!)
CLAM_VIRUSEVENT_VIRUSNAME -- the virus name (equivalent to %v support in command-line).
More variables can be added in the future using this mechanism...
I will also create a sample script to use this new feature, so that it can be added to the contrib/ directory.
-Calin
diff -ur clamav-devel/clamd/clamuko.c clamav-devel-modified/clamd/clamuko.c
--- clamav-devel/clamd/clamuko.c 2005-03-09 12:32:41.156896336 -0500
+++ clamav-devel-modified/clamd/clamuko.c 2005-03-09 12:17:53.000000000
-0500
@@ -173,7 +173,7 @@
if(scan && cl_scanfile(acc->filename, &virname, NULL, tharg->root,
tharg->limits, tharg->options) == CL_VIRUS) {
logg("Clamuko: %s: %s FOUND\n", acc->filename, virname);
- virusaction(virname, tharg->copt);
+ virusaction(acc->filename, virname, tharg->copt);
acc->deny = 1;
} else
acc->deny = 0;
diff -ur clamav-devel/clamd/others.c clamav-devel-modified/clamd/others.c
--- clamav-devel/clamd/others.c 2005-03-09 12:32:41.393860312 -0500
+++ clamav-devel-modified/clamd/others.c 2005-03-09 12:16:14.000000000
-0500
@@ -69,7 +69,11 @@
#include "cfgparser.h"
#include "session.h"
-void virusaction(const char *virname, const struct cfgstruct *copt)
+#define ENV_PREFIX "CLAM_VIRUSEVENT_"
+#define ENV_FILENAME (ENV_PREFIX "FILENAME")
+#define ENV_VIRUSNAME (ENV_PREFIX "VIRUSNAME")
+
+void virusaction(const char *filename, const char *virname, const struct
cfgstruct *copt)
{
char *buffer, *pt, *cmd;
struct cfgstruct *cpt;
@@ -90,10 +94,21 @@
cmd = strdup(buffer);
free(buffer);
}
+ /* NB: %f support is insecure due to exploits involving malformed
+ filenames, so please don't rewrite this code to support %f, however
+ env. var. support isn't insecure... so filenames go in the env. */
+ unsetenv(ENV_FILENAME); /*< in case setenv fails below.. */
+ unsetenv(ENV_VIRUSNAME);
+ setenv(ENV_FILENAME, filename, 1);
+ setenv(ENV_VIRUSNAME, virname, 1);
/* WARNING: this is uninterruptable ! */
system(cmd);
+ /* clear the env again, to be polite... */
+ unsetenv(ENV_FILENAME);
+ unsetenv(ENV_VIRUSNAME);
+
free(cmd);
}
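Review bot: The setenv()/system()/unsetenv() sequence added around `system(cmd)` changes the process-wide environment. This patch calls virusaction() from clamuko (which carries a thread argument, `tharg`) and from the file, directory, descriptor and stream scanners, so if two detections overlap, one VirusEvent script can see the other's filename or an already-unset variable. The setenv() return values are also ignored, so on failure the command still runs with the variable missing, which a script may treat as an empty path. I would serialise the block with a mutex and skip the command when either setenv() fails, as sketched below; this assumes pthread is already usable in others.c, and the function starts before this hunk. The added comment should also say that the value is only safe when the script expands it quoted, e.g. `"$CLAM_VIRUSEVENT_FILENAME"`, because an unquoted expansion or an `eval` brings back the word-splitting problem that %f had.

```c
static pthread_mutex_t virusaction_mutex = PTHREAD_MUTEX_INITIALIZER;

/* ... unchanged: virusaction() signature and construction of cmd ... */

    /* The environment is shared by every thread: hold the lock from
       setenv() until the variables are cleared again. */
    pthread_mutex_lock(&virusaction_mutex);
    if(setenv(ENV_FILENAME, filename, 1) == 0 &&
       setenv(ENV_VIRUSNAME, virname, 1) == 0) {
        /* WARNING: this is uninterruptable ! */
        system(cmd);
    } else {
        logg("VirusEvent: setenv() failed, command not executed\n");
    }
    unsetenv(ENV_FILENAME);
    unsetenv(ENV_VIRUSNAME);
    pthread_mutex_unlock(&virusaction_mutex);

    free(cmd);
```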
diff -ur clamav-devel/clamd/others.h clamav-devel-modified/clamd/others.h
--- clamav-devel/clamd/others.h 2005-03-09 12:32:41.397859704 -0500
+++ clamav-devel-modified/clamd/others.h 2005-03-09 12:16:53.000000000
-0500
@@ -28,7 +28,7 @@
int poll_fd(int fd, int timeout_sec);
int is_fd_connected(int fd);
-void virusaction(const char *virname, const struct cfgstruct *copt);
+void virusaction(const char *filename, const char *virname, const struct
cfgstruct *copt);
int writen(int fd, void *buff, unsigned int count);
#if defined(HAVE_RECVMSG) && (defined(HAVE_ACCRIGHTS_IN_MSGHDR) ||
defined(HAVE_CONTROL_IN_MSGHDR)) && !defined(C_CYGWIN) && !defined(C_OS2)
diff -ur clamav-devel/clamd/scanner.c clamav-devel-modified/clamd/scanner.c
--- clamav-devel/clamd/scanner.c 2005-03-09 12:32:41.433854232 -0500
+++ clamav-devel-modified/clamd/scanner.c 2005-03-09 12:27:45.000000000
-0500
@@ -159,7 +159,7 @@
mdprintf(odesc, "%s: %s FOUND\n", fname,
*virname);
logg("%s: %s FOUND\n", fname, *virname);
- virusaction(*virname, copt);
+ virusaction(fname, *virname, copt);
if(!contscan) {
closedir(dd);
free(fname);
@@ -237,7 +237,7 @@
if(ret == CL_VIRUS) {
mdprintf(odesc, "%s: %s FOUND\n", filename, virname);
logg("%s: %s FOUND\n", filename, virname);
- virusaction(virname, copt);
+ virusaction(filename, virname, copt);
} else if(ret != CL_CLEAN) {
mdprintf(odesc, "%s: %s ERROR\n", filename, cl_strerror(ret));
logg("%s: %s ERROR\n", filename, cl_strerror(ret));
@@ -266,6 +266,7 @@
int ret;
const char *virname;
struct stat statbuf;
+ char fdstr[32];
if(fstat(fd, &statbuf) == -1)
@@ -274,19 +275,21 @@
if(!S_ISREG(statbuf.st_mode))
return -1;
+ snprintf(fdstr, sizeof(fdstr), "fd[%d]", fd);
+
ret = cl_scandesc(fd, &virname, scanned, root, limits, options);
if(ret == CL_VIRUS) {
- mdprintf(odesc, "fd[%d]: %s FOUND\n", fd, virname);
- logg("fd[%d]: %s FOUND\n", fd, virname);
- virusaction(virname, copt);
+ mdprintf(odesc, "%s: %s FOUND\n", fdstr, virname);
+ logg("%s: %s FOUND\n", fdstr, virname);
+ virusaction(fdstr, virname, copt);
} else if(ret != CL_CLEAN) {
- mdprintf(odesc, "fd[%d]: %s ERROR\n", fd, cl_strerror(ret));
- logg("fd[%d]: %s ERROR\n", fd, cl_strerror(ret));
+ mdprintf(odesc, "%s: %s ERROR\n", fdstr, cl_strerror(ret));
+ logg("%s: %s ERROR\n", fdstr, cl_strerror(ret));
} else {
- mdprintf(odesc, "fd[%d]: OK\n", fd);
+ mdprintf(odesc, "%s: OK\n", fdstr);
if(logok)
- logg("fd[%d]: OK\n", fd);
+ logg("%s: OK\n", fdstr);
}
return ret;
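Review bot: The placeholder built by `snprintf(fdstr, sizeof(fdstr), "fd[%d]", fd)` is passed to virusaction() as the filename, and the last hunk does the same with the literal `"stream"`, so CLAM_VIRUSEVENT_FILENAME can hold a value that is not a path at all. A VirusEvent script that moves, quarantines or deletes whatever the variable names would then act on a relative name in clamd's working directory. At minimum the call sites and the documentation of the variable should state this, e.g. `/* "fd[N]" and "stream" are labels, not paths: scripts must check before touching the file */`. The enclosing function starts before this hunk, so whether a real path is available at this point cannot be seen from here.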
@@ -467,7 +470,7 @@
if(ret == CL_VIRUS) {
mdprintf(odesc, "stream: %s FOUND\n", virname);
logg("stream: %s FOUND\n", virname);
- virusaction(virname, copt);
+ virusaction("stream", virname, copt);
} else if(ret != CL_CLEAN) {
mdprintf(odesc, "stream: %s ERROR\n", cl_strerror(ret));
logg("stream: %s ERROR\n", cl_strerror(ret));
