contents:
1: an observation and caution regarding the cl_scanfile() return value
2: a question about JIT and SELinux
===
1: cl_scanfile()
The PHP function cl_scanfile() returns an int, where 0 means the file is
clean, and a nonzero value indicates an infection of some sort. The
actual ints are abstracted behind constants such as CL_VIRUS and
CL_CLEAN, and the documentation shows the following (edited) example
usage (note the == comparison):

    $retcode = cl_scanfile($file, $virusname);
    if ($retcode == CL_VIRUS)
    { // do "infected file" stuff
    }
    else
    { // do "clean file" stuff
    }

However, if cl_scanfile() is refused permission to run at all (such as
by a misconfigured SELinux), then the return value is a boolean (FALSE).
When compared to the int value CL_VIRUS using a "double equal" operator,
the boolean FALSE is converted to an int zero, and the file looks clean
rather than unscanned!

Always check for boolean FALSE, and consider when to use double and
triple equal comparisons with this in mind.

Better would be:

    $retcode = cl_scanfile($file, $virusname);
    if ($retcode === FALSE)
    { // do "file wasn't scanned" stuff
    }
    elseif ($retcode == CL_VIRUS)
    { // do "infected file" stuff
    }
    elseif ($retcode === CL_CLEAN)
    { // do "clean file" stuff
    }
    else
    { // you should never get here
      // do "program has a bug" stuff
    }

====
2: Question about JIT and SELinux
It appears to me that if I use JIT, and want to scan file uploads from
within PHP, then I also have to tell SELinux to allow httpd (Apache) to
use exec, something I'd just as soon not do. If I disable JIT and
disable Apache's access to exec in SELinux, I can still scan files
(presumably with a performance hit, which is why JIT is there in the
first place).

So my two questions are:
A: Considering I'm calling the virus scanner from within a PHP script
already, does JIT make that much of a performance difference?
B: And (how) can I set cl_scanfile() to use JIT without letting Apache
use exec?
Thanks.
Jose
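
An added example (not part of the original post, and not code from the ClamAV PHP extension) of the fail-closed handling described in section 1: it runs the documentation-style check and a strict check over the same constructed return values. The helper names are hypothetical, and the fallback values 0 and 1 for CL_CLEAN and CL_VIRUS are assumptions used only when the extension is not loaded.

```php
<?php
// Added example, not from the original post or the php-clamav documentation.
// Stand-in constants so the script runs without the ClamAV extension loaded;
// the values 0 and 1 are assumptions for this demo.
defined('CL_CLEAN') || define('CL_CLEAN', 0);
defined('CL_VIRUS') || define('CL_VIRUS', 1);

// The documentation-style pattern: anything that is not CL_VIRUS is "clean".
function naive_verdict($retcode): string
{
    return ($retcode == CL_VIRUS) ? 'infected' : 'clean';
}

// Fail-closed classification (hypothetical helper): only an integer that is
// exactly CL_CLEAN counts as clean; FALSE, NULL and other codes never do.
function strict_verdict($retcode): string
{
    if ($retcode === false || $retcode === null) {
        return 'unscanned';
    }
    if ($retcode === CL_VIRUS) {
        return 'infected';
    }
    if ($retcode === CL_CLEAN) {
        return 'clean';
    }
    return 'error';
}

// Upload gate: accept a file only on a positive "clean" verdict.
function accept_upload($retcode): bool
{
    return strict_verdict($retcode) === 'clean';
}

// Constructed return values: a clean scan, a detection, the FALSE described
// above, NULL, and an arbitrary nonzero code standing in for a scanner error.
$samples = ['clean' => CL_CLEAN, 'virus' => CL_VIRUS, 'refused' => false,
            'null' => null, 'other code' => 2];

foreach ($samples as $label => $retcode) {
    printf("%-10s naive=%-8s strict=%-9s accept=%s\n", $label,
        naive_verdict($retcode), strict_verdict($retcode),
        accept_upload($retcode) ? 'yes' : 'no');
}
```

The naive column reports "clean" for the refused, null and other-code rows, while the strict gate accepts only the first row.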