Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # $Id: ASSP_AFC.pm,v 4.46 2017/02/28 09:30:00 TE Exp $
- # Author: Thomas Eckardt Thomas.Eckardt@thockar.com
- # This is a ASSP-Plugin for full Attachment detection and ClamAV-scan.
- # Designed for ASSP v 2.4.5 build 15264 and above
- #
- # compressed attachment handling is sponsored by:
- # the International Bridge, Inc.
- # and the Devonshire Networking Group (Peter Hinman)
- package ASSP_AFC;
- use threads 1.69 ('yield');
- use threads::shared 1.18;
- our $VSTR;
- BEGIN {
- $VSTR = $];
- $VSTR =~ s/^(5\.)0(\d\d).+$/$1$2/o;
- }
- use 5.010;
- use feature ":$VSTR"; # <- turn on the available version features
- use strict qw(vars subs);
- use Encode;
- use vars qw($VERSION);
- no warnings qw(uninitialized);
- our $CanFileType;
- our $CanZIPCheck;
- our $CanRARCheck;
- our $Can7zCheck;
- our $CanLACheck;
- our $CanSMIME;
- our $CanNetSSLeay;
- our $ZIPLevel;
- our $formatsRe;
- our $z7zRe;
- our $LibArchRe;
- our $LibArchVer;
- BEGIN {
- $z7zRe = '7z|7zip|AR|ARJ|BZ2|BZIP2|CAB|CHM|CPIO|CramFS|';
- $z7zRe .= 'DMG|EAR|EXT|FAT|GPT|GZIP|GZ|HFS|IHEX|ISO|JAR|';
- $z7zRe .= 'LBR|LHA|LRZ|LZ|LZ4|LZH|LZMA|LZR|';
- $z7zRe .= 'MBR|MSI|NSIS|NTFS|';
- $z7zRe .= 'PAR|QCOW2|RAR|RPM|SquashFS|';
- $z7zRe .= 'TAR|TBZ|TBZ2|UDF|UEFI|';
- $z7zRe .= 'VDI|VHD|VMDK|WAR|WIM|XAR|Z|ZIP';
- $LibArchRe = '7z|7zip|AR|ARJ|BZ2|BZIP2|CPIO|';
- $LibArchRe .= 'EAR|EXT|GZIP|GZ|IHEX|ISO|JAR|';
- $LibArchRe .= 'LBR|LHA|LRZ|LZ|LZ4|LZH|LZMA|LZR|';
- $LibArchRe .= 'NSIS|';
- $LibArchRe .= 'PAR|PAX|QCOW2|RAR|RPM|SquashFS|';
- $LibArchRe .= 'TAR|TBZ|TBZ2|UDF|';
- $LibArchRe .= 'WAR|XAR|Z|ZIP';
- if ($CanSMIME = eval('use Crypt::SMIME();Crypt::SMIME->VERSION;')) {
- $CanNetSSLeay = eval('use Net::SSLeay();1;');
- }
- if ($CanFileType = eval('use File::Type(); use MIME::Types(); 1;')) {
- $CanZIPCheck = eval('use Archive::Zip(); use Archive::Extract(); $Archive::Extract::WARN = 0; 1;');
- $formatsRe = 'TGZ|TAR|GZ|ZIP|BZ2|TBZ|Z|LZMA|XZ|TXZ' if $CanZIPCheck;
- if (eval('use Archive::Rar::Passthrough(); 1;')) {
- $CanRARCheck = eval('my $r = Archive::Rar::Passthrough->new( rar => \'rar\' );
- $r->get_binary;
- ')
- || eval('use Archive::Rar::Passthrough();
- my $r = Archive::Rar::Passthrough->new( rar => \'unrar\' );
- $r->get_binary;
- ');
- # print "rar - $CanRARCheck\n";
- $formatsRe .= '|RAR' if $CanRARCheck;
- # Archive::Rar::Passthrough may give back a RAR command incase 7z is not found - ignore this
- $Can7zCheck = eval('my $r = Archive::Rar::Passthrough->new( rar => \'7z\' );
- $r->get_binary;
- ');
- # print "7z - $Can7zCheck\n";
- $Can7zCheck = undef if $Can7zCheck !~ /p7zip|(?:7z(?:a|ip)?)(?:\.(?:exe|bat|cmd))?$/io;
- $Can7zCheck ||= eval('my $r = Archive::Rar::Passthrough->new( rar => \'7za\' );
- $r->get_binary;
- ');
- # print "7za - $Can7zCheck\n";
- $Can7zCheck = undef if $Can7zCheck !~ /p7zip|(?:7z(?:a|ip)?)(?:\.(?:exe|bat|cmd))?$/io;
- $Can7zCheck ||= eval('my $r = Archive::Rar::Passthrough->new( rar => \'7zip\' );
- $r->get_binary;
- ');
- # print "7zip - $Can7zCheck\n";
- $Can7zCheck = undef if $Can7zCheck !~ /p7zip|(?:7z(?:a|ip)?)(?:\.(?:exe|bat|cmd))?$/io;
- $Can7zCheck ||= eval('my $r = Archive::Rar::Passthrough->new( rar => \'p7zip\' );
- $r->get_binary;
- ');
- # print "p7zip - $Can7zCheck\n";
- $Can7zCheck = undef if $Can7zCheck !~ /p7zip|(?:7z(?:a|ip)?)(?:\.(?:exe|bat|cmd))?$/io;
- $formatsRe = $z7zRe if $Can7zCheck;
- }
- if (eval('use Archive::Libarchive::XS qw( :all ); $LibArchVer = ARCHIVE_VERSION_NUMBER; 1;')) { # Libarchive
- $LibArchVer =~ s/(\d+)(\d{3})(\d{3})$/$1.$2.$3/o;
- $LibArchVer =~ s/\.0{1,2}/./go;
- $CanLACheck = 1;
- $formatsRe = $LibArchRe;
- } else { # set dummy constants in case Archive::Libarchive::XS is not available
- for (qw (
- ARCHIVE_EOF
- ARCHIVE_OK
- ARCHIVE_WARN
- ARCHIVE_FAILED
- ARCHIVE_FATAL
- ARCHIVE_EXTRACT_TIME
- ARCHIVE_EXTRACT_PERM
- ARCHIVE_EXTRACT_ACL
- ARCHIVE_EXTRACT_FFLAGS
- ARCHIVE_EXTRACT_NO_OVERWRITE
- ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
- ARCHIVE_EXTRACT_SECURE_NODOTDOT
- ARCHIVE_EXTRACT_SECURE_SYMLINKS
- )
- )
- {
- eval("use constant $_ => 0;");
- print "$@\n" if $@;
- }
- }
- }
- }
- our $old_CheckAttachments;
- our @attre;
- our @attZipre;
- our $userbased;
- our %SMIMEcfg;
- our %SMIMEcert;
- our %SMIMEkey;
- our %SMIMEuser:shared;
- our %skipSMIME;
- $VERSION = $1 if('$Id: ASSP_AFC.pm,v 4.46 2017/02/28 09:30:00 TE Exp $' =~ /,v ([\d.]+) /);
- our $MINBUILD = '(15264)';
- our $MINASSPVER = '2.4.5'.$MINBUILD;
- our $plScan = 0;
- $main::ModuleList{'Plugins::ASSP_AFC'} = $VERSION.'/'.$VERSION;
- $main::ModuleList{'Crypt::SMIME'} = $CanSMIME.'/0.13';
- $main::ModuleStat{'Crypt::SMIME'} = $CanSMIME ? 'enabled' : 'is not installed';
- $main::PluginFiles{__PACKAGE__ .'SMIME'} = 1;
- $main::licmap->{'100'} = 'SMIME signing';
- $main::reglic->{'100'} = {};
- sub new {
- ###################################################################
- # this lines should not (or only very carful) be changed #
- # they are for initializing the varables #
- ###################################################################
- my $class = shift;
- $class = ref $class || $class;
- my $ASSPver = "$main::version$main::modversion";
- $ASSPver =~ s/RC\s*//o;
- if ($MINASSPVER gt $ASSPver or $MINBUILD gt $main::modversion) {
- mlog(0,"error: minimum ASSP-version $MINASSPVER is needed for version $VERSION of ASSP_AFC");
- return undef;
- }
- bless my $self = {}, $class;
- $self->{myName} = __PACKAGE__;
- my $mainVarName = 'main::Do'.$self->{myName};
- eval{$self->{DoMe} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'Priority';
- eval{$self->{priority} = $$mainVarName};
- $self->{input} = 2; # 0 , 1 , 2 # call/run level
- $self->{output} = 0; # 0 , 1 # 0 = returns boolean 1 = returns boolean an data
- my @runlevel = ('\'SMTP-handshake\'','\'mail header\'','\'complete mail\'');
- $self->{runlevel} = @runlevel[$self->{input}];
- ###### END #####
- # from here initialize your own variables
- $mainVarName = 'main::'.$self->{myName}.'Select';
- eval{$self->{select} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'ReplBadAttach';
- eval{$self->{ra} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'ReplBadAttachText';
- eval{$self->{ratext} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'ReplViriParts';
- eval{$self->{rv} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'ReplViriPartsText';
- eval{$self->{rvtext} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'MSGSIZEscore';
- eval{$self->{score} = $$mainVarName};
- $self->{score} =~ s/\s//go;
- $mainVarName = 'main::'.$self->{myName}.'DetectSpamAttachReRE';
- eval{$self->{DetectSpamAttach} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'blockEncryptedZIP';
- eval{$self->{blockEncryptedZIP} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'MaxZIPLevel';
- eval{$ZIPLevel = $self->{MaxZIPLevel} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'WebScript';
- eval{$self->{script} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'outsize';
- eval{$self->{outsize} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'insize';
- eval{$self->{insize} = $$mainVarName};
- $mainVarName = 'main::'.$self->{myName}.'SMIME';
- eval{$self->{SMIME} = $$mainVarName};
- $self->{outsize} =~ s/^\s+//o;
- $self->{outsize} =~ s/\s+$//o;
- $self->{outsize} *= 1024;
- $self->{insize} =~ s/^\s+//o;
- $self->{insize} =~ s/\s+$//o;
- $self->{insize} *= 1024;
- $self->{script} =~ s/^\s+//o;
- $self->{script} =~ s/\s+$//o;
- $userbased = 0;
- return $self; # do not change this line!
- }
- sub get_config {
- my $self = shift;
- my $f;
- $main::licmap->{'100'} = 'SMIME signing';
- $main::reglic->{'100'} = {};
- $f = $1 if $main::Config{UserAttach} =~ /^\s*file:\s*(.+)\s*$/o;
- my $formats = $formatsRe || 'no compression format available';
- $formats =~ s/\|/, /go;
- my $exe = $CanRARCheck;
- $exe .= ' , ' if $CanRARCheck && $Can7zCheck;
- $exe .= $Can7zCheck;
- $exe .= ' , ' if $exe;
- $exe .= "libarchive $LibArchVer" if $CanLACheck;
- $exe ||= 'no executable found';
- my @Config=(
- # except for the heading lines, all config lines have the following:
- # $name,$nicename,$size,$func,$default,$valid,$onchange,$description(,CssAdition)
- # name is the variable name that holds the data - from here accessable as $main::varable
- # nicename is a human readable pretty display name (oh how nice!)
- # size is the appropriate input box size
- # func is a function called to render the config item - always use main:: in front
- # default is the default value
- # valid is a regular expression used to clean and validate the input -- no match is an error and $1 is the desired result
- # onchange is a function to be called when this value is changed -- usually undef; just updating the value is enough
- # group is the heading group belonged to.
- # description is text displayed to help the user figure what to put in the entry
- # CssAddition (optional) adds the string to the CSS-name for nicename Style
- # The following ConfigParms are tested by ASSP and it will not load the Plugin
- # if any of them is not valid
- [0,0,0,'heading',$self->{myName}.'-Plugin'],
- ['Do'.$self->{myName},'Do the '.$self->{myName}.' Plugin','0:disabled|1:enabled',\&main::listbox,0,'(\d*)',\&configChangeDoMe,
- 'This plugin is an addon to the default attachment- and ClamAV- engine of ASSP. The default engines only scannes the first MaxBytes/ClamAVBytes of an email. If you enable this plugin, the complete mail will be scanned for bad attachments and/or viruses!<br />
- The default engine(s) will be disabled by this enhanced version. Before you enable this plugin, please go to the configuration section(s) and configure the values for attachments and/or ClamAV! This plugin requires an installed <a href="http://search.cpan.org/search?query=Email::MIME" rel="external">Email::MIME</a> module in PERL.<br />
- This plugin is designed for- and running in call/run level '.$self->{runlevel}.'!',undef,undef,'msg100000','msg100001'],
- [$self->{myName}.'Select','Select the '.$self->{myName}.' Plugin Action','1:do attachments|2:do ClamAV and FileScan|3:do both',\&main::listbox,3,'(\d*)',\&configChangeSelect,
- 'If you enable one or both options of this plugin, the complete mail will be scanned for bad attachments and/or viruses!',undef,undef,'msg100010','msg100011'],
- [$self->{myName}.'Priority','the priority of the Plugin',5,\&main::textinput,'6','(\d+)',undef,
- 'Sets the priority of this Plugin within the call/run-level '.$self->{runlevel}.'. The Plugin with the lowest priority value is processed first!',undef,undef,'msg100020','msg100021'],
- [$self->{myName}.'blockEncryptedZIP','Block Encrypted Compressed Attachments',0,\&main::checkbox,0,'(.*)',undef,
- 'If set, encrypted or password protected compressed attachments will be blocked or replaced according to ASSP_AFCSelect and ASSP_AFCReplBadAttach . This setting is a general switch - an override can be done using UserAttach !<br />
- <hr />
- <br />
- <div class="shadow">
- <div class="optionTitle">
- Analyzing Compressed Attachments
- </div></div>
- Independend from the setting of '.$self->{myName}.'blockEncryptedZIP this plugin provides several mechanism to analyze compressed attachments.<br />
- To enable the compressed attachment processing, UserAttach has to be configured!<br >
- To analyze compressed attachments, configure \'UserAttach\'. This plugin enhances the definiton options for UserAttach. In addition to the existing options, the following syntax could be used:<br />
- For example:<br />
- zip:user@domain.tld => good => ai|asc|bhx|dat|doc|eps|zip<br />
- zip:*@domain.tld => good => ai|asc|bhx , good-out => eps|gif , good-in => htm|html , block => pdf|ppt , block-out => rar|rpt , block-in => xls|exe\-bin|:MSOM|crypt\-zip|encrypt<br /><br />
- Those definitions (notice the leading zip:) are only used inside compressed files.<br />
- The extension \'crypt-zip\' could be used to allow or deni encrypted compressed attachments for users at any compression level.<br />
- The extension \'encrypt\' could be used to allow or deni encrypted (eg. aes) for users.<br /><br />
- If \'exe-bin\' is defined, the Plugin will detect executable files based on there binary content. Detected will be all executables, libraries and scripts for DOS and Windows (except .com files), MS office macros(VBA), MAC-OS and linux ELF (for all processor architectures).<br />
- If you want to skip the detection for a specific executable type, specify exe-bin (which detects all executables) and then add exceptions to exclude specific types:Example: \'exe-bin|:MSOM|:WSH\' - notice the single leading collon for the exceptions! This example will block all detected executable files except for MS Office Macro files (:MSOM) and Windows Shell Scripts (:WSH)<br /><br />
- :WIN - windows executables<br />
- :MOS - Mach-O executables<br />
- :PEF - Classic MacOS executables<br />
- :ELF - ELF (linux) executables<br />
- :WSH - windows shell scripts<br />
- :MMC - windows MMC Console Files<br />
- :ARC - static library (linux,unix)<br />
- :CSC - common scripts (basic,java,perl,php,powershell....)<br />
- :MSOM - microsoft office macros<br /><br />
- The following compression formats are supported by the common perl module Archive::Extract: tar.gz,tgz,gz,tar,zip,jar,ear,war,par,tbz,tbz2,tar.bz,tar.bz2,bz2,Z,lzma,txz,tar.xz,xz.<br />
- The detection of compressed files is done content based not filename extension based. The perl modules File::Type and MIME::Types are required in every case!<br />
- Depending on your Perl distribution, it could be possible that you must install additionally \'IO::Compress::...\' (for example: IO::Compress:Lzma) modules to support the compression methodes with Archive::Extract.<br />
- If the perl module Archive::Rar and a rar or unrar binary for your OS are installed (in PATH), the RAR format is also supported.<br />
- If the perl module Archive::Rar and a 7z/7za/7zip or p7zip executable is available at the system (in PATH), the following formats are supported: 7z, XZ, BZIP2, BZ2, GZIP, GZ, TAR.GZ, TAR, ZIP, WIM, AR, ARJ, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT, GPT, HFS, IHEX, ISO, LHA, LZH, LZMA, MBR, MSI, NSIS, NTFS, QCOW2, RAR, RPM, SquashFS, UDF, UEFI, VDI, VHD, VMDK, WIM, XAR, Z.<br />
- If the perl module Archive::Libarchive::XS is available , the following formats are supported: 7z, XZ, BZIP2, BZ2, GZIP, GZ, TAR.GZ, TAR, ZIP, WIM, AR, ARJ, CPIO, EXT, IHEX, ISO, LHA, LZH, LZMA, NSIS, QCOW2, RAR, RPM, SquashFS, UDF, XAR, Z.<br /><br />
- For performance reasons it is strongly recommended to install the module Archive::Libarchive::XS!<br />
- Currently supported compression formats are: '.$formats.'<br />
- Detected decompression executables are: '.$exe.'<br />
- If multiple options are available to decompress a file, ASSP_AFC will use the following order: first Archive::Libarchive::XS, than Archive::Extract, than Archive::Rar + rar/unrar and last Archive::Rar + 7z. <br />
- Notice: you need to restart assp after installing any perl module and/or exexutable, to get them activated!<br />'.
- ($f ? '<input type="button" value="User-Attach-File" onclick="javascript:popFileEditor(\''.$f.'\',1);" />' : '' ),undef,undef,'msg100120','msg100121'],
- [$self->{myName}.'MaxZIPLevel','Maximum Decompression Level',10,\&main::textinput,10,'([1-9]\d*)',undef,
- 'The maximum decompression cycles use on a compressed attachment (eg: zip in zip in zip ...). Default value is 10 - zero is not allowed to be used!',undef,undef,'msg100130','msg100131'],
- [$self->{myName}.'ReplBadAttach','Replace Bad Attachments',0,\&main::checkbox,0,'(.*)',undef,
- 'If set and AttachmentBlocking is set to block, the mail will not be blocked but the bad attachment will be replaced with a text!',undef,undef,'msg100030','msg100031'],
- [$self->{myName}.'ReplBadAttachText','Replace Bad Attachments Text',100,\&main::textinput,'The attached file (FILENAME) was removed from this email by ASSP for policy reasons! The file was detected as REASON .','(.*)',undef,
- 'The text which replaces the bad attachment. The litteral FILENAME will be replaced with the name of the bad attachment! The litteral REASON will be replaced with the reason, because the attachment was rejected!',undef,undef,'msg100040','msg100041'],
- [$self->{myName}.'ReplViriParts','Replace Virus Parts',0,\&main::checkbox,0,'(.*)',undef,
- 'If set and virus scanning (UseClamAV) is enabled, the mail will not be blocked but the bad attachment or mail part will be replaced with a text!',undef,undef,'msg100050','msg100051'],
- [$self->{myName}.'ReplViriPartsText','Replace Virus Parts Text',100,\&main::textinput,'There was a virus (VIRUS) removed from this email (attachment FILENAME) by ASSP!','(.*)',undef,
- 'The text which replaces the bad mailparts that contains a virus. The litteral FILENAME will be replaced with the name of a bad attachment! The litteral VIRUS will be replaced with the name of the virus!',undef,undef,'msg100060','msg100061'],
- [$self->{myName}.'MSGSIZEscore','Increase MSG-Score on MSG Size',100,\&main::textinput,'','(\s*\d+\s*\=\>\s*\d+\s*(?:,\s*\d+\s*\=\>\s*\d+\s*)*|)',undef,
- 'You can increase the message score of a mail because of its size (in byte). Define the size and scores in a comma separated list using the syntax \'size=>score[,othersize=>otherscore]\'. The list will be processed in reversed numerical order of the size value. If the size of a mail is equal or higher as the defined size, the associated message score will be added. An possible definition could be:<br /><br />
- 500000=>10,1000000=>5,1500000=>0<br /><br />
- which meens:
- if the message size is >= 1500000 byte no score will be added<br />
- if the message size is >= 1000000 byte and < 1500000 byte a score of 5 will be added<br />
- if the message size is >= 500000 byte and < 1000000 byte a score of 10 will be added<br />
- if the message size is < 500000 byte no score will be added.<br /><br />
- This feature will not process incomming mails, whitelisted mails and mail that are noprocessing - except mails, that are noprocessing only because of there message size (npSize).',undef,undef,'msg100070','msg100071'],
- [$self->{myName}.'DetectSpamAttachRe','Detect Spam Attachments*',40,\&main::textinput,'image\/','(.*)','ConfigCompileRe',
- 'An regular expression used on the "Content-Type" header tag to detect MIME parts that should be checked to be known spam or not. The rebuildspamdb task will build spamdb entries for these attachements and inlines (in assp build 12022 and higher). The plugin will block an email, if a bad attachment is found and was not removed/replaced by any other rule in this plugin. Leave this blank to disable the feature.<br />
- for example:<br /><br />
- image\/<br />
- application\/pd[ft]<br />
- application\/zip
- ',undef,undef,'msg100080','msg100081'],
- [$self->{myName}.'WebScript','Script to move large attachments to a web server',140,\&main::textinput,'','(.*)',undef,
- 'If the size of an undecoded attachment exceeds the '.$self->{myName}.'insize or '.$self->{myName}.'outsize parameter, assp will call this script and will replace the attachment with the text returned by this script or executable.<br />
- If no text is returned by the script (a warning is written to the maillog.txt) or the returned text begins with the word "error", the attachment will not be replaced.<br />
- The script has to write the resulting text or error to STDOUT.<br />
- The resulting text could be any of plain text or html code. The MIME-enconding and the Content-Type value of the resulting MIME-part will be set accordingly.<br />
- The text should contain the link to download the attachment, possibly some explanation (eg. download life time), web login information or a web-session-identifier - what ever is needed to fit the requirements of your web server.<br />
- You have to define the full path to the script and all parameters that should be pass to the script. The literal FILENAME will be replaced with the attachment filename (including the full path) that was stored in the /transfer folder. Any literal starting with an \'$\', will be replaced by the according connection hash value or the global variable with the name.<br /><br />
- for example:<br />
- $relayok will be replaced by $Con->{relayok} - which identifies if it is an incoming (1) or outgoing/local (0) mail<br /><br />
- So a possible definition of this parameter could be: <br />
- \'/usr/bin/move_attachment_to_web.sh $relayok FILENAME\' <br />
- or <br />
- \'c:/assp/move_attachment_to_web.cmd $relayok FILENAME\'<br /><br />
- The file has to be removed by the script. If not, assp will warn about this and will remove the file in the /transfer folder.<br />
- To keep the filenames unique, the assp message identifier is placed in front of the filename - like: M1-30438-02027_attachmentfilename. Notice: if the filename contains unicode characters, assp will pass this characters in UTF-8 to your script!<br />
- Keep in mind, that if this script terminates it\'s own process - ASSP will die!
- ',undef,undef,'msg100090','msg100091'],
- [$self->{myName}.'insize','Attachment size incoming',40,\&main::textinput,'1024','(\d*)',undef,
- 'The size in KB of an attachment in incoming mails that must be reached, to call the '.$self->{myName}.'WebScript. This parameter is ignored if left blank or set to zero.',undef,undef,'msg100100','msg100101'],
- [$self->{myName}.'outsize','Attachment size outgoing/local',40,\&main::textinput,'1024','(\d*)',undef,
- 'The size in KB of an attachment in outgoing or local mails that must be reached, to call the '.$self->{myName}.'WebScript. This parameter is ignored if left blank or set to zero.',undef,undef,'msg100110','msg100111'],
- [$self->{myName}.'SMIME','SMIME sign outgoing mails*',80,\&main::textinput,'file:files/smime_cfg.txt','(file:.+|)',\&configChangeSMIME,
- '<b>An "SMIME feature license" assigned to this host is required to use this feature!</b><br />
- Licenses are granted user based (10,50,100,250,500,1000) for a periode of two years.<br />
- An licensed user is an email address, that uses this feature at least one time, within the licensed periode.<br />
- For pricing information, please contact <a href="mailto:Thomas.Eckardt@thockar.com">Thomas Eckardt via email</a> or visit <a href="http://www.thockar.com" target="_blank">www.thockar.com</a> .<br /><br />
- <b>Feature description:</b><br />
- This feature requires an installed Perl module <a href="http://search.cpan.org/search?query=Crypt::SMIME" rel="external">Crypt::SMIME</a> .<br />
- If configured, outgoing mails will be digitaly signed according to the SMIME specifications provided by the installed OpenSSL and Crypt::SMIME version - this is S/MIME Version 3.1 (specification is in RFC 3851) , newer version may support S/MIME Version 3.2 (specification is in RFC 5751).<br />
- It is possible to configure privat and/or corporate signatures. In any case, the "file:" option must be used - specify one configuration per line.<br />
- The domain or user is separated by "=>" from the signing configuration/policy. It is possible to use group definitions of domains and users using the [ Groups ] option. Define one line per domain or user or group.<br />
- Configuration entries are separated by comma.<br />
- Configuration entry pairs (tag and value) are separated by "=".<br />
- File definitions for the certificate and privat key have to include the full path to the file! Certificate and privat key have to be provided in PEM format<br />
- If you exchange any certificate or key file, click "Edit file" and save the file again to force a reload of the internal certificate store.<br />
- The domain / user part accepts full email addresses , domains and groups - wildcards are supported and must be used for domain definitions.<br />
- The domain / user part is compaired to the envelope sender - the first matching entry (in reverse generic order) will be used. Entries starting with a minus sign, explicit exclude the domain/user/group from SMIME processing.<br /><br />
- certfile - is required and specifys the full path to the certificate to use. The subject of the certificate has to include a valid email address. In normal case, this email address is specified by the cert-subject-tag "emailAddress". The "FROM:" address in the mail header will be replaced by this email address and a "Reply-To:" line with the original sender is added (or replaced) to the mail header.<br />
- If the subject of the certificate specifys the email address in another tag, define this tag (NOT the email address) after "emailaddress=".<br /><br />
- keyfile - is required and specifys the full path to the file that contains the privat key<br /><br />
- keypass - the tag is required, the value is optional - defines the password required (or not) for the privat key<br /><br />
- emailaddress - is optional - please read "certfile"<br />
- rcpt - is optional - include/[-]exclude mails to specified users and/or domains (recipients) - to exclude addresses, write a minus in front - separate multiple entries by space<br /><br >
- examples:<br /><br />
- - (1) user@your.domain => certfile=/certs/user_cert.pem, keyfile=/certs/user_key.pem, keypass=, rcpt=-otheruser@other.domain<br />
- - (2) *your.domain => certfile=/certs/corporate_cert.pem, keyfile=/certs/corporate_key.pem, keypass=mypassword<br />
- - (3) *@your.domain => certfile=/certs/corporate_cert.pem, keyfile=/certs/corporate_key.pem, keypass= , emailaddress=Email<br />
- - (4) -user4@your.domain<br />
- - (5) -*@*.your.domain<br />
- - (6) -[no_smime]<br /><br />
- The first example specifys a privat signing policy which exclude the recipient otheruser@other.domain, the second and third example specifys a corporate signing policy (with and without subdomains). The fourth example excludes the user "user4@your.domain" from SMIME processing. The fives example excludes all subdomains of "your.domain" from SMIME processing. The last example excludes all domains, subdomains and users defined in the group "[no_smime]" from SMIME processing.<br /><br />
- corporate SMIME signing:<br /><br />
- Assume we define the following configuration line:<br >
- *@your.domain.com => certfile=/certs/corporate_cert.pem, keyfile=/certs/corporate_key.pem, keypass=<br />
- Now let\'s say, the subject of the specified certificate (corporate_cert.pem) contains .../emailAddress=central.office@your.domain.com/...<br />
- Your local user "mark.schmitz@your.domain.com" sends a mail to an external recipient. The related mail header is:<br /><br />
- From: "Mark Schmitz" <mark.schmitz@your.domain.com><br />
- Disposition-Notification-To: <mark.schmitz@your.domain.com><br /><br />
- After SMIME signing the mail, the related mail headers are the following:<br /><br />
- From: "Mark Schmitz" <central.office@your.domain.com><br />
- Disposition-Notification-To: <mark.schmitz@your.domain.com><br />
- Reply-To: <mark.schmitz@your.domain.com><br />
- References: assp-corp-smime-mark.schmitz@your.domain.com<br /><br />
- The mail client of the recipient will validate the signature against the "From" address - which corresponds to the email address specified in the subject of the certificate -> VALID<br />
- Pressing the "REPLY/ANSWER" button, the mail client will provide "mark.schmitz@your.domain.com" as recipient address (To:) for the answer, using the entry in the "Reply-To:" header.<br />
- Notice, that some bad and/or older mail clients are ignoring the "Reply-To:" header tag - in such case an answered mail will go to "central.office@your.domain.com".<br />
- ASSP will help you a bit to prevent this. In addition to the required mail header changes, assp will add or enhance the "References:" mail header tag with a value of "assp-corp-smime-EMAILADDRESS" , where EMAILADDRESS is the original sender address.<br />
- If assp receives an answered mail, it will look for such an entry in the mail header and will add the found email address to the "To" header, if it is not already found there.
- ',undef,undef,'msg100140','msg100141']
- #######
- );
- $main::preMakeRE{'ASSP_AFCDetectSpamAttachReRE'} = 1;
- return @Config;
- }
- sub configChangeDoMe {
- my ($name, $old, $new, $init)=@_;
- mlog(0,"AdminUpdate: $name updated from '$old' to '$new'") unless $init || $new eq $old;
- $main::attachLogNoPL = 1;
- if ($new == 1) {
- $main::attachLogNoPL = 0 if ($main::ASSP_AFCSelect != 2);
- }
- $main::Config{$name} = $new;
- ${"main::$name"} = $new;
- return '';
- }
- sub configChangeSelect {
- my ($name, $old, $new, $init)=@_;
- mlog(0,"AdminUpdate: $name updated from '$old' to '$new'") unless $init || $new eq $old;
- $main::attachLogNoPL = 1;
- if ($new != 2) {
- $main::attachLogNoPL = 0 if $main::DoASSP_AFC;
- }
- $main::Config{$name} = $new;
- ${"main::$name"} = $new;
- return '';
- }
- sub configChangeSMIME {
- my ($name, $old, $new, $init)=@_;
- mlog(0,"AdminUpdate: $name updated from '$old' to '$new'") unless $init || $new eq $old;
- return if ($new =~ /^(?:[a-fA-F0-9]{2}){5,}$/o);
- $main::Config{$name} = $new;
- ${"main::$name"} = $new;
- my @new = &main::checkOptionList($new,$name,$init);
- %SMIMEcfg = ();
- %SMIMEcert = ();
- %SMIMEkey = ();
- %skipSMIME = ();
- my $ret;
- if ($new[0] =~ s/^\x00\xff //o) {
- ${$name} = $main::Config{$name} = $old;
- return &main::ConfigShowError(1,$new[0]);
- }
- if (! $CanSMIME) {
- $ret .= &main::ConfigShowError(1,"$name: missing Perl module Crypt::SMIME - SMIME processing is not available") if $main::WorkerNumber == 0;
- return $ret;
- }
- if (! $CanNetSSLeay) {
- $ret .= &main::ConfigShowError(1,"$name: missing Perl module Net::SSLeay - SMIME processing is not available") if $main::WorkerNumber == 0;
- return $ret;
- }
- s/^\s+//o for @new;
- @new = reverse sort @new;
- while ( @new ) {
- my $entry = shift @new;
- next if ($entry =~ /^\s*$/o);
- if ( $entry =~ s/^(-)?\s*\[\s*([A-Za-z0-9.\-_]+)\s*\]s*/\[$2\]/o) {
- my $minus = $1;
- $ret .= &main::ConfigRegisterGroupWatch(\$entry,$name,'SMIME');
- my @ne = split(/\|/o,$entry);
- @ne = map {my $t = $minus . $_ ; $t} @ne if $minus;
- push @new , @ne;
- @new = reverse sort @new;
- next;
- }
- my ($domain,$values) = split(/\s*=>\s*/io,$entry);
- $entry =~ s/keypass\s*=\s*\S*//go;
- my $skip = $domain =~ s/^-\s*//o;
- if (! $domain || (! $skip && ! $values) || (! $init && $domain !~ /(?:\*|(?:\*|\w\w+)\.$main::TLDSRE)$/o)) {
- $ret .= &main::ConfigShowError(1,"$name: invalid entry '$entry' is ignored - check the syntax") if $main::WorkerNumber == 0;
- next;
- }
- my $dd = $domain = lc $domain;
- if ($skip) {
- $skipSMIME{$domain} = 1;
- mlog(0,"info: skip domain/user '$dd' from SMIME processing") if $main::WorkerNumber == 0;
- next;
- }
- my $how = $dd =~ /^($main::EmailAdrRe\@$main::EmailDomainRe)$/o ? 'privat' : 'corporate';
- $domain =~ s/\@/\\@/og;
- my $i = -1;
- my %e = map {my $t = $_; ++$i % 2 ? $t : lc $t;} split(/\s*[,=]\s*/o,$values);
- if (! exists $e{'certfile'}) {
- $ret .= &main::ConfigShowError(1,"$name: missing 'certfile' in '$entry' - entry is ignored") if $main::WorkerNumber == 0;
- next;
- }
- if (! $main::eF->($e{'certfile'})) {
- $ret .= &main::ConfigShowError(1,"$name: can't find 'certfile' ".$e{'certfile'}." in '$entry' - entry is ignored") if $main::WorkerNumber == 0;
- next;
- }
- if (! exists $e{'keyfile'} && exists $e{'keypass'}) {
- $ret .= &main::ConfigShowError(1,"$name: missing 'keyfile' in '$entry' - entry is ignored") if $main::WorkerNumber == 0;
- next;
- }
- if (exists $e{'keyfile'} && ! $main::eF->($e{'keyfile'})) {
- $ret .= &main::ConfigShowError(1,"$name: can't find 'keyfile' ".$e{'keyfile'}." in '$entry' - entry is ignored") if $main::WorkerNumber == 0;
- next;
- }
- my ($fullout, $out, $nbn, $nbt, $nan, $nat, @keyusage);
- # get the subject of the cert and do some additionaly checks
- eval {
- my $bio = Net::SSLeay::BIO_new_file($e{'certfile'}, 'rb');
- my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
- my $subj_name = Net::SSLeay::X509_get_subject_name($x509);
- $fullout = $out = Net::SSLeay::X509_NAME_print_ex($subj_name)."\n";
- $nbn = $nbt = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notBefore($x509));
- $nan = $nat = Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($x509));
- $nbn =~ s/(\d{4}\-\d{2}\-\d{2})T(\d{2}\:\d{2}\:\d{2})Z/&main::timeval("$1,$2")/eo;
- $nan =~ s/(\d{4}\-\d{2}\-\d{2})T(\d{2}\:\d{2}\:\d{2})Z/&main::timeval("$1,$2")/eo;
- @keyusage = Net::SSLeay::P_X509_get_key_usage($x509);
- Net::SSLeay::BIO_free($bio);
- };
- if ($@) {
- $ret .= &main::ConfigShowError(1,"$name: error while processing the certificate '$e{certfile}' - $@") if $main::WorkerNumber == 0;
- next;
- }
- if ($nbn > time) {
- $ret .= &main::ConfigShowError(1,"$name: the certificate '$e{certfile}' is not yet valid - notBefore: $nbt") if $main::WorkerNumber == 0;
- next;
- }
- if ($nan < time) {
- $ret .= &main::ConfigShowError(1,"$name: the certificate '$e{certfile}' is no longer valid - notAfter: $nat") if $main::WorkerNumber == 0;
- next;
- }
- if (! grep(/digitalSignature/io,@keyusage)) {
- $ret .= &main::ConfigShowError(1,"$name: the certificate '$e{certfile}' is not valid for SMIME signing - available key usages are: '@keyusage'") if $main::WorkerNumber == 0;
- next;
- }
- my %cert = split(/\/|=/o,lc $out);
- $cert{emailaddress} ||= $cert{$e{emailaddress}};
- delete $cert{$e{emailaddress}} if $e{emailaddress} ne 'emailaddress' && delete $e{emailaddress};
- ($cert{emailaddress}) = $cert{emailaddress} =~ /($main::EmailAdrRe\@$main::EmailDomainRe)/o;
- if ( ! $cert{emailaddress} ) {
- $ret .= &main::ConfigShowError(1,"$name: the subject of the certificate '$e{certfile}' contains no valid email address 'emailAddress' - $fullout") if $main::WorkerNumber == 0;
- next;
- }
- if (!($SMIMEcert{$e{'certfile'}} = ${readCertFile($e{'certfile'})})) {
- $ret .= &main::ConfigShowError(1,"$name: no content read from the certificate file '$e{certfile}'") if $main::WorkerNumber == 0;
- delete $SMIMEcert{$e{'certfile'}};
- next;
- }
- if (!($SMIMEkey{$e{'keyfile'}} = ${readCertFile($e{'keyfile'})})) {
- $ret .= &main::ConfigShowError(1,"$name: no content read from the key file '$e{keyfile}'") if $main::WorkerNumber == 0;
- delete $SMIMEkey{$e{'keyfile'}};
- next;
- }
- my %en = %e;
- delete $en{$_} for ('certfile', 'keyfile', 'keypass', 'rcpt');
- foreach (keys %en) {
- delete $e{$_};
- mlog(0,"warning: $name: ignoring invalid/unused parameter '$_' in '$entry'") if $main::WorkerNumber == 0;
- }
- if ($e{'rcpt'}) {
- my @rcpt = split(/\s+/o,$e{'rcpt'});
- if (@rcpt) {
- delete $e{'rcpt'};
- $e{'rcpt'} = {};
- while (@rcpt) {
- my $r = shift(@rcpt);
- next unless $r;
- my $minus;
- if ($minus = ($r =~ s/^-//o)) {
- $r = shift(@rcpt) unless $r;
- next unless $r;
- }
- $r =~ s/\@/\\@/og;
- if ($minus) {
- $e{'rcpt'}->{'-'}->{$r} = 1;
- } else {
- $e{'rcpt'}->{'+'}->{$r} = 1;
- }
- }
- $e{'rcpt'}->{'+'}->{'*'} = 1 if exists $e{'rcpt'}->{'-'} && ! exists $e{'rcpt'}->{'+'};
- delete $e{'rcpt'} unless $e{'rcpt'}->{'-'} || $e{'rcpt'}->{'+'};
- } else {
- delete $e{'rcpt'};
- }
- }
- $out = runSMIME(\%e,'');
- if ( ! ref($out) ) {
- $ret .= &main::ConfigShowError(1,"$name: can't create SMIME signature for '$entry' - entry is ignored - $out") if $main::WorkerNumber == 0;
- next;
- }
- $SMIMEcfg{$domain} = \%e;
- $SMIMEcfg{$domain}->{emailaddress} = $cert{emailaddress};
- mlog(0,"info: registered domain/user '$dd' for SMIME $how signing with '$cert{emailaddress}'") if $main::WorkerNumber == 0;
- }
- $ret .= &main::ConfigShowError(1,"$name: There is no valid SMIME signing license installed for this installation - SMIME signing will not work!") if $main::WorkerNumber == 0 && $main::WorkerName ne 'startup' && eval{$main::L->($main::T[100])->{call}->{'100'}->('','');} == '0';
- return $ret;
- }
- sub runSMIME {
- my ($parm,$email,$this) = @_;
- my $smime = Crypt::SMIME->new() or return "internal error - unable to create a new Crypt::SMIME object";
- my $msg;
- eval{
- $smime->setPrivateKey(${&readCertFile($parm->{keyfile})}, ${&readCertFile($parm->{certfile})}, $parm->{keypass});
- $msg = $smime->sign($email ? $main::L->($main::T[100])->{xcall}->{'100'}->($email,$this) : "\r\n");
- };
- return ($msg =~ /protocol\s*=\s*"?application\/(?:x-)?pkcs7-signature/oi ? \$msg : "the body was not signed - $@");
- }
- sub readCertFile {
- my $file = shift;
- my $o = $SMIMEcert{$file} || $SMIMEkey{$file};
- return \$o if $o;
- open(my $f, '<', $file) || (mlog(0,"error: can't open file $file for reading - $!") && return);
- binmode $f;
- $o = join('',<$f>);
- close $f;
- return \$o;
- }
- sub get_input {
- my $self = shift;
- return $self->{input};
- }
- sub get_output {
- my $self = shift;
- return $self->{output};
- }
- sub get_MIME_parts {
- my ($self, $callback) = @_;
- my $walk_weak;
- my $walk = sub {
- my ($part) = @_;
- $callback->($part);
- for my $part ($part->subparts) {
- $walk_weak->($part);
- }
- return;
- };
- $walk_weak = $walk;
- Scalar::Util::weaken $walk_weak;
- $walk->($self);
- undef $walk;
- return;
- }
- sub process {
- ###################################################################
- # this lines should not (or only very carful) be changed #
- # they are for initializing the varables and to return the right #
- # values while ASSP is testing the Plugin #
- ###################################################################
- my $self = shift; # this we are self
- my $fh = shift; # this is the referenz to the filehandle from ASSP
- my $data = shift; # this is the referenz to the data to process
- $fh = $$fh if($fh); # dereferenz the handle
- my $this = $main::Con{$fh} if ($fh); # this sets $this to the client-connection hash
- $self->{result} = ''; # reset the return values
- $self->{tocheck} = '';
- $self->{errstr} = '';
- if ($$data =~ /ASSP_Plugin_TEST/) { # Plugin has to answer this, if ASSP makes tests on it
- configChangeDoMe('Do'.$self->{myName},$self->{DoMe},$self->{DoMe},'INIT');
- configChangeSelect($self->{myName}.'Select',$self->{select},$self->{select},'INIT');
- configChangeSMIME($self->{myName}.'SMIME',$self->{SMIME},$self->{SMIME},'INIT');
- $self->{result} = $$data;
- $self->{errstr} = "data processed";
- $self->{tocheck} = $$data;
- $self->{DoMe} = 9; # always set to 9 if the Plugin is tested
- mlog($fh,"$self->{myName}: Plugin successful called!") if $main::MaintenanceLog;
- if (! $CanFileType) {
- mlog($fh,"warning: all compressed attachment checks are disabled because any of the following Perl modules is missing: File::Type , MIME::Types");
- } else {
- if (! ($Can7zCheck || $CanZIPCheck || $CanLACheck)) {
- mlog($fh,"warning: common compressed attachment checks are disabled because a 7z executable and the module Archive::Rar::Passthrough is missing - and alternative - the following Perl modules are missing: Archive::Zip , Archive::Extract - and alternative - the following Perl modules is missing: Archive::Libarchive::XS");
- }
- if (! ($Can7zCheck || $CanRARCheck || $CanLACheck)) {
- mlog($fh,"warning: RAR compressed attachment checks are disabled because a 7z executable and the module Archive::Rar::Passthrough is missing - and alternative - a rar/unrar executable and the module Archive::Rar::Passthrough is missing - and alternative - the following Perl modules is missing: Archive::Libarchive::XS");
- }
- if (! ($Can7zCheck || $CanLACheck)) {
- mlog($fh,"warning: 7z compressed attachment checks are disabled because a 7z executable and the module Archive::Rar::Passthrough is missing - and alternative - the following Perl modules is missing: Archive::Libarchive::XS");
- }
- mlog(0,"info: Archive::Zip and Archive::Extract are available") if $CanZIPCheck;
- mlog(0,"info: Archive::Rar::Passthrough and rar executable are available") if $CanRARCheck;
- mlog(0,"info: Archive::Rar::Passthrough and 7z executable are available") if $Can7zCheck;
- mlog(0,"info: Archive::Libarchive::XS is available") if $CanLACheck;
- }
- mlog($fh,"warning: SMIME processing is disabled because the following Perl module is missing: Crypt::SMIME") unless $CanSMIME;
- mlog($fh,"warning: SMIME configuration will extensively call the openssl binary because the following Perl module is missing: Net::SSLeay") if $CanSMIME && ! $CanNetSSLeay;
- $old_CheckAttachments = \&main::CheckAttachments;
- *{"main::haveToScan"} = \&haveToScan;
- *{"main::haveToFileScan"} = \&haveToFileScan;
- *{"main::CheckAttachments"} = \&CheckAttachments;
- return 1;
- }
- ###### END #####
- # here should follow your code - this is ony an example
- return 1 unless $self->{DoMe};
- return 1 unless $this;
- $this->{prepend} = '';
- mlog($fh,"[Plugin] calling plugin $self->{myName}") if $main::AttachmentLog;
- if ($self->{score} && ! $this->{relayok} && ! $this->{whitelisted} && ! ($this->{noprocessing} & 1)) {
- my %size = map{split(/\=\>/o)} split(/,/o,$self->{score});
- foreach my $size (sort {$b <=> $a} keys %size) {
- if ($this->{maillength} >= $size) {
- $this->{prepend} = '[messageSize][score]';
- &main::pbAdd($fh,$this->{ip},$size{$size},'SIZE:'.$this->{maillength}."(>$size)",1) if $size{$size};
- last;
- }
- }
- }
- $this->{prepend} = '';
- $this->{attachcomment}="no bad attachments";
- $main::o_EMM_pm = 1;
- $this->{clamscandone}=0;
- $this->{filescandone}=0;
- $plScan = 1;
- if( ! &haveToScan($fh)
- && ! &haveToFileScan($fh)
- && ! $main::DoBlockExes
- && ! ($self->{script} && (($this->{relayok} && $self->{outsize}) || (! $this->{relayok} && $self->{insize})))
- && ! scalar keys(%SMIMEcfg)
- ){
- $this->{clamscandone}=1;
- $this->{filescandone}=1;
- $plScan = 0;
- return 1;
- }
- $this->{clamscandone}=1 if( ! &haveToScan($fh) );
- $this->{filescandone}=1 if( ! &haveToFileScan($fh) );
- $plScan = 0;
- my @name;
- my $ext;
- my $modified = 0;
- my $email;
- my @parts;
- my $child = {};
- my $parent = {};
- my $ret;
- my $attlog;
- my $virilog = $main::SpamVirusLog;
- my $attTestMode = $main::allTestMode ? $main::allTestMode : $main::attachTestMode;
- my $viriTestMode = $main::allTestMode;
- if (! $main::CanUseEMM) {
- mlog(0,"Warning: module Email::MIME is not installed, please disable the plugin ASSP_AFC or install the module!");
- return 1;
- }
- my $block;
- if ($this->{noprocessing} & 1) {
- $block = $main::BlockNPExes;
- $attlog = $main::npAttachLog;
- mlog($fh,"info: block set to BlockNPExes ($block) - attachlog set to npAttachLog ($attlog) - noprocessing") if $main::SessionLog > 2;
- } elsif ($this->{whitelisted}) {
- $block = $main::BlockWLExes;
- $attlog = $main::wlAttachLog;
- mlog($fh,"info: block set to BlockWLExes ($block) - attachlog set to wlAttachLog ($attlog) - whitelisted") if $main::SessionLog > 2;
- } elsif ($this->{relayok}) {
- $block = $main::BlockWLExes;
- $attlog = $main::wlAttachLog;
- mlog($fh,"info: block set to BlockWLExes ($block) - attachlog set to wlAttachLog ($attlog) - relayok") if $main::SessionLog > 2;
- } else {
- $block = $main::BlockExes;
- $attlog = $main::extAttachLog;
- mlog($fh,"info: block set to BlockExes ($block) - attachlog set to extAttachLog ($attlog) - default") if $main::SessionLog > 2;
- }
- my $privat;
- ($privat) = $this->{rcpt} =~ /(\S*)/o if ! $this->{relayok};
- my $domain = ($main::DoPrivatSpamdb > 1) ? lc $privat : '';
- $privat = ($main::DoPrivatSpamdb & 1) ? lc $privat : '';
- $domain =~ s/^[^\@]*\@/\@/o;
- my $badimage = 0;
- $ret = eval {
- $Email::MIME::ContentType::STRICT_PARAMS=0; # no output about invalid CT
- $this->{header} =~ s/\.[\r\n]+$//o;
- $email = Email::MIME->new($this->{header});
- if ($email->{ct}{composite} =~ /signed/i) {
- mlog($fh,"info: digital signed email found") if $main::AttachmentLog == 2;
- $this->{signed} = 1;
- }
- foreach my $part ($email->parts) {
- $parent->{$part} = $email; # remember the parent MIME part
- push @{$child->{$email}} , $part; # remember the subparts of a MIME part
- if ($part->parts > 1 || $part->subparts) {
- eval{get_MIME_parts($part, sub {my $p = shift;
- push @parts, $p;
- my @sp = $p->subparts;
- return unless @sp;
- for my $sp (@sp) {
- $parent->{$sp} = $p;
- push @{$child->{$p}} , $sp;
- }
- })};
- push @parts,$part if $@;
- } else {
- push @parts,$part;
- }
- }
- foreach my $part ( @parts ) {
- $this->{clamscandone}=0;
- $this->{filescandone}=0;
- $this->{attachdone}=0;
- $self->{exetype} = undef;
- $self->{skipBinEXE} = undef;
- $self->{skipZipBinEXE} = undef;
- @attre = ();
- @attZipre = ();
- $plScan = 1;
- $ZIPLevel = $self->{MaxZIPLevel};
- my $foundBadImage;
- my $filename = &main::attrHeader($part,'Content-Type','filename')
- || &main::attrHeader($part,'Content-Disposition','filename')
- || &main::attrHeader($part,'Content-Type','name')
- || &main::attrHeader($part,'Content-Disposition','name');
- if (! $this->{signed} && $part->header("Content-Type") =~ /application\/(?:(?:pgp|(?:x-)?pkcs7)-signature|pkcs7-mime)/io) {
- mlog($fh,"info: digital signature file $filename found, without related Content-Type definition 'multipart/signed'") if $main::AttachmentLog >= 2;
- $this->{signed} = 1;
- }
- my $orgname = $filename;
- my ($imghash,$imgprob);
- if ( $main::ASSP_AFCDetectSpamAttachRe
- && $main::baysProbability > 0
- && ! ($this->{noprocessing} & 1)
- && ! $this->{whitelisted}
- && ! $this->{relayok}
- && $part->header("Content-Type") =~ /($self->{DetectSpamAttach})/is
- && eval { mlog($fh,"info: spam attachment check ($1 - $orgname)") if $main::AttachmentLog > 1; 1; }
- && ($imghash = &main::AttachMD5Part($part))
- && ($imgprob = $main::Spamdb{ "$privat $imghash" } || $main::Spamdb{ "$domain $imghash" } || $main::Spamdb{ $imghash }) > $main::baysProbability)
- {
- $badimage++;
- $foundBadImage = 1;
- mlog($fh,"info: spam attachment ($1 - $orgname) found in MIME part - spam probability is $imgprob") if $main::AttachmentLog;
- }
- if ($main::DoBlockExes &&
- $filename &&
- isAttachment($part) &&
- ($self->{select} == 1 or $self->{select} == 3)) {
- my $attname = $filename;
- mlog($fh,"info: attachment $attname found for Level-$block") if ($main::AttachmentLog >= 2);
- Encode::_utf8_on($attname);
- push(@name,$attname);
- $userbased = 0;
- $self->{attRun} = sub { return
- ($block >= 1 && $block <= 3 && $_[0] =~ $main::badattachRE[$block] ) ||
- ( $main::GoodAttach && $block == 4 && $_[0] !~ $main::goodattachRE );
- };
- $self->{attZipRun} = sub { return 0; };
- if ($self->{detectBinEXE} = $self->{attRun}->('.exe-bin')) {
- setSkipExe($self,'attRun','skipBinEXE');
- }
- if (scalar keys %main::AttachRules) {
- my $rcpt = [split(/ /o,$this->{rcpt})]->[0];
- my $dir = ($this->{relayok}) ? 'out' : 'in';
- my $addr;
- $addr = &main::matchHashKey('main::AttachRules', &main::batv_remove_tag('',$this->{mailfrom},''), 1);
- $attre[0] = $main::AttachRules{$addr}->{'good'} . '|' . $main::AttachRules{$addr}->{'good-'.$dir} . '|' if $addr;
- $attre[1] = $main::AttachRules{$addr}->{'block'} . '|' . $main::AttachRules{$addr}->{'block-'.$dir} . '|' if $addr;
- $addr = &main::matchHashKey('main::AttachRules', &main::batv_remove_tag('',$rcpt,''), 1);
- $attre[0] .= $main::AttachRules{$addr}->{'good'} . '|' . $main::AttachRules{$addr}->{'good-'.$dir} . '|' if $addr;
- $attre[1] .= $main::AttachRules{$addr}->{'block'} . '|' . $main::AttachRules{$addr}->{'block-'.$dir} . '|' if $addr;
- $attre[0] =~ s/\|\|+/\|/go;
- $attre[1] =~ s/\|\|+/\|/go;
- $attre[0] =~ s/^\|//o;
- $attre[1] =~ s/^\|//o;
- $attre[0] =~ s/\|$//o;
- $attre[1] =~ s/\|$//o;
- if ($attre[0] || $attre[1]) {
- $attre[0] = qq[\\.(?:$attre[0])\$] if $attre[0];
- $attre[1] = qq[\\.(?:$attre[1])\$] if $attre[1];
- $self->{attRun} = sub { return
- ($attre[1] && $_[0] =~ /$attre[1]/i ) ||
- ($attre[0] && $_[0] !~ /$attre[0]/i );
- };
- mlog($fh,"info: using user based attachment check") if $main::AttachmentLog;
- $userbased = 1;
- $self->{skipBinEXE} = undef;
- if ($self->{detectBinEXE} = $self->{attRun}->('.exe-bin')) {
- setSkipExe($self,'attRun','skipBinEXE');
- }
- }
- }
- $self->{exetype} = '';
- delete $self->{typemismatch};
- delete $self->{fileList};
- delete $self->{isEncrypt};
- my $blockEncryptedZIP = $self->{blockEncryptedZIP}; # remember the config setting
- $self->{skipBin} = $self->{skipBinEXE};
- if ( ( $self->{exetype} = isAnEXE($self, \$part->body)) || $self->{attRun}->($attname)
- || ! isZipOK($self, $this, \$part->body, $attname)
- )
- {
- $orgname =~ /(\.[^\.]*)$/o;
- $ext = $1;
- $self->{blockEncryptedZIP} = $blockEncryptedZIP; # reset to config value
- $self->{exetype} = $self->{typemismatch}->{text} if $self->{typemismatch};
- my $exetype;
- if ($self->{exetype}) {
- $exetype = $self->{exetype};
- $self->{exetype} = " cause: '$self->{exetype}'";
- }
- $this->{prepend} = "[Attachment]";
- my $tlit="SPAM FOUND";
- $tlit = "[monitoring]" if ($main::DoBlockExes == 2);
- $tlit = "[scoring]" if ($main::DoBlockExes == 3);
- $main::Stats{viri}++ if ($main::DoBlockExes == 1);
- &main::delayWhiteExpire($fh) if ($main::DoBlockExes == 1 && ! $userbased);
- $this->{messagereason} = "bad attachment '$attname'$self->{exetype}";
- $this->{attachcomment} = $this->{messagereason};
- mlog( $fh, "$tlit $this->{messagereason}" ) if ($main::AttachmentLog);
- next if ($main::DoBlockExes == 2);
- &main::pbAdd( $fh, $this->{ip}, (defined($main::baValencePB[0]) ? 'baValencePB' : $main::baValencePB), 'BadAttachment' ) if ($main::DoBlockExes != 2 && ! $userbased);
- next if ($main::DoBlockExes == 3);
- if ($self->{ra}) {
- $modified = 1 unless $modified == 2;
- my $text = $self->{ratext};
- $text =~ s/FILENAME/$orgname/go;
- $text =~ s/REASON/$exetype/go;
- eval{
- $text = Encode::encode('UTF-8',$text);
- $text = $main::UTF8BOM . $text;
- };
- $orgname =~ s/$ext$/\.txt/;
- $attname =~ s/$ext$/\.txt/;
- $orgname = &main::encodeMimeWord(Encode::encode('UTF-8', $orgname),'Q','UTF-8');
- eval {
- $part->body_set('');
- $part->content_type_set('text/plain');
- $part->disposition_set('attachment');
- $part->filename_set($orgname);
- $part->name_set($orgname);
- $part->encoding_set('quoted-printable');
- $part->charset_set('UTF-8');
- $part->body_set($text);
- };
- if ($@) {
- mlog(0,"error: unable to change MIME attachment to - $text - $@");
- $part->body_set('The original attached file was removed from this email by ASSP for policy reasons!');
- eval{
- $part->filename_set( undef );
- $part->name_set( undef );
- };
- }
- mlog( $fh, "$tlit replaced $this->{messagereason} with '$attname'" ) if ($main::AttachmentLog);
- $badimage-- if $foundBadImage;
- next;
- } else {
- my $reply = $main::AttachmentError;
- $attname = &main::encodeMimeWord($attname,'Q','UTF-8') unless &main::is_7bit_clean($attname);
- # $attname =~ s/$main::NONPRINT//go;
- $reply =~ s/FILENAME/$attname/g;
- my $reason = $self->{exetype};
- $reason = &main::encodeMimeWord($reason,'Q','UTF-8') unless &main::is_7bit_clean($reason);
- $reply =~ s/REASON/$reason/g;
- $self->{errstr} = $reply;
- $self->{result} = "BadAttachment";
- $plScan = 0;
- $self->{logto} = $main::plLogTo = $attlog;
- $main::pltest = $attTestMode;
- correctHeader($this);
- return 0;
- }
- }
- $self->{blockEncryptedZIP} = $blockEncryptedZIP; # reset to config value
- next if ($self->{select} == 1);
- next if (&main::ClamScanOK($fh,\$part->body) && &main::FileScanOK($fh,\$part->body));
- if ($self->{rv}) {
- $modified = 2;
- my $text = $self->{rvtext};
- $text =~ s/FILENAME/$orgname/g;
- $text =~ s/VIRUS/$this->{averror}/g;
- eval{
- $text = Encode::encode('UTF-8',$text);
- $text = $main::UTF8BOM . $text;
- };
- my $oldname = $attname;
- $orgname =~ s/$ext$/\.txt/;
- $attname =~ s/$ext$/\.txt/;
- $orgname = &main::encodeMimeWord(Encode::encode('UTF-8', $orgname),'Q','UTF-8');
- eval {
- $part->body_set('');
- $part->content_type_set('text/plain');
- $part->disposition_set('attachment');
- $part->filename_set($orgname);
- $part->name_set($orgname);
- $part->encoding_set('quoted-printable');
- $part->charset_set('UTF-8');
- $part->body_set($text);
- };
- if ($@) {
- mlog(0,"error: unable to change MIME attachment to - $text - $@");
- $part->body_set('There was an attached virus removed from this email by ASSP!');
- eval{
- $part->filename_set( undef );
- $part->name_set( undef );
- };
- }
- mlog( $fh, "$this->{averror} - replaced attachment '$oldname' with '$attname'" ) if ($main::AttachmentLog);
- $badimage-- if $foundBadImage;
- next;
- }
- $this->{clamscandone}=1;
- $this->{filescandone}=1;
- $self->{errstr} = $this->{averror};
- $self->{result} = "VIRUS-found";
- $plScan = 0;
- $self->{logto} = $main::plLogTo = $virilog;
- $main::pltest = $viriTestMode;
- correctHeader($this);
- return 0;
- }
- next if ($self->{select} == 1);
- next if (&main::ClamScanOK($fh,\$part->body) && &main::FileScanOK($fh,\$part->body));
- if ($self->{rv}) {
- $modified = 2;
- my $text = $self->{rvtext};
- $text =~ s/FILENAME/MIME-TEXT.eml/g;
- eval{$part->body_set( $text );1;} or eval{$part->body_set( $self->{rvtext} );1;} or eval{$part->body_set( 'virus removed' );1;} or eval{$part->body_set( undef );1;};
- mlog( $fh,"$this->{averror} - replaced virus-mail-part with simple text");
- $badimage-- if $foundBadImage;
- next;
- }
- $this->{clamscandone}=1;
- $this->{filescandone}=1;
- $self->{errstr} = $this->{averror};
- $self->{result} = "VIRUS-found";
- $plScan = 0;
- $self->{logto} = $main::plLogTo = $virilog;
- $main::pltest = $viriTestMode;
- correctHeader($this);
- return 0;
- }
- correctHeader($this);
- return 1;
- };
- if ($@) {
- $this->{clamscandone}=1;
- $this->{filescandone}=1;
- $this->{attachdone}=1;
- mlog($fh,"error: unable to parse message for attachments - $@") unless $main::IgnoreMIMEErrors;
- correctHeader($this);
- return 1;
- }
- unless ($ret) {
- $self->{logto} = $main::plLogTo = $self->{result} eq "VIRUS-found" ? $virilog : $attlog;
- correctHeader($this);
- return 0;
- }
- if ($badimage > 0) {
- $this->{logalldone} = &main::MaillogRemove($this) if ($this->{maillogfilename});
- my $fn = $this->{maillogfilename};
- $fn = &main::Maillog($fh,'',$attlog) unless ($fn); # tell maillog what this is.
- delete $this->{logalldone};
- $fn=' -> '.$fn if $fn ne '';
- $fn='' if ! $main::fileLogging;
- my $logsub =
- ( $main::subjectLogging ? " $main::subjectStart$this->{originalsubject}$main::subjectEnd" : '' );
- mlog( $fh, "file path changed to $fn", 0, 2 ) if $fn;
- my $reason = 'spam attachment found';
- $this->{sayMessageOK} = 'already';
- $self->{errstr} = $reason;
- $self->{result} = 'SPAM-attachment';
- correctHeader($this);
- return 0;
- }
- $this->{clamscandone}=1;
- $this->{filescandone}=1;
- $this->{attachdone}=1;
- my $numatt = @name;
- my $s = 's' if ($numatt >1);
- mlog($fh,"info: $numatt attachment$s found for Level-$block") if ($main::DoBlockExes && $main::AttachmentLog == 1 && $numatt);
- $plScan = 0;
- if ($this->{noprocessing} & 1) {
- mlog( $fh, "message proxied without processing ($this->{attachcomment})", 0, 2 );
- } elsif ($this->{whitelisted}) {
- mlog( $fh, "whitelisted ($this->{attachcomment})", 0, 2 ) if !$this->{relayok};
- } else {
- mlog( $fh, "local ($this->{attachcomment})", 0, 2 ) if $this->{relayok};
- }
- if ($modified) {
- my %parentdone;
- for my $part (reverse @parts) { # process subparts first up to email
- next unless exists $parent->{$part}; # is not a subpart, it has no parent - only to be safe
- next if $parentdone{$parent->{$part}};
- $parent->{$part}->parts_set($child->{$parent->{$part}}); # set all parts of the parent
- $parentdone{$parent->{$part}} = 1; # don't do a parent twice
- }
- $this->{logalldone} = &main::MaillogRemove($this) if ($this->{maillogfilename});
- my $fn = &main::Maillog($fh,'', ($modified == 2) ? $virilog : $attlog); # tell maillog what this is.
- delete $this->{logalldone};
- $fn=' -> '.$fn if $fn ne '';
- $fn='' if ! $main::fileLogging;
- my $logsub =
- ( $main::subjectLogging ? " $main::subjectStart$this->{originalsubject}$main::subjectEnd" : '' );
- mlog( $fh, "file path changed to $fn", 0, 2 ) if $fn;
- my $reason = ($modified == 2) ? $this->{averror} : $this->{attachcomment};
- mlog( $fh, "[spam found] $reason $logsub$fn", 0, 2 );
- $this->{sayMessageOK} = 'already';
- $this->{header} = $email->as_string;
- correctHeader($this);
- mlog($fh,"info: sending modified message") if ($main::AttachmentLog == 2);
- }
- if ($self->{script} && (($this->{relayok} && $self->{outsize}) || (! $this->{relayok} && $self->{insize}))) {
- my $changed;
- foreach my $part (@parts) {
- if ( $part->header("Content-Disposition")=~ /attachment/io
- && (my $len = length($part->body)) > ($this->{relayok} ? $self->{outsize} : $self->{insize})
- && (my $filename = $part->filename || $part->name) )
- {
- my $file; my $text;
- if (($file = store_f($filename,$this,$part)) && ($text = call_s($self,$file,$this))) {
- if ($text =~ /^\s*error/io) {
- mlog(0,"error: WebScript returned: $text");
- next;
- }
- $part->body_set( $text );
- my $ct_subtype = ($text =~ /\<HTML\>/io) ? 'html' : 'plain';
- $part->content_type_set( "text/$ct_subtype" );
- $part->name_set( undef );
- $part->filename_set( undef );
- $part->disposition_set( undef );
- $part->charset_set('UTF-8');
- $part->encoding_set( (&main::is_7bit_clean(\$text)) ? '7bit' : 'quoted-printable');
- $changed = 1;
- mlog($fh,"attachment $filename with size of ".&main::formatNumDataSize($len).' was stored outside for download and replaced by script result.') if ($main::AttachmentLog);
- }
- }
- }
- if ($changed) {
- $email->parts_set( \@parts );
- $this->{header} = $email->as_string;
- correctHeader($this);
- }
- }
- my $smime;
- my $References;
- my $rcpt = (split(/ /o,$this->{rcpt}))->[0];
- if ( ! $this->{signed}
- && $CanSMIME
- && $this->{relayok}
- && scalar(keys(%SMIMEcfg))
- && &main::is_7bit_clean(\$this->{header})
- && ($smime = &main::matchHashKey(\%SMIMEcfg,$this->{mailfrom},'0 1 1'))
- && ! &main::matchHashKey(\%skipSMIME,$this->{mailfrom},'0 1 1')
- && checkrcpt($smime, $this)
- ) {
- my $out = eval{$main::L->($main::T[100])->{call}->{'100'}->($smime,$email,$this);};
- if (ref($out)) {
- $email = Email::MIME->new($$out);
- # replace the from: address
- my $from = my $newfrom = $email->header('from');
- $newfrom =~ s/$main::EmailAdrRe\@$main::EmailDomainRe/$smime->{emailaddress}/;
- $email->header_str_set( 'From' => $newfrom );
- # set the Reply-To MIME header tag
- $email->header_str_set( 'Reply-To' => $from ) unless $email->header('Reply-To');
- if (lc $from ne lc $newfrom) {
- $References = $email->header('references');
- if ($References !~ /<assp-corp-smime-\Q$from\E>/i) {
- $from =~ s/^.*?($main::EmailAdrRe\@$main::EmailDomainRe).*$/$1/o;
- $References .= " <assp-corp-smime-$from>";
- $email->header_str_set('References' => $References);
- }
- }
- $this->{header} = $email->as_string;
- mlog(0,"info: added SMIME signature for '$newfrom'") if $main::SessionLog;
- $this->{signed} = 1;
- } elsif ($out eq '0') {
- mlog(0,"info: possible missing SMIME license") if $main::SessionLog > 2;
- } else {
- mlog(0,"warning: unable to add SMIME signature - $out") if $main::SessionLog;
- }
- } elsif ( $CanSMIME
- && ! $this->{relayok}
- && scalar(keys(%SMIMEcfg))
- && ($References = $email->header('references'))
- && $References =~ /assp-corp-smime-($main::EmailAdrRe\@$main::EmailDomainRe)/oi
- && &main::localmailaddress($fh,$1)
- && $email->header('to') !~ /<\Q$rcpt\E>/i
- && ! &main::matchHashKey(\%skipSMIME,$this->{mailfrom},'0 1 1') )
- {
- $email->header_str_set('to' => $email->header('to') . " <$rcpt>" );
- $this->{header} = $email->as_string;
- mlog(0,"info: mail from $this->{mailfrom} in reply to SMIME signed mail found - added recipient $rcpt") if $main::SessionLog > 1;
- }
- correctHeader($this);
- return 1;
- }
- sub checkrcpt {
- my ($smime, $this) = @_;
- return 1 if ! exists $smime->{'rcpt'};
- my $rcpt = (split(/ /o,$this->{rcpt}))->[0];
- if (exists $smime->{'rcpt'}->{'+'} && ! &main::matchHashKey($smime->{'rcpt'}->{'+'},$rcpt,'0 1 1')) {
- return 0;
- }
- if (exists $smime->{'rcpt'}->{'-'} && &main::matchHashKey($smime->{'rcpt'}->{'-'},$rcpt,'0 1 1')) {
- return 0;
- }
- return 1;
- }
- sub correctHeader {
- my $this = shift;
- $this->{header} =~ s/\r?\n\.(?:\r?\n)+$//o;
- $this->{header} .= "\r\n.\r\n";
- $this->{maillength} = length($this->{header});
- }
- sub store_f {
- my ($file,$this,$part) = @_;
- -d $main::base.'/transfer' or (mkdir $main::base.'/transfer', 0775) or return;
- $file = $main::base."/transfer/$this->{msgtime}_$file";
- my $dis = $part->header("Content-Type") || '';
- my $attrs = $dis =~ s/^[^;]*;//o ? Email::MIME::ContentType::_parse_attributes($dis) : {};
- my $charset = $attrs->{charset} || $part->{ct}{attributes}{charset};
- $charset = Encode::resolve_alias(uc($charset)) if $charset;
- $main::open->(my $F, '>', $file) or return;
- binmode $F;
- my $body = $part->body;
- $body = Encode::decode($charset,$body) if $charset;
- print $F $body;
- close $F;
- return $file;
- }
- sub call_s {
- my ($self,$ofile,$this) = @_;
- my $file = ($^O eq 'MSWin32') ? "\"$ofile\"" : "'$ofile'";
- my $cmd = $self->{script};
- while ($self->{script} =~ /(\$(\S+))/og) {
- my ($f1, $f2) = ($1, $2);
- if (! exists $this->{$f2} && ! defined $$f2 && ! defined ${'main::'.$f2}) {
- mlog(0,"error: AFC-WebScript - don't know what to do with $f1 - no such internal variable!");
- return;
- }
- $f2 = $this->{$f2} || $$f2 || ${'main::'.$f2} || 0;
- $cmd =~ s/\Q$f1\E/$f2/o;
- }
- $cmd =~ s/FILENAME/$file/go;
- $cmd =~ s/\//\\/go if $^O eq "MSWin32";
- $cmd = runCMD($cmd);
- mlog(0,"warning: WebScript returned no result for file '$ofile'") if $cmd !~ /\S/o;
- mlog(0,"warning: file '$ofile' was not removed by WebScript - it is now removed by assp") if $main::unlink->($ofile);
- return $cmd;
- }
- sub runCMD {
- my $cmd = shift;
- my ($o,$e);
- if ($main::SAVEOUT && $main::SAVEERR) {
- open(STDOUT, '>', \$o);
- open(STDERR, '>', \$e);
- }
- my $out = qx($cmd);
- if ($main::SAVEOUT && $main::SAVEERR) {
- close STDOUT;
- close STDERR;
- }
- return $out;
- }
- sub mlog { # sub to main::mlog
- my ( $fh, $comment, $noprepend, $noipinfo ) = @_;
- &main::mlog( $fh, "$comment", $noprepend, $noipinfo );
- }
- sub d { # sub to main::d
- my $debugprint = shift;
- &main::d("$debugprint");
- }
- sub tocheck {
- my $self = shift;
- return $self->{tocheck};
- }
- sub result {
- my $self = shift;
- return $self->{result};
- }
- sub errstr {
- my $self = shift;
- return $self->{errstr};
- }
- sub howToDo {
- my $self = shift;
- return $self->{DoMe};
- }
- sub close {
- my $self = shift;
- # close your file/net handles here
- $main::o_EMM_pm = 0;
- return 1;
- }
- sub haveToScan {
- my $fh = shift;
- my $this=$main::Con{$fh};
- my $skipASSPscan = $main::DoASSP_AFC == 1 && ($main::ASSP_AFCSelect == 2 or $main::ASSP_AFCSelect == 3);
- my $UseAvClamd = $main::UseAvClamd; # copy the global to local - using local from this point
- $UseAvClamd = $this->{overwritedo} if ($this->{overwritedo}); # overwrite requ by Plugin
- return 0 if ($skipASSPscan && ! $this->{overwritedo} && ! $plScan); # was not called from a Plugin
- return 0 if ($this->{noscan} || $main::noScan && main::matchSL($this->{mailfrom},'noScan') );
- return 0 if $this->{clamscandone}==1;
- return 0 if !$UseAvClamd;
- return 0 if !$main::CanUseAvClamd;
- return 0 if $this->{whitelisted} && $main::ScanWL!=1;
- return 0 if ($this->{noprocessing} & 1) && $main::ScanNP!=1;
- return 0 if $this->{relayok} && $main::ScanLocal!=1;
- return 0 if $main::noScanIP && &main::matchIP($this->{ip},'noScanIP',$fh);
- return 0 if $main::NoScanRe && $this->{ip}=~('('.$main::NoScanReRE.')');
- return 0 if $main::NoScanRe && $this->{helo}=~('('.$main::NoScanReRE.')');
- return 0 if $main::NoScanRe && $this->{mailfrom}=~('('.$main::NoScanReRE.')');
- $this->{prepend}="";
- return 1;
- }
- sub haveToFileScan {
- my $fh = shift;
- my $this=$main::Con{$fh};
- my $skipASSPscan = $main::DoASSP_AFC == 1 && ($main::ASSP_AFCSelect == 2 or $main::ASSP_AFCSelect == 3);
- my $DoFileScan = $main::DoFileScan; # copy the global to local - using local from this point
- $DoFileScan = $this->{overwritedo} if ($this->{overwritedo}); # overwrite requ by Plugin
- return 0 if ($skipASSPscan && ! $this->{overwritedo} && ! $plScan); # was not called from a Plugin
- return 0 if ($this->{noscan} || $main::noScan && main::matchSL($this->{mailfrom},'noScan') );
- return 0 if $this->{filescandone}==1;
- return 0 if $this->{whitelisted} && $main::ScanWL!=1;
- return 0 if ($this->{noprocessing} & 1) && $main::ScanNP!=1;
- return 0 if $this->{relayok} && $main::ScanLocal!=1;
- return 0 if ! $DoFileScan;
- return 0 if $main::noScanIP && &main::matchIP($this->{ip},'noScanIP',$fh);
- return 0 if $main::NoScanRe && $this->{ip}=~('('.$main::NoScanReRE.')');
- return 0 if $main::NoScanRe && $this->{helo}=~('('.$main::NoScanReRE.')');
- return 0 if $main::NoScanRe && $this->{mailfrom}=~('('.$main::NoScanReRE.')');
- $this->{prepend}="";
- return 1;
- }
- sub CheckAttachments {
- my ( $fh, $block, $b, $attachlog, $done ) = @_;
- return 1 if ($main::DoASSP_AFC == 1 && ($main::ASSP_AFCSelect == 1 or $main::ASSP_AFCSelect == 3));
- return $old_CheckAttachments->( $fh, $block, $b, $attachlog, $done );
- }
- sub setSkipExe {
- my ($self,$what,$where) = @_;
- for my $re (qw(WIN MOS PEF ELF WSH MMC ARC CSC MSOM)) {
- $self->{$where} .= ":$re" if $self->{$what}->('.:'.$re);
- }
- }
- sub Get16u {
- $_[1] and return unpack("x$_[1] v", ${$_[0]});
- return unpack("v", ${$_[0]});
- }
- # Extract information from an EXE file
- # Inputs: scalar reference to the string or a filename
- # Returns: EXE type on success, undef if this wasn't a valid EXE file
- sub isAnEXE {
- my ($self, $raf) = @_;
- my ($size, $buff, $type, $count, $sk);
- $self->{detectBinEXE} or return;
- if (! ref($raf)) {
- my $ZH;
- if (! (-e $raf || $main::eF->($raf) || $main::eF->(&main::d8($raf))) || ! (open($ZH , '<' , $raf) || $main::open->($ZH , '<' , $raf) || $main::open->($ZH , '<' , &main::d8($raf)))) {
- mlog(0,"warning: possibly a virus infected file (can't read) '$raf' - $!");
- return 'possibly a virus infected file (can\'t read)';
- }
- binmode $ZH;
- $raf = \join('',<$ZH>);
- eval{$ZH->close;};
- }
- $buff = substr($$raf,0,0x40);
- $buff =~ s/^$main::UTFBOMRE//o;
- ($size = length($buff)) or return;
- $sk = $self->{skipBin};
- #
- # custom executable detection in sub AFC_EXE_DETECT of lib/CorrectASSPcfg.pm
- #
- if (defined(&{'CorrectASSPcfg::AFC_Executable_Detection'})) {
- $type = eval{&CorrectASSPcfg::AFC_Executable_Detection($self,$sk,\$buff,$raf);};
- mlog(0,"error: exception in sub 'CorrectASSPcfg::AFC_EXE_DETECT' - $@");
- return $type if $type;
- }
- #
- # DOS and Windows EXE
- #
- if ($sk !~ /:WIN/oi && $buff =~ /^MZ/o && $size == 0x40) {
- my ($cblp, $cp, $lfarlc, $lfanew) = unpack('x2v2x18vx34V', $buff);
- my $fileSize = ($cp - ($cblp ? 1 : 0)) * 512 + $cblp;
- return if $fileSize < 0x40;
- # read the Windows NE, PE or LE (virtual device driver) header
- if (($buff = substr($$raf, $lfanew, 0x40)) and $buff =~ /^(NE|PE|LE)/o) {
- $size = length($buff);
- if ($1 eq 'NE') {
- if ($size >= 0x40) { # NE header is 64 bytes
- # check for DLL
- my $appFlags = Get16u(\$buff, 0x0c);
- $type = 'Win16 ' . ($appFlags & 0x80 ? 'DLL' : 'EXE');
- }
- } elsif ($1 eq 'PE') {
- if ($size >= 24) { # PE header is 24 bytes (plus optional header)
- my $machine = Get16u(\$buff, 4) || '';
- my $winType = ($machine eq 0x0200 || $machine eq 0x8664) ? 'Win64' : 'Win32';
- my $flags = Get16u(\$buff, 22);
- $type = $winType . ' ' . ($flags & 0x2000 ? 'DLL' : 'EXE');
- }
- } else {
- $type = 'Virtual Device Driver';
- }
- } else {
- $type = 'DOS EXE';
- }
- #
- # Mach-O (Mac OS X)
- #
- } elsif ($sk !~ /:MOS/oi && $buff =~ /^(\xca\xfe\xba\xbe|\xfe\xed\xfa(\xce|\xcf)|(\xce|\xcf)\xfa\xed\xfe)/o && $size > 12) {
- if ($1 eq "\xca\xfe\xba\xbe") {
- $type = 'Mach-O fat binary executable';
- } elsif ($size >= 16) {
- $type = 'Mach-O executable';
- my $info = {
- "\xfe\xed\xfa\xce" => ' 32 bit Big endian',
- "\xce\xfa\xed\xfe" => ' 32 bit Little endian',
- "\xfe\xed\xfa\xcf" => ' 64 bit Big endian',
- "\xcf\xfa\xed\xfe" => ' 64 bit Little endian'
- };
- $type .= $info->{$1};
- }
- #
- # PEF (classic MacOS)
- #
- } elsif ($sk !~ /:PEF/oi && $buff =~ /^Joy!peff/o && $size > 12) {
- $type = 'Classic MacOS executable';
- #
- # ELF (Unix)
- #
- } elsif ($sk !~ /:ELF/oi && $buff =~ /^\x7fELF/o && $size >= 16) {
- $type = 'ELF executable';
- #
- # MS office macro
- #
- } elsif ($sk !~ /:MSOM/oi && index($$raf, "\xd0\xcf\x11\xe0") > -1 && index($$raf, "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00") > -1) {
- $type = 'MS office macro';
- #
- # various scripts (perl, sh, java, etc...)
- #
- } elsif ($sk !~ /:CSC/oi && $buff =~ /^#!\s*\/\S*bin\/(\w+)/io) {
- $type = "$1 script";
- } elsif ($sk !~ /:CSC/oi && $buff =~ /^#!\s*[A-Z]\:[\\\/]\S+[\\\/](\w+)/io) {
- $type = "$1 script";
- } elsif ($sk !~ /:CSC/oi && $buff =~ /^\s*\/[*\/].*?Mode:\s*(Java);/io) {
- $type = "$1 script";
- } elsif ($$raf =~ /\bstring\.prototype\.|\bcharAt\b/io) { # detect possibly lucky virus script
- $type = "Java script - possibly locky (ransomware) virus";
- } elsif ($sk !~ /:WSH/oi && $$raf =~ /W(?:shShell|script)\.|IWsh(?:Shell|Environment|Network)_Class/ios) {
- $type = "Windows-Scripting-Host script";
- } elsif ( $sk !~ /:CSC/oi && ($count = () = $$raf =~
- /^\s*(
- (?:(?:var|our|my)\s+)?[$%@]?[a-zA-Z0-9.\-_]+\s*=.+ |
- (?:public|privat)\s+(?:class|static)\s+ |
- import\s+java\.[a-zA-Z0-9.\-_]+ |
- (?:function|dim|const|option|sub
- |end\s+sub|select\s+case|end\s+select)
- \s+[()a-zA-Z0-9.\-_]+
- )
- /xiog
- ) && $count > 9)
- {
- $type = "not defined script language";
- #
- # .a libraries
- #
- } elsif ($sk !~ /:ARC/oi && $buff =~ /^!<arch>\x0a/) {
- $type = 'Static library',
- #
- # Windows MMC
- #
- } elsif ($sk !~ /:MMC/oi && $buff =~ /^\s*<\?xml version.+?<MMC_ConsoleFile/io) {
- $type = 'Windows MMC Console File',
- }
- return $type;
- }
- # compressed file processing and encryption detection
- sub isZipOK {
- my ($self, $this, $content, $file) = @_;
- return 1 unless $CanZIPCheck;
- $self->{attname} = $file;
- $self->{tmpdir} = "$main::base/tmp/zip_".$main::WorkerNumber.'_'.time;
- $self->{fileList} = {};
- @{$self->{isEncrypt}} = ();
- $self->{skipZipBinEXE} = undef;
- if (scalar keys %main::AttachZipRules) {
- my $rcpt = [split(/ /o,$this->{rcpt})]->[0];
- my $dir = ($this->{relayok}) ? 'out' : 'in';
- my $addr;
- $addr = &main::matchHashKey('main::AttachZipRules', &main::batv_remove_tag('',$this->{mailfrom},''), 1);
- $attZipre[0] = $main::AttachZipRules{$addr}->{'good'} . '|' . $main::AttachZipRules{$addr}->{'good-'.$dir} . '|' if $addr;
- $attZipre[1] = $main::AttachZipRules{$addr}->{'block'} . '|' . $main::AttachZipRules{$addr}->{'block-'.$dir} . '|' if $addr;
- $addr = &main::matchHashKey('main::AttachZipRules', &main::batv_remove_tag('',$rcpt,''), 1);
- $attZipre[0] .= $main::AttachZipRules{$addr}->{'good'} . '|' . $main::AttachZipRules{$addr}->{'good-'.$dir} . '|' if $addr;
- $attZipre[1] .= $main::AttachZipRules{$addr}->{'block'} . '|' . $main::AttachZipRules{$addr}->{'block-'.$dir} . '|' if $addr;
- $attZipre[0] =~ s/\|\|+/\|/go;
- $attZipre[1] =~ s/\|\|+/\|/go;
- $attZipre[0] =~ s/^\|//o;
- $attZipre[1] =~ s/^\|//o;
- $attZipre[0] =~ s/\|$//o;
- $attZipre[1] =~ s/\|$//o;
- if ($attZipre[0] || $attZipre[1]) {
- $attZipre[0] = qq[\\.(?:$attZipre[0])\$] if $attZipre[0];
- $attZipre[1] = qq[\\.(?:$attZipre[1])\$] if $attZipre[1];
- $self->{attZipRun} = sub { return
- ($attZipre[1] && $_[0] =~ /$attZipre[1]/i ) ||
- ($attZipre[0] && $_[0] !~ /$attZipre[0]/i );
- };
- mlog($this->{self},"info: using user based compressed attachment check for $self->{attname}") if $main::AttachmentLog;
- $userbased = 1;
- $self->{blockEncryptedZIP} = 1 if (! $self->{blockEncryptedZIP} && $attZipre[1] && '.crypt-zip' =~ /$attZipre[1]/i);
- $self->{blockEncryptedZIP} = 0 if ( $self->{blockEncryptedZIP} && $attZipre[0] && '.crypt-zip' =~ /$attZipre[0]/i);
- setSkipExe($self,'attZipRun','skipZipBinEXE');
- } elsif (! $self->{blockEncryptedZIP}) {
- return 1;
- }
- } elsif (! $self->{blockEncryptedZIP}) {
- return 1;
- }
- mkdir $self->{tmpdir}, 0777;
- ! $main::dF->( $self->{tmpdir} ) && mlog(0,"unable to create temporary folder $self->{tmpdir}") && return 1;
- mlog(0,"info: will detect encrypted compressed files") if $self->{blockEncryptedZIP} && $main::AttachmentLog > 1;
- my $detectBinEXE = $self->{detectBinEXE};
- $self->{detectBinEXE} = $self->{attZipRun}->('.exe-bin');
- $self->{skipBin} = $self->{skipZipBinEXE};
- mlog(0,"info: will detect executables in compressed files") if $self->{detectBinEXE} && $main::AttachmentLog > 1;
- my @files = analyzeZIP($self,$content,$file);
- $main::rmtree->($self->{tmpdir});
- $self->{detectBinEXE} = $detectBinEXE;
- $self->{skipBin} = $self->{skipBinEXE};
- return 0 if ($self->{exetype});
- if ($self->{blockEncryptedZIP} && @{$self->{isEncrypt}} ) {
- $self->{exetype} = "encrypted compressed file '$file'";
- $self->{exetype} .= " - content: @files" if @files && $main::AttachmentLog > 1;
- return 0;
- }
- if (@attZipre) {
- for my $f (@files) {
- if ($self->{attZipRun}->($f)) {
- $self->{exetype} = "compressed file '$file' - contains forbidden file $f";
- return 0;
- }
- }
- }
- if ($self->{typemismatch}) {
- for my $f (@{$self->{fileList}->{$self->{typemismatch}->{file}}}) {
- return 0 if ($self->{attZipRun}->($f));
- }
- delete $self->{typemismatch};
- }
- return 1;
- }
- sub analyzeZIP {
- my ($self,$content,$file) = @_;
- $file =~ s/^.*?([^\/\\]+)$/$1/o;
- $file =~ s/[^a-zA-Z0-9.]+/_/go;
- $file =~ s/_+/_/go;
- my ($ext) = $file =~ /(\.[^.]+)$/io;
- my $tfile = $self->{tmpdir}."/$file";
- $main::open->(my $F, '>', $tfile);
- binmode $F;
- print $F $$content;
- eval{$F->close;};
- if (! $main::eF->($tfile)) {
- mlog(0,"error: unable to create temporary file '$tfile' - $!");
- $self->{exetype} = 'possibly a virus infected file (can\'t write)';
- return;
- }
- my @ftype = detectFileType($self, $tfile);
- @ftype = () if "@ftype" =~ /^$/o;
- mlog(0,"warning: unable to detect the content base file type of '$tfile'") if $main::Attachmentlog > 1 && ! scalar(@ftype);
- if (scalar(@ftype) && $ext && ! grep(/\.(?:$formatsRe)$/io,@ftype) && ! grep(/\Q$ext\E$/i,@ftype) ) {
- $self->{typemismatch} = {};
- $self->{typemismatch}->{text} = " - the file extension: <$ext> does not match the content based detected file type <@ftype>";
- $self->{typemismatch}->{file} = $tfile;
- }
- return get_zip_filelist($self,$tfile);
- }
- sub isAttachment {
- my $part = shift;
- return 0 unless ref($part);
- return &main::isAttachment($part) if defined *{'main::isAttachment'};
- return 1 if $part->header("Content-Disposition") =~ /attachment|inline/io;
- return 1 if $part->header('Content-Type') =~ /(?:application|video|audio|image|chemical|x-conference|model|message)\//io;
- return 1 if $part->header('Content-Type') =~ /text\/(?!html|plain|xml|sgml|css|csv)/io;
- return 0;
- }
- sub Glob {
- &main::Glob(@_);
- }
- sub getDirContent {
- my $flr = shift;
- $flr =~ s/\/$//o;
- no warnings qw(recursion);
- my @files;
- for my $f (Glob($flr.'/*')) {
- if (-d $f || $main::dF->($f)) {
- push @files, getDirContent($f);
- } else {
- push @files, $f;
- }
- }
- return @files;
- }
- sub get_zip_filelist {
- my ($self,$file) = @_;
- no warnings qw(recursion);
- return if skipunzip($self,$file);
- mlog(0,"info: analyzing compressed file $file at zip-level ".($self->{MaxZIPLevel} - $ZIPLevel)) if $main::AttachmentLog > 1;
- if ($ZIPLevel < 1) {
- mlog(0,"info: attachment '$self->{attname}' reached max zip recusion level ASSP_AFCMaxZIPLevel ($self->{MaxZIPLevel})") if $main::AttachmentLog;
- return;
- }
- return if $self->{exetype} || (@{$self->{isEncrypt}} && $self->{blockEncryptedZIP}); # a failed content was already detected
- my $tmpdir;
- $tmpdir = $1 if $file =~ /^(.+[\/\\])[^\/\\]+$/o;
- return unless $tmpdir;
- $tmpdir .= ".$ZIPLevel";
- my @extension = @{$self->{fileList}->{$file}} ? @{$self->{fileList}->{$file}} : ($file);
- mlog(0,"info: looking for filetype in: @extension") if $main::AttachmentLog > 1;
- my $ok = X_decompress($self,\@extension,$tmpdir,$file);
- return if $ok < 0; # an error was detected
- return if $self->{exetype} || (@{$self->{isEncrypt}} && $self->{blockEncryptedZIP}); # a failed content was already detected
- if (! $ok) {
- $self->{exetype} ||= 'possibly virus infected file (can\'t extract archive)';
- return;
- }
- my @files = getDirContent($tmpdir); # we don't trust $ae->files because of unicode mistakes - we read the extracted folder content
- return unless scalar(@files);
- my $ftre = qr/\.(?:$formatsRe)$/i;
- d("ZIPLevel: $ZIPLevel $file");
- --$ZIPLevel;
- for my $f (@files) {
- next unless $f;
- if ($self->{exetype} = isAnEXE($self, $f)) {
- my ($fn) = $f =~ /^.+[\/\\]([^\/\\]+)$/o;
- $self->{exetype} = "compressed file '$self->{attname}' - contains forbidden executable file $fn - type: $self->{exetype}";
- last;
- }
- next if (! grep(/$ftre/,detectFileType($self, $f)));
- my @f = get_zip_filelist($self,$f);
- push(@files,@f) if @f;
- last if @{$self->{isEncrypt}} && $self->{blockEncryptedZIP};
- }
- ++$ZIPLevel;
- return @files;
- }
- sub skipunzip {
- my ($self,$file) = @_;
- return unless $main::eF->( $file );
- return 1 if $file =~ /\.emz$/oi;
- my $nofile = $main::base.'/Plugins/nodecompress.txt';
- my $F;
- local $/= "\n";
- return unless ($main::open->($F,'<',$nofile));
- my $nore;
- while (<$F>) {
- next if /^\s*#/;
- s/\s//go;
- $nore .= '|'.$_;
- }
- $nore =~ s/\|+/\|/go;
- $nore =~ s/^\|//o;
- $nore =~ s/\|$//o;
- return unless $nore;
- $nore = quotemeta($nore);
- eval {$nore = qr/$nore/;};
- if ($@) {
- mlog(0,"error: regular expression error in file $main::base/Plugins/nodecompress.txt - $@");
- return;
- }
- return $file =~ /\.(?:$nore)$/i;
- }
- sub detectFileType {
- my ($self,$file) = @_;
- my $mimetype = eval{my $ft = File::Type->new(); $ft->mime_type($file);};
- $mimetype ||= eval{my $ft = File::Type->new(); $ft->mime_type(&main::d8($file));};
- $mimetype = check_type($file) if !$mimetype || $mimetype eq 'application/octet-stream';
- return () if !$mimetype || $mimetype eq 'application/octet-stream';
- my $t = eval{MIME::Types->new()->type($mimetype);};
- return () unless $t;
- my @ext = map {my $t = '.'.$_;$t;} eval{$t->extensions;};
- if (! @ext && $mimetype eq 'application/x-gzip') {
- push(@ext,'.gz','.gzip','.emz');
- } elsif ($mimetype eq 'application/x-gzip') {
- push(@ext,'.emz');
- }
- if (! @ext && $mimetype eq 'application/encrypted') {
- push(@ext,'.encrypt');
- push(@{$self->{isEncrypt}},$file);
- }
- $self->{fileList}->{$file} = \@ext;
- return @ext;
- }
- # find the things File::Type does not
- sub check_type {
- my $filename = shift;
- my $fh;
- $main::open->($fh , '<', $filename) || $main::open->($fh , '<', &main::d8($filename)) || return undef;
- my $data;
- binmode $fh;
- $fh->read($data, 512);
- $fh->close;
- return undef unless $data;
- return check_type_contents(\$data);
- }
- sub check_type_contents {
- my $data = shift;
- if ($$data =~ m[^Salted__]) {
- return q{application/encrypted};
- }
- if ($$data =~ m[^7z\xBC\xAF\x27\x1C]) {
- return q{application/x-7z-compressed};
- }
- if ($$data =~ m[^\xFFLZMA\x00]) {
- return q{application/x-lzma};
- }
- if ($main::open->(my $F , '<' , "$main::base/Plugins/file_types.txt")) {
- while (<$F>) {
- s/\r|\n//go;
- s/^\s*#.*$//o;
- s/^\s+//o;
- s/\s+$//o;
- next unless $_;
- my ($re, $type) = split(/\s*=>\s*/o,$_,2);
- next unless ($re && $type);
- return $type if eval {$$data =~ /$re/;};
- }
- $F->close;
- }
- return q{application/octet-stream};
- }
- ########################################
- # decompression engine
- ########################################
- sub run_ext_cmd {
- my $obj = shift;
- return unless ref($obj);
- my ($o,$e);
- lock($main::lockOUT) if is_shared($main::lockOUT);
- &main::sigoffTry(__LINE__);
- if ($main::SAVEOUT && $main::SAVEERR) {
- open (STDOUT, '>', \$o);
- open (STDERR, '>', \$e);
- }
- my $ret = eval { $obj->run(@_); };
- if ($main::SAVEOUT && $main::SAVEERR) {
- STDOUT->close;
- STDERR->close;
- }
- &main::sigonTry(__LINE__);
- return $ret;
- }
- sub getExtMatch {
- my ($re,$extension) = @_;
- my $res;
- for (@$extension) {
- $res = $1 if /\.($re)$/i;
- last if $res;
- }
- return $res;
- }
- sub X_decompress {
- my ($self,$extension,$tmpdir,$file) = @_;
- my $type;
- my $ok;
- my $rar = 0;
- my $z7z = 0;
- my $la = 0;
- if ($CanLACheck && ($type = getExtMatch($LibArchRe,$extension))) {
- $la = 1;
- $type = "$type for libarchive";
- }
- if (! $type && $CanZIPCheck) {
- $type =
- grep(/\.(?:tar\.gz|tgz)$/io,@$extension) ? Archive::Extract::TGZ :
- grep(/\.gz(?:ip)?$/io,@$extension) ? Archive::Extract::GZ :
- grep(/\.tar$/io,@$extension) ? Archive::Extract::TAR :
- grep(/\.(zip|jar|ear|war|par)$/io,@$extension) ? Archive::Extract::ZIP :
- grep(/\.(?:tbz2?|tar\.bz2?)$/io,@$extension) ? Archive::Extract::TBZ :
- grep(/\.bz2$/io,@$extension) ? Archive::Extract::BZ2 :
- grep(/\.Z$/io,@$extension) ? Archive::Extract::Z :
- grep(/\.lzma$/io,@$extension) ? Archive::Extract::LZMA :
- grep(/\.(?:txz|tar\.xz)$/io,@$extension) ? Archive::Extract::TXZ :
- grep(/\.xz$/oi,@$extension) ? Archive::Extract::XZ :
- '';
- }
- if (! $type && $CanRARCheck && ($type = getExtMatch('rar',$extension))) {
- $type = 'RAR';
- $rar = 1;
- }
- if (! $type && $Can7zCheck && ($type = getExtMatch($z7zRe,$extension))) {
- $type = "$type for 7z";
- $z7z = 1;
- }
- mlog(0,"info: found compressed file with type: '$type'") if $main::AttachmentLog > 1 && $type;
- if (! $type) {
- mlog(0,"info: $file seems not to be a compressed file") if $main::AttachmentLog > 1;
- return -1;
- }
- if ($CanZIPCheck && grep(/\.zip$/io,@$extension)) {
- if (my $z = eval{Archive::Zip->new($file)}) {
- for my $m( eval{$z->members} ) {
- if (eval{$m->isEncrypted}) {
- my $f = $file;
- $f =~ s/^.*?([^\/\\]+)$/$1/o;
- push(@{$self->{isEncrypt}},$f);
- last;
- }
- }
- }
- }
- return 0 if (@{$self->{isEncrypt}} && $self->{blockEncryptedZIP}); # a failed content was already detected
- d("file: $file");
- my $loop = 1;
- while ($loop) {
- my $ae;
- $loop = undef; # normaly we will only need one loop
- if ($la) {
- $ae = eval{archive_read_new();};
- if (! $ae) {
- mlog(0,"warning: possibly virus infected file (can't open archive) '$file' - $! - $@");
- $self->{exetype} = 'possibly virus infected file (can\'t open archive)';
- return -1;
- }
- mlog(0,"info: using libarchive $LibArchVer to extract '$file'") if $main::AttachmentLog > 1;
- } elsif ($rar) {
- $ae = eval{Archive::Rar::Passthrough->new( rar => $CanRARCheck);};
- mlog(0,"info: using rar to extract '$file'") if $main::AttachmentLog > 1 && ref($ae);
- } elsif ($z7z) {
- $ae = eval{Archive::Rar::Passthrough->new( rar => $Can7zCheck);};
- mlog(0,"info: using 7z to extract '$file'") if $main::AttachmentLog > 1 && ref($ae);
- } else {
- $ae = eval{Archive::Extract->new( archive => $file , type => $type);};
- mlog(0,"info: using Archive::Extract to extract '$file'") if $main::AttachmentLog > 1 && ref($ae);
- }
- if (! $la && ! ref($ae)) {
- mlog(0,"warning: possibly virus infected file (can't open archive) '$file' - $! - $@");
- $self->{exetype} = 'possibly virus infected file (can\'t open archive)';
- return -1;
- }
- if ($la) {
- $ok = eval{getarc($self,$ae,$tmpdir,$file);};
- my $error = delete $self->{$ae};
- if (defined $ok) {
- if ($ok == ARCHIVE_OK) {
- $ok = 1;
- } elsif ($ok < ARCHIVE_WARN) {
- mlog(0,"warning: fatal - libarchive extract '$file' - <$ok> - $error");
- if ($ok == -30 && $Can7zCheck && $error =~ /Unrecognized archive format/oi) {
- $ok = undef; # force a retry with 7z for this compression format
- $ae = undef;
- $la = undef;
- $z7z = 1;
- $loop = 1;
- } else {
- my $f = $file;
- $f =~ s/^.*?([^\/\\]+)$/$1/o;
- push(@{$self->{isEncrypt}},$f);
- $ok = $self->{blockEncryptedZIP} ? 0 : -1;
- }
- } else {
- mlog(0,"warning: warn - libarchive extract '$file' - <$ok> - $error");
- $ok = $self->{blockEncryptedZIP} ? 0 : -1;
- }
- } else {
- mlog(0,"warning: can't extract '$file' using libarchive - $@");
- return -1;
- }
- } elsif ($rar) {
- $ok = run_ext_cmd($ae,
- 'command' => 'x',
- 'archive' => $file,
- 'switches' => ['-y', '-o+', '-ol' , '-p-', '--'],
- 'path' => $tmpdir
- );
- if (defined $ok) {
- $ok =~ /(\d+)$/o && ($ok = $1);
- my $err = $ok;
- $ok = $ok ? 0 : 1; # ->run returns zero on success or an error number
- if ($err != 3 && $err != 10) { # 3 = CRC error or encryption in member - 10 in file
- mlog(0,"warning: possibly virus infected file (can't extract archive in rar) '$file' - $! - ".$ae->explain_error($err)) unless $ok;
- } else {
- my $stderr = $ae->{stderr};
- if ($stderr =~ /encrypted file [^\r\n]+?\. Corrupt file or wrong password\./oi) {
- my $f = $file;
- $f =~ s/^.*?([^\/\\]+)$/$1/o;
- push(@{$self->{isEncrypt}},$f);
- } elsif ($stderr =~ /Cannot open/io) {
- mlog(0,"warning: can't open '$file' using rar - $stderr");
- return -1;
- }
- }
- } else {
- mlog(0,"warning: can't extract '$file' using rar - $@");
- return -1;
- }
- } elsif ($z7z) {
- $ok = run_ext_cmd($ae,
- 'command' => 'x',
- 'archive' => $file,
- 'switches' => ['-y', "-o$tmpdir", '-bd', '-snh', '-snl', '-p', '-aoa' , '--']
- );
- if (defined $ok) {
- $ok =~ /(\d+)$/o && ($ok = $1);
- my $err = $ok;
- $ok = $ok ? 0 : 1; # ->run returns zero on success or an error number
- if (! $ok) {
- if ($err != 2) { # 2 = CRC error or encryption in member or file
- mlog(0,"warning: possibly virus infected file (can't extract archive in 7z) '$file' - $! - ".$ae->{stderr}) unless $ok;
- } else {
- my $stderr = $ae->{stderr};
- my @ret = $stderr =~ /ERROR: Data Error in encrypted file. Wrong password\? :\s*([^\r\n]+)/goi;
- if ($stderr =~ /ERROR: Data Error in encrypted file. Wrong password\? :\s*[^\r\n]+/oi) {
- my $f = $file;
- $f =~ s/^.*?([^\/\\]+)$/$1/o;
- push(@{$self->{isEncrypt}},$f);
- $ok = $self->{blockEncryptedZIP} ? 0 : -1;
- } elsif ($stderr =~ /Cannot open/io) {
- mlog(0,"warning: can't open '$file' in 7z - $stderr");
- return -1;
- }
- }
- }
- } else {
- mlog(0,"warning: can't extract '$file' using 7z - $@");
- return -1;
- }
- } else {
- my ($o,$e);
- lock($main::lockOUT) if is_shared($main::lockOUT);
- &main::sigoffTry(__LINE__);
- if ($main::SAVEOUT && $main::SAVEERR) { # Archive::Extract->extract may use IPC::RUN
- open (STDOUT, '>', \$o);
- open (STDERR, '>', \$e);
- }
- $ok = eval{$ae->extract( to => $tmpdir );};
- $ok ||= $self->{blockEncryptedZIP} ? 0 : -1;
- if ($main::SAVEOUT && $main::SAVEERR) {
- STDOUT->close;
- STDERR->close;
- }
- &main::sigonTry(__LINE__);
- mlog(0,"warning: possibly virus infected file (can't extract archive) '$file' - $! - ".$ae->error) unless $ok;
- mlog(0,"warning: Archive::Extract detected an error for '$file' - ".$ae->error) if $ae->error && $ok && $ae->error !~ /not chdir back to start/oi;
- }
- }
- return $ok;
- }
- sub getarc {
- my ($self,$ae,$tmpdir,$filename) = @_;
- my $ok;
- return $ok unless $CanLACheck;
- my $r;
- my $path = $tmpdir.'/';
- my $flags = ARCHIVE_EXTRACT_TIME
- # | ARCHIVE_EXTRACT_PERM
- # | ARCHIVE_EXTRACT_ACL
- # | ARCHIVE_EXTRACT_FFLAGS
- # | ARCHIVE_EXTRACT_NO_OVERWRITE
- # | ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS
- | ARCHIVE_EXTRACT_SECURE_NODOTDOT
- | ARCHIVE_EXTRACT_SECURE_SYMLINKS
- ;
- archive_read_support_filter_all($ae);
- archive_read_support_format_all($ae);
- my $ext = archive_write_disk_new();
- archive_write_disk_set_options($ext, $flags);
- archive_write_disk_set_standard_lookup($ext);
- $r = archive_read_open_filename($ae, $filename, 10240);
- if($r != ARCHIVE_OK)
- {
- mlog(0,"warning: possibly virus infected file (can't open archive) '$filename' - ". archive_error_string($ae));
- $self->{$ae} = archive_error_string($ae);
- archive_read_close($ae);
- archive_read_free($ae);
- archive_write_close($ext);
- archive_write_free($ext);
- return $r;
- }
- while(1)
- {
- $r = archive_read_next_header($ae, my $entry);
- if($r == ARCHIVE_EOF)
- {
- $ok = ARCHIVE_OK;
- last;
- }
- if($r < ARCHIVE_WARN)
- {
- mlog(0,"warning: possibly virus infected file (fatal error in archive header) '$filename' - <$r> - ". archive_error_string($ae));
- $ok = $r;
- last;
- }
- if($r != ARCHIVE_OK)
- {
- mlog(0,"warning: possibly virus infected file (can't read entry in archive header) '$filename' - <$r> - ". archive_error_string($ae));
- $ok = $r;
- last;
- }
- my $entryname = archive_entry_pathname($entry);
- $entryname =~ s/[^\x20-\x7F]/0x30 + int(rand(10))/goe;
- archive_entry_set_pathname($entry, $path.$entryname);
- $r = archive_write_header($ext, $entry);
- if($r != ARCHIVE_OK)
- {
- mlog(0,"warning: possibly virus infected file (can't set extraction path for entry '$entryname' to '$path$entryname' in archive) '$filename' - <$r> - ". archive_error_string($ae));
- $ok = $r;
- last;
- }
- elsif(archive_entry_size($entry) > 0)
- {
- $r = copy_data($ae, $ext);
- if (defined($r)) {
- mlog(0,"warning: possibly virus infected file (can't extract archive data in '$entryname') '$filename' - <$r> - ". archive_error_string($ae));
- $ok = $r;
- last;
- }
- }
- }
- $self->{$ae} = archive_error_string($ae);
- archive_read_close($ae);
- archive_read_free($ae);
- archive_write_close($ext);
- archive_write_free($ext);
- return $ok;
- }
- sub copy_data {
- my($ar, $aw) = @_;
- my $r;
- while(1)
- {
- $r = archive_read_data_block($ar, my $buff, my $offset);
- if($r == ARCHIVE_EOF)
- {
- last;
- }
- if($r != ARCHIVE_OK)
- {
- return $r;
- }
- $r = archive_write_data_block($aw, $buff, $offset);
- if($r != ARCHIVE_OK)
- {
- return $r;
- }
- }
- return;
- }
- 1;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
