From b79129d61d36f5b95e32732c0a2e68c1533f2af5 Mon Sep 17 00:00:00 2001
From: Steve Freegard
Date: Mon, 19 Mar 2018 11:58:45 +0000
Subject: [PATCH] Improve URI_HIDDEN_PATH based on corpus testing
---
 rules/regexp/compromised_hosts.lua | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/rules/regexp/compromised_hosts.lua b/rules/regexp/compromised_hosts.lua
index f6427a7cd..37fef0dd7 100644
--- a/rules/regexp/compromised_hosts.lua
+++ b/rules/regexp/compromised_hosts.lua
@@ -138,12 +138,24 @@ reconf['HIDDEN_SOURCE_OBJ'] = {
 group = "compromised_hosts"
 }

-reconf['URI_HIDDEN_PATH'] = {
- re = "/\\/\\..+/U",
- description = "URL contains a UNIX hidden file/directory",
+rspamd_config.URI_HIDDEN_PATH = {
+ callback = function (task)
+ local urls = task:get_urls(false)
+ if (urls) then
+ for _, url in ipairs(urls) do
+ if (not (url:is_subject() and url:is_html_displayed())) then
+ local path = url:get_path()
+ if (hidden_uri_re:match(path)) then
+ -- TODO: need url:is_schemeless() to improve this
+ return true, 1.0, url:get_text()
+ end
+ end
+ end
+ end
+ end,
+ description = 'Message contains URI with a hidden path',
 score = 1.0,
- one_shot = true,
- group = "compromised_hosts"
+ group = 'compromised_hosts',
 }

 reconf['MID_RHS_WWW'] = {
--
2.39.5
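Review bot: `hidden_uri_re` is called in the new callback (`hidden_uri_re:match(path)`) but nothing in this patch defines it; the diffstat's 17 insertions and 5 deletions are all accounted for by this one hunk. Unless an earlier part of compromised_hosts.lua already declares it, the callback would fail with an index-on-nil error on the first URL that passes the filter, and the compromised-host signal would be lost. Declare it once as a file-level local next to the rule, e.g. `local hidden_uri_re = rspamd_regexp.create_cached(PATTERN)`, where PATTERN is a placeholder for the corpus-tested expression and `rspamd_regexp` must be in scope, and add a comment saying what it matches, since the old `re` string that documented the rule is removed. Separately, `not (url:is_subject() and url:is_html_displayed())` skips only a URL that is both at once, which probably excludes almost nothing; if the intent is to ignore subject URLs and display-text URLs, it should read `if not (url:is_subject() or url:is_html_displayed()) then`.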