summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlexander Moisseev <moiseev@mezonplus.ru>2017-10-02 14:44:31 +0300
committerAlexander Moisseev <moiseev@mezonplus.ru>2017-10-02 19:29:10 +0300
commitd3379678a72189dce8a8de5e62d7ebbfb9fc824b (patch)
tree808dba886904f303a9285ee02d940b090d013fea
parenta2342f217d549f06ceeabcf260ead8e9f88d6f7e (diff)
downloadrspamd-d3379678a72189dce8a8de5e62d7ebbfb9fc824b.tar.gz
rspamd-d3379678a72189dce8a8de5e62d7ebbfb9fc824b.zip
[Feature] Catch next-to-last bad extension
e.g. .scr.xz This technique is commonly used by spammers as xz and bzip2 strip out extension on decompression. Also it catches xz and bzip2 compressed files with faked extensions like .scr.gz .scr.lzh .scr.uue.
-rw-r--r--src/plugins/lua/mime_types.lua41
1 files changed, 26 insertions, 15 deletions
diff --git a/src/plugins/lua/mime_types.lua b/src/plugins/lua/mime_types.lua
index b90bcad01..ad5f569f6 100644
--- a/src/plugins/lua/mime_types.lua
+++ b/src/plugins/lua/mime_types.lua
@@ -92,39 +92,50 @@ local function check_mime_type(task)
local function gen_extension(fname)
local parts = rspamd_str_split(fname, '.')
- local ext
- if #parts > 1 then
- ext = string.lower(parts[#parts])
- else
- ext = nil
+ local ext = {}
+ for n = 1, 2 do
+ ext[n] = #parts > n and string.lower(parts[#parts + 1 - n]) or nil
end
- return ext,parts
+ return ext[1],ext[2],parts
end
+
local function check_filename(fname, ct, is_archive)
- local ext,parts = gen_extension(fname)
+ local ext,ext2,parts = gen_extension(fname)
- local function check_extension(badness_mult)
- if badness_mult then
- if #parts > 2
+ local function check_extension(badness_mult, badness_mult2)
+ if #parts > 2 then
+ if ( badness_mult
-- We need to ensure that it is an extension, so we check for its length
and #parts[#parts - 1] <= 4
-- Check if next-to-last extension is not a number
- and not string.match(parts[#parts - 1], '^%d+$') then
+ and not string.match(ext2, '^%d+$') )
+ -- Check length of the last extension if next-to-last extension is bad
+ or ( badness_mult2 and #parts[#parts] <= 4 ) then
+
+ -- Use the greatest badness multiplier
+ if not badness_mult or badness_mult2 and badness_mult < badness_mult2 then
+ badness_mult = badness_mult2
+ end
+
-- Double extension + bad extension == VERY bad
task:insert_result(settings['symbol_double_extension'], badness_mult, {
- '.' .. parts[#parts - 1] .. '.' .. ext
+ '.' .. ext2 .. '.' .. ext
})
- else
+ end
+ else
+ if badness_mult then
-- Just bad extension
task:insert_result(settings['symbol_bad_extension'], badness_mult, ext)
end
end
-
end
if ext then
- check_extension(settings['bad_extensions'][ext:lower()])
+ check_extension(
+ settings['bad_extensions'][ext:lower()],
+ ext2 and settings['bad_extensions'][ext2:lower()] or nil
+ )
-- Also check for archive bad extension
if is_archive then