author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2021-01-11 12:52:28 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2021-01-11 12:52:28 +0000 |
commit | 11084440ff7469df2ca63c7b4f831bba992f50e7 (patch) | |
tree | ddf5a2e0809a0017bde3dc6154f39f70835f7dd9 /lualib/lua_content | |
parent | 1a30d7d64a57731d86271ea6e7b7fcf8bc656cae (diff) | |
[Minor] Pdf: Do not fire PDF_SUSPICIOUS on legit escapes
Diffstat (limited to 'lualib/lua_content')
-rw-r--r-- | lualib/lua_content/pdf.lua | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/lualib/lua_content/pdf.lua b/lualib/lua_content/pdf.lua
index 4e199b8b6..a5e23d11f 100644
--- a/lualib/lua_content/pdf.lua
+++ b/lualib/lua_content/pdf.lua
@@ -38,7 +38,7 @@ local pdf_patterns = {
 patterns = {
 [[netsh\s]],
 [[echo\s]],
- [[\/[A-Za-z]*#\d\d(?:[#A-Za-z<>/\s])]], -- Hex encode obfuscation
+ [=[\/[A-Za-z]*#\d\d[#A-Za-z<>/\s]]=], -- Hex encode obfuscation
 }
 },
 start_object = {
@@ -1326,16 +1326,33 @@ processors.suspicious = function(input, task, positions, pdf_object, pdf_output)
 suspicious_factor = suspicious_factor + 0.5
 elseif match[2] == 2 then
 nexec = nexec + 1
- else
- nencoded = nencoded + 1
+ elseif match[2] == 3 then
+ local enc_data = input:sub(match[1] - 2, match[1] - 1)
+ local legal_escape = false
+
+ if enc_data then
+ enc_data = enc_data:strtoul()
- if last_encoded then
- if match[1] - last_encoded < 8 then
- -- likely consecutive encoded chars, increase factor
- close_encoded = close_encoded + 1
+ if enc_data then
+ -- Legit encode cases are non printable characters (e.g. spaces)
+ if enc_data < 0x21 or enc_data >= 0x7f then
+ legal_escape = true
+ end
 end
 end
- last_encoded = match[1]
+
+ if not legal_escape then
+ nencoded = nencoded + 1
+
+ if last_encoded then
+ if match[1] - last_encoded < 8 then
+ -- likely consecutive encoded chars, increase factor
+ close_encoded = close_encoded + 1
+ end
+ end
+ last_encoded = match[1]
+
+ end
 end
 end |
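Review bot: The position of the hex-escape pattern inside `patterns` is now load-bearing, and nothing at the definition says so: the hunk at line 1326 replaces the catch-all `else` with `elseif match[2] == 3`, which appears to select this entry by its index in the list. Inserting or reordering a pattern above it would silently stop `nencoded` from being counted, so a comment on the entry such as `-- index 3: handled as match[2] == 3 in processors.suspicious` would help. The switch to `[=[ ... ]=]` also deserves a word, since the pattern now ends in `]` and a level-0 long bracket would close one character early. The `pdf_patterns` table starts and ends outside the hunk.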
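Review bot: The legitimacy test `enc_data < 0x21 or enc_data >= 0x7f` in the hunk at line 1326 compares character codes, but the two digits taken by `input:sub(match[1] - 2, match[1] - 1)` come from a PDF name escape, which is written in hexadecimal, and the radix used by `strtoul()` is not visible here. If it parses base 10, the thresholds classify the wrong escapes as legitimate and the PDF_SUSPICIOUS score drifts in both directions; parsing explicitly, for example `local code = tonumber(tostring(enc_data), 16)`, would make the intent unambiguous. The slice also assumes a particular relation between `match[1]` and the end of the match, which is worth a comment because an offset of one changes which characters are read. `processors.suspicious` starts and ends outside the hunk.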