~ubuntu-branches/ubuntu/feisty/clamav/feisty

*Warning*: if flag *--phish-scan-alldomains* (or equivalent clamd/clamav-milter config option) isn't given, then phishing scanning is done only for domains listed in daily.pdb.

216

If your daily.pdb is empty, then by default NO PHISHING is DONE, UNLESS you give the *--phish-scan-alldomains*

217

This is just a side-effect, daily.pdb is empty, because it isn't yet officialy in daily.cvd.

218

219

phishingCheck() determines if @displayedLink is a legit representation of @realLink.

220

221

Steps:

222

1. if _realLink_ == _displayLink_ => CLEAN

223

1. if _realLink_ *==* _displayLink_ => *CLEAN*

224

225

2. url cleanup (normalization)

226

- whitespace elimination

strip all spaces, and leading and trailing garbage.

When matching we have to keep in account whether we stripped any spaces or not.

See str_fixup_spaces.

227

- html entity conversion

- handle hex-encoded characters

228

- convert hostname to lowercase

229

- normalize \ to /

230

If there is a dot after the last space, then all spaces are replaced with dots,

231

otherwise spaces are stripped.

232

So both: 'Go to yahoo.com', and 'Go to e b a y . c o m', and 'Go to ebay. com' will work.

233

234

235

3. Matched the urls against a _whitelist_:

236

a _realLink_, _displayedLink_ pair is matched against the _whitelist_.

237

the _whitelist_ is a list of pairs of realLink, displayedLink. Any of the elements of those pairs can be a _regex_.

238

if url *is found* in _whitelist_ --> *CLEAN*

239

4. URL is looked up in the _domainlist_

240

4. URL is looked up in the _domainlist_, unless disabled via flags (_--phish-scan-alldomains_).

241

The _domainlist_ is a list of pairs of realLink, displayedLink (any of which can be regex).

242

This is the list of domains we do phishing detection for (such as ebay,paypal,chase,....)

243

We can't decide to stop processing here or not, so we just set a flag.

115

263

116

264

10. Hostname of real URL is extracted.

117

265

266

11. Skip cid: displayedLink urls (images embedded in mails).

267

118

268

12. Numeric IP detection.

119

269

If url is a numeric IP, then -> phish.

120

270

Maybe we should do DNS lookup?

271

Maybe we should disable numericIP checks for --phish-scan-alldomains?

121

272

122

273

13. isURL(displayedLink).

123

274

Checks if displayedLink is really a url.

136

287

/* Constant strings and tables */

137

288

static char empty_string[]="";

138

289

290

#define ANY_CLOAK "(((0[xX])?[a-fA-F0-9])+\\.?)+"

291

#define CLOAK_REGEX_HEXURL "("ANY_CLOAK")?0[xX][a-fA-F0-9]+\\.?"ANY_CLOAK

292

#define OCTAL_CLOAK "("ANY_CLOAK")?000[0-9]+\\.?"ANY_CLOAK

293

#define DWORD_CLOAK "[0-9]{8,}"

294

295

static const char cloaked_host_regex[] = "^(("CLOAK_REGEX_HEXURL")|("OCTAL_CLOAK")|("DWORD_CLOAK"))$";

296

297

298

static const char tld_regex[] = "^"iana_tld"$";

299

static const char cctld_regex[] = "^"iana_cctld"$";

139

300

static const char dotnet[] = ".net";

140

301

static const char adonet[] = "ado.net";

141

302

static const char aspnet[] = "asp.net";

142

/* ; is replaced by ' ' so omit it here*/

143

static const char lt[]="&lt";

144

static const char gt[]="&gt";

303

static const char lt[]="<";

304

static const char gt[]=">";

305

static const char cid[] = "cid:";

145

306

static const char src_text[] = "src";

146

307

static const char href_text[] = "href";

147

static const char mailto[] = "mailto:";

148

static const char mailto_proto[] = "mailto://";

149

static const char https[]="https:";

150

static const char http[]="http:";

151

static const char ftp[] = "ftp:";

152

153

308

static const size_t href_text_len = sizeof(href_text);

154

309

static const size_t src_text_len = sizeof(src_text);

310

static const size_t cid_len = sizeof(cid)-1;

155

311

static const size_t dotnet_len = sizeof(dotnet)-1;

156

312

static const size_t adonet_len = sizeof(adonet)-1;

157

313

static const size_t aspnet_len = sizeof(aspnet)-1;

158

314

static const size_t lt_len = sizeof(lt)-1;

159

315

static const size_t gt_len = sizeof(gt)-1;

160

static const size_t mailto_len = sizeof(mailto)-1;

161

static const size_t mailto_proto_len = sizeof(mailto_proto)-1;

162

static const size_t https_len = sizeof(https)-1;

163

static const size_t http_len = sizeof(http)-1;

164

static const size_t ftp_len = sizeof(ftp)-1;

165

316

317

/*static const char* url_regex="^ *([[:alnum:]%_-]+:(//)?)?([[:alnum:]%_-]@)*[[:alnum:]%_-]+\\.([[:alnum:]%_-]+\\.)*[[:alnum:]_%-]+(/[[:alnum:];:@$=?&/.,%_-]+) *$";*/

166

318

/* for urls, including mailto: urls, and (broken) http:www... style urls*/

167

319

/* refer to: http://www.w3.org/Addressing/URL/5_URI_BNF.html

168

320

* Modifications: don't allow empty domains/subdomains, such as www..com <- that is no url

169

321

* So the 'safe' char class has been split up

170

322

* */

171

323

/* character classes */

324

#define URI_alpha "a-zA-Z"

172

325

#define URI_digit "0-9"

326

#define URI_safe_nodot "-$_@&"

327

#define URI_safe "-$_@.&"

328

#define URI_extra "!*\"'(),"

329

#define URI_reserved "=;/#?: "

330

#define URI_national "{}|[]\\^~"

331

#define URI_punctuation "<>"

332

333

#define URI_hex "[0-9a-fA-f]"

334

#define URI_escape "%"URI_hex"{2}"

335

#define URI_xalpha "([" URI_safe URI_alpha URI_digit URI_extra "]|"URI_escape")" /* URI_safe has to be first, because it contains - */

336

#define URI_xalpha_nodot "([" URI_safe_nodot URI_alpha URI_digit URI_extra "]|"URI_escape")"

337

338

#define URI_xalphas URI_xalpha"+"

339

#define URI_xalphas_nodot URI_xalpha_nodot"*"

340

341

#define URI_ialpha "["URI_alpha"]"URI_xalphas_nodot""

342

#define URI_xpalpha URI_xalpha"|\\+"

343

#define URI_xpalpha_nodot URI_xalpha_nodot"|\\+"

344

#define URI_xpalphas "("URI_xpalpha")+"

345

#define URI_xpalphas_nodot "("URI_xpalpha_nodot")+"

346

347

#define URI_scheme URI_ialpha

348

#define URI_tld iana_tld

349

#define URI_path1 URI_xpalphas_nodot"\\.("URI_xpalphas_nodot"\\.)*"

350

#define URI_path2 URI_tld

351

#define URI_path3 "(/("URI_xpalphas"/?)*)?"

352

353

#define URI_search "("URI_xalphas"\\+)*"

354

#define URI_fragmentid URI_xalphas

355

173

356

#define URI_IP_digits "["URI_digit"]{1,3}"

174

#define URI_path_start "[/?:]?"

175

#define URI_numeric_path URI_IP_digits"(\\."URI_IP_digits"){3}"URI_path_start

176

#define URI_numeric_URI "(http|https|ftp:(//)?)?"URI_numeric_path

177

#define URI_numeric_fragmentaddress URI_numeric_URI

178

357

#define URI_numeric_path URI_IP_digits"(\\."URI_IP_digits"){3}(:"URI_xpalphas_nodot")?(/("URI_xpalphas"/?)*)?"

358

#define URI_numeric_URI "("URI_scheme":(//)?)?"URI_numeric_path"(\\?" URI_search")?"

359

#define URI_numeric_fragmentaddress URI_numeric_URI"(#"URI_fragmentid")?"

360

361

#define URI_URI1 "("URI_scheme":(//)?)?"URI_path1

362

#define URI_URI2 URI_path2

363

#define URI_URI3 URI_path3"(\\?" URI_search")?"

364

365

#define URI_fragmentaddress1 URI_URI1

366

#define URI_fragmentaddress2 URI_URI2

367

#define URI_fragmentaddress3 URI_URI3"(#"URI_fragmentid")?"

368

369

#define URI_CHECK_PROTOCOLS "(http|https|ftp)://.+"

179

370

180

371

/*Warning: take care when modifying this regex, it has been tweaked, and tuned, just don't break it please.

181

372

* there is fragmentaddress1, and 2 to work around the ISO limitation of 509 bytes max length for string constants*/

183

374

184

375

/* generated by contrib/phishing/generate_tables.c */

185

376

static const short int hextable[256] = {

186