Posted to commits@spamassassin.apache.org by gb...@apache.org on 2019/07/05 17:01:00 UTC

svn commit: r1862623 - /spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm

Author: gbechis
Date: Fri Jul  5 17:01:00 2019
New Revision: 1862623

URL: http://svn.apache.org/viewvc?rev=1862623&view=rev
Log:
detect embedded ole object inside doc/rtf files

Modified:
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm?rev=1862623&r1=1862622&r2=1862623&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm Fri Jul  5 17:01:00 2019
@@ -84,8 +84,10 @@ our $VERSION = '0.52';
 
 # https://www.openoffice.org/sc/compdocfileformat.pdf
 # http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
+# embedded object in rtf files (https://www.biblioscape.com/rtf15_spec.htm)
 my $marker1 = "\xd0\xcf\x11\xe0";
 my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
+my $marker3 = "\x5c\x6f\x62\x6a\x65\x6d\x62";
 
 # constructor: register the eval rule
 sub new {
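Review bot: `$marker3` is the ASCII control word `\objemb` written as hex escapes, and nothing beside the assignment says so; the new reference comment sits above `$marker1`, where it reads as if it described the OLE2 signature. Placing the comment directly above the constant would fix that, e.g. `# RTF control word "\objemb" (embedded OLE object), see the RTF 1.5 spec` on the line before `my $marker3`. Unlike the two binary markers this is a short printable string, so the same comment could note that it can appear in any text handed to the scanner.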
@@ -832,6 +834,11 @@ sub _check_markers {
     dbg('Marker found');
     return 1;
   }
+
+  if (index($data, $marker3) > -1) {
+    dbg('Marker found');
+    return 1;
+  }
 
   if (index($data, 'w:macrosPresent="yes"') > -1) {
     dbg('XML macros marker found');
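Review bot: The new `$marker3` branch logs the same `dbg('Marker found')` as the check above it, so a debug trace cannot tell an RTF embedded-object hit from an OLE marker hit; `dbg('RTF embedded object marker found');` would make the reason visible. The match is a plain case-sensitive `index()` for `\objemb` on whatever `$data` holds, and no check that the data is RTF is visible in this hunk, so it may also fire on unrelated content containing that string, which is worth confirming against the callers. It also covers only this one control word, so other object types in the RTF spec (for example `\objlink` or `\objocx`) would presumably not be caught. `_check_markers` starts before the hunk and continues after it.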