Posted to commits@spamassassin.apache.org by gb...@apache.org on 2019/12/04 07:29:20 UTC
svn commit: r1870804 - in /spamassassin:
branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
Author: gbechis
Date: Wed Dec 4 07:29:19 2019
New Revision: 1870804
URL: http://svn.apache.org/viewvc?rev=1870804&view=rev
Log:
add more rtf markers to catch dangerous ole objects
in rtf files
Modified:
spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
Modified: spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
URL: http://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm?rev=1870804&r1=1870803&r2=1870804&view=diff
==============================================================================
--- spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm (original)
+++ spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm Wed Dec 4 07:29:19 2019
@@ -89,10 +89,12 @@ our $VERSION = '0.52';
# https://www.openoffice.org/sc/compdocfileformat.pdf
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
-# embedded object in rtf files (https://www.biblioscape.com/rtf15_spec.htm)
my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
+# embedded object in rtf files (https://www.biblioscape.com/rtf15_spec.htm)
my $marker3 = "\x5c\x6f\x62\x6a\x65\x6d\x62";
+my $marker4 = "\x5c\x6f\x62\x6a\x64\x61\x74";
+my $marker5 = "\x5c\x20\x6f\x62\x6a\x64\x61\x74";
# this code burps an ugly message if it fails, but that's redirected elsewhere
# AZ_OK is a constant exported by Archive::Zip
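Review bot: `$marker3` to `$marker5` are written as hex escapes with nothing saying which RTF control words they stand for, so anyone auditing what the plugin matches has to decode them by hand. A trailing comment on each line would fix that, e.g. `# "\objemb"`, `# "\objdat" (prefix of \objdata)` and `# "\ objdat" (same, with a space after the backslash)`. Because `$marker5` differs from `$marker4` by a single space byte, the comment should also record where that variant was seen, so that later additions of the same kind can be judged against it. The same applies to the identical hunk for trunk further down.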
@@ -859,12 +861,22 @@ sub _check_markers {
my ($data) = @_;
if (index($data, $marker1) == 0 && index($data, $marker2) > -1) {
- dbg('Marker found');
+ dbg('Marker 1 & 2 found');
return 1;
}
if (index($data, $marker3) > -1) {
- dbg('Marker found');
+ dbg('Marker 3 found');
+ return 1;
+ }
+
+ if (index($data, $marker4) > -1) {
+ dbg('Marker 4 found');
+ return 1;
+ }
+
+ if (index($data, $marker5) > -1) {
+ dbg('Marker 5 found');
return 1;
}
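Review bot: The new tests for `$marker4` and `$marker5`, like the existing one for `$marker3`, match with `index(...) > -1` at any offset, whereas the OLE test anchors `$marker1` at offset 0. If `_check_markers` can be reached with data that is not an RTF part, any content that merely contains the text `\objdat` would return 1. Whether the caller already restricts by type is not visible here, since `_check_markers` continues outside the hunk. Either confirm that and state it above the tests, e.g. `# caller passes RTF parts only: markers 3-5 match at any offset`, or gate the three tests on the type check the caller uses. The debug lines would also be easier to act on if they named the control word, e.g. `dbg('RTF marker \objdat found');`. The same applies to the trunk hunk.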
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm?rev=1870804&r1=1870803&r2=1870804&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm Wed Dec 4 07:29:19 2019
@@ -89,10 +89,12 @@ our $VERSION = '0.52';
# https://www.openoffice.org/sc/compdocfileformat.pdf
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
-# embedded object in rtf files (https://www.biblioscape.com/rtf15_spec.htm)
my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
+# embedded object in rtf files (https://www.biblioscape.com/rtf15_spec.htm)
my $marker3 = "\x5c\x6f\x62\x6a\x65\x6d\x62";
+my $marker4 = "\x5c\x6f\x62\x6a\x64\x61\x74";
+my $marker5 = "\x5c\x20\x6f\x62\x6a\x64\x61\x74";
# this code burps an ugly message if it fails, but that's redirected elsewhere
# AZ_OK is a constant exported by Archive::Zip
@@ -859,12 +861,22 @@ sub _check_markers {
my ($data) = @_;
if (index($data, $marker1) == 0 && index($data, $marker2) > -1) {
- dbg('Marker found');
+ dbg('Marker 1 & 2 found');
return 1;
}
if (index($data, $marker3) > -1) {
- dbg('Marker found');
+ dbg('Marker 3 found');
+ return 1;
+ }
+
+ if (index($data, $marker4) > -1) {
+ dbg('Marker 4 found');
+ return 1;
+ }
+
+ if (index($data, $marker5) > -1) {
+ dbg('Marker 5 found');
return 1;
}