Posted to commits@spamassassin.apache.org by gb...@apache.org on 2020/01/17 23:30:50 UTC

svn commit: r1872936 - in /spamassassin: branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm

Author: gbechis
Date: Fri Jan 17 23:30:50 2020
New Revision: 1872936

URL: http://svn.apache.org/viewvc?rev=1872936&view=rev
Log:
catch some more Microsoft Office encrypted documents

Modified:
    spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
    spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm

Modified: spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
URL: http://svn.apache.org/viewvc/spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm?rev=1872936&r1=1872935&r2=1872936&view=diff
==============================================================================
--- spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm (original)
+++ spamassassin/branches/3.4/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm Fri Jan 17 23:30:50 2020
@@ -95,6 +95,8 @@ my $marker2 = "\x00\x41\x74\x74\x72\x69\
 my $marker3 = "\x5c\x6f\x62\x6a\x65\x6d\x62";
 my $marker4 = "\x5c\x6f\x62\x6a\x64\x61\x74";
 my $marker5 = "\x5c\x20\x6f\x62\x6a\x64\x61\x74";
+# Excel .xlsx encrypted package, thanks to Dan Bagwell for the sample
+my $encrypted_marker = "\x45\x00\x6e\x00\x63\x00\x72\x00\x79\x00\x70\x00\x74\x00\x65\x00\x64\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x61\x00\x67\x00\x65";
 
 # this code burps an ugly message if it fails, but that's redirected elsewhere
 # AZ_OK is a constant exported by Archive::Zip
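Review bot: The comment above `$encrypted_marker` does not say what the escaped bytes spell, so anyone auditing the signature has to decode the hex by hand. The bytes are `EncryptedPackage` in UTF-16LE (each ASCII byte followed by `\x00`, with no trailing NUL). That appears to be the stream name of an encrypted OOXML container in general rather than something specific to Excel, and the commit log itself says "Microsoft Office". I would reword the comment to `# "EncryptedPackage" in UTF-16LE: stream name of an encrypted OOXML (Office) container; sample from Dan Bagwell`. The same two lines are added in the trunk hunk at -95,6 +95,8.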
@@ -838,6 +840,9 @@ sub _is_encrypted_doc {
     if (index($tdata, "E n c r y p t e d P a c k a g e") > -1) {
       return 1;
     }
+    if (index($tdata, $encrypted_marker) > -1) {
+      return 1;
+    }
   }
 }
 
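Review bot: The added `index($tdata, $encrypted_marker) > -1` test is a raw substring search, so any part whose bytes happen to contain that UTF-16LE string would be reported as encrypted, not only a container that actually has the stream. How `$tdata` is filled lies outside the hunk, so the search may already be limited to the OLE header. If the check is meant as a heuristic, say so beside it, e.g. `# heuristic: substring match on the stream name, not a parsed directory entry`. The sub also reaches its closing `}` without an explicit value when neither test matches; a `return 0;` before that brace would make the negative result explicit. `_is_encrypted_doc` starts before this hunk, and the trunk copy of the file receives the identical change.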

Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm?rev=1872936&r1=1872935&r2=1872936&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEVBMacro.pm Fri Jan 17 23:30:50 2020
@@ -95,6 +95,8 @@ my $marker2 = "\x00\x41\x74\x74\x72\x69\
 my $marker3 = "\x5c\x6f\x62\x6a\x65\x6d\x62";
 my $marker4 = "\x5c\x6f\x62\x6a\x64\x61\x74";
 my $marker5 = "\x5c\x20\x6f\x62\x6a\x64\x61\x74";
+# Excel .xlsx encrypted package, thanks to Dan Bagwell for the sample
+my $encrypted_marker = "\x45\x00\x6e\x00\x63\x00\x72\x00\x79\x00\x70\x00\x74\x00\x65\x00\x64\x00\x50\x00\x61\x00\x63\x00\x6b\x00\x61\x00\x67\x00\x65";
 
 # this code burps an ugly message if it fails, but that's redirected elsewhere
 # AZ_OK is a constant exported by Archive::Zip
@@ -838,6 +840,9 @@ sub _is_encrypted_doc {
     if (index($tdata, "E n c r y p t e d P a c k a g e") > -1) {
       return 1;
     }
+    if (index($tdata, $encrypted_marker) > -1) {
+      return 1;
+    }
   }
 }