{http,smtp}/entities: Align header regexes with extract_filename_from_content_disposition()

Arne Welzel 2022-10-18 19:53:46 +02:00 committed by Tim Wojtulewicz
parent 6ef9423f3c
commit 8b04868de3
6 changed files with 43 additions and 3 deletions

CHANGES

@ -1,3 +1,37 @@
5.2.0-dev.209 | 2022-11-08 16:44:48 -0700
* {http,smtp}/entities: Align header regexes with extract_filename_from_content_disposition() (Arne Welzel, Corelight)
* analyzer/HTTP: Call TCP_ApplicationAnalyzer::Done() after RequestMade()/ReplyMade() (Arne Welzel, Corelight)
* file_analysis/Analyzer: Limit maximum number of violations (Arne Welzel, Corelight)
Just the same as for protocol analyzers, prevent from violation event overload.
* test: Add btest verifying max_analyzer_violations functionality (Arne Welzel, Corelight)
The pcap has been generated roughly based on the example found on wikipedia
with some added garbled response after the STAT command from the client.
* analyzer: Cap analyzer violations at 1000 per analyzer instance (Arne Welzel, Corelight)
* Report an error if a key is too big for a DictEntry (Tim Wojtulewicz, Corelight)
* Use larger size variable for DictEntry key_size to avoid overflows with big keys (Tim Wojtulewicz, Corelight)
* ftp: Limit pending commands to FTP::max_pending_commands (default 20) (Arne Welzel, Corelight)
* Update baselines after AnalyzePacket changes (Arne Welzel, Corelight)
Mainly, for bad headers we do not (can not) put addresses into
the log anymore. Some were rather obviously bogus previously
already.
* protocol/ip: Only attach IP_Hdr to Packet if valid (Arne Welzel, Corelight)
Ensure packet->ip_hdr is not set (so no one can assume it's valid)
when AnalyzePacket() found something weird with the header.
5.2.0-dev.198 | 2022-11-07 11:47:53 +0100 5.2.0-dev.198 | 2022-11-07 11:47:53 +0100
* Bump documentation. * Bump documentation.
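Review bot: the CHANGES entry for this commit (first added line of the hunk) only says the regexes were "aligned" and gives no user-visible effect; state what changed in behaviour, i.e. that the HTTP and SMTP entity code now extracts a filename only when the Content-Disposition value carries a `filename=` or `filename*=` parameter (with optional blanks before the `=`) rather than whenever the word `filename` appears anywhere in the value, so that someone reading release notes can tell whether their logs will change.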


@ -1 +1 @@
5.2.0-dev.198 5.2.0-dev.209


@ -98,7 +98,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
} }
if ( name == "CONTENT-DISPOSITION" && if ( name == "CONTENT-DISPOSITION" &&
/[fF][iI][lL][eE][nN][aA][mM][eE]/ in value ) /[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*\*?=/ in value )
{ {
c$http$current_entity$filename = extract_filename_from_content_disposition(value); c$http$current_entity$filename = extract_filename_from_content_disposition(value);
} }
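Review bot: the new pattern on the `if` line, `/[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*\*?=/`, is still an unanchored substring match, so a `filename=` sequence inside the quoted value of a different parameter (for example `name="a; filename=b"`) still triggers extraction, and it only allows blanks before the optional `*`, so `filename* = v` (which HTTP/1.1's implied LWS permits) is not matched while `filename *= v` is. Since the stated goal is alignment with extract_filename_from_content_disposition(), please confirm that helper accepts exactly the same shapes (blank handling and `*` placement), otherwise the condition and the extraction can still disagree on edge-case headers.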


@ -63,7 +63,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
} }
if ( h$name == "CONTENT-DISPOSITION" && if ( h$name == "CONTENT-DISPOSITION" &&
/[fF][iI][lL][eE][nN][aA][mM][eE]/ in h$value ) /[fF][iI][lL][eE][nN][aA][mM][eE][[:blank:]]*\*?=/ in h$value )
c$smtp$entity$filename = extract_filename_from_content_disposition(h$value); c$smtp$entity$filename = extract_filename_from_content_disposition(h$value);
if ( h$name == "CONTENT-TYPE" && if ( h$name == "CONTENT-TYPE" &&
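Review bot: this `if` line repeats the same regex literal as the HTTP hunk; define it once as a `const` pattern next to extract_filename_from_content_disposition() (the module that owns the helper) and reference it from both the HTTP and SMTP sites, so the two cannot drift apart again, which is exactly the problem this commit is correcting. Minor: the SMTP body on the `c$smtp$entity$filename = ...` line is brace-less while the HTTP version uses braces; matching form at both sites keeps the next diff easier to compare.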


@ -2,6 +2,9 @@
Economy Economy
US-$ rates US-$ rates
\xa3 rates \xa3 rates
filename.jpg
fieldName
fieldName
test-prefix_141.142.220.118:48649-208.80.152.118:80_test-suffix test-prefix_141.142.220.118:48649-208.80.152.118:80_test-suffix
test-prefix_141.142.220.118:48649-208.80.152.118:80 test-prefix_141.142.220.118:48649-208.80.152.118:80
141.142.220.118:48649-208.80.152.118:80_test-suffix 141.142.220.118:48649-208.80.152.118:80_test-suffix
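Review bot: the third added baseline line is `fieldName`, yet the corresponding new test input (third added print in the test hunk) is `form-data; filename="filename.jpg"; name="fieldName"`, which carries an explicit `filename` parameter; a baseline that expects the `name` value there pins behaviour where extract_filename_from_content_disposition() prefers whichever `name=`-like parameter comes last, not the `filename` parameter. If that is the accepted behaviour, a comment in the test should say so; if not, the helper should prefer `filename`/`filename*` regardless of parameter order and the baseline should read `filename.jpg`.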


@ -17,4 +17,7 @@ event zeek_init()
print extract_filename_from_content_disposition("attachment; filename=Economy"); print extract_filename_from_content_disposition("attachment; filename=Economy");
print extract_filename_from_content_disposition("attachment; name=\"US-$ rates\""); print extract_filename_from_content_disposition("attachment; name=\"US-$ rates\"");
print extract_filename_from_content_disposition("attachment; filename*=iso-8859-1'en'%A3%20rates"); print extract_filename_from_content_disposition("attachment; filename*=iso-8859-1'en'%A3%20rates");
print extract_filename_from_content_disposition("form-data; name=\"fieldName\"; filename=\"filename.jpg\"");
print extract_filename_from_content_disposition("form-data; name=\"fieldName\"");
print extract_filename_from_content_disposition("form-data; filename=\"filename.jpg\"; name=\"fieldName\"");
} }
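Review bot: the three added prints only exercise the helper, not the new `[[:blank:]]*\*?=` conditions in the HTTP and SMTP hunks, so nothing in this change verifies that the event guard and the helper actually agree; add a case with a blank before the `=` (e.g. `attachment; filename = "a.txt"`) and one where `filename` appears without a following `=` (e.g. `inline; name="filename"`), and ideally a pcap-driven btest for http.log/smtp entity filenames, so the alignment the commit title promises is covered rather than assumed.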