From f6e7ea43c37cf6ed8215bc40f6c390e538c63281 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 28 Aug 2023 16:58:36 +0200
Subject: [PATCH] http/smtp: Fix wrong character class usage A call to `extract_filename_from_content_disposition()` is only efficient if the string is guaranteed to contain the pattern that is removed by `sub()`. Due to missing brackets around the `[:blank:]` character class, an overly long string (756kb) ending in "Type:dtanameaa=" matched the wrong pattern causing `sub()` to exhibit quadratic runtime. Besides that, we may have potentially extracted wrong information from a crafted header value. (cherry picked from commit 6d385b1ca724a10444865e4ad38a58b31a2e2288)
---
 scripts/base/protocols/http/entities.zeek | 2 +-
 scripts/base/protocols/smtp/entities.zeek | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/base/protocols/http/entities.zeek b/scripts/base/protocols/http/entities.zeek
index 4b4c8a8c67..2f21ea54e4 100644
--- a/scripts/base/protocols/http/entities.zeek
+++ b/scripts/base/protocols/http/entities.zeek
@@ -103,7 +103,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 c$http$current_entity$filename = extract_filename_from_content_disposition(value);
 }
 else if ( name == "CONTENT-TYPE" &&
- /[nN][aA][mM][eE][:blank:]*=/ in value )
+ /[nN][aA][mM][eE][[:blank:]]*=/ in value )
 {
 c$http$current_entity$filename = extract_filename_from_content_disposition(value);
 }
diff --git a/scripts/base/protocols/smtp/entities.zeek b/scripts/base/protocols/smtp/entities.zeek
index 20fdfd816b..2dc4e6eac3 100644
--- a/scripts/base/protocols/smtp/entities.zeek
+++ b/scripts/base/protocols/smtp/entities.zeek
@@ -67,7 +67,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
 c$smtp$entity$filename = extract_filename_from_content_disposition(h$value);
 if ( h$name == "CONTENT-TYPE" &&
- /[nN][aA][mM][eE][:blank:]*=/ in h$value )
+ /[nN][aA][mM][eE][[:blank:]]*=/ in h$value )
 c$smtp$entity$filename = extract_filename_from_content_disposition(h$value);
 }
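Review bot: Nothing on the corrected `CONTENT-TYPE` guard records that it has to agree with the pattern `sub()` removes inside `extract_filename_from_content_disposition()`, which per the commit message is the only thing keeping that call from going quadratic on a long crafted header value; the identical guard in the `http_header` hunk above has the same gap. I would put a comment above both conditions, e.g. `# Keep in sync with the pattern stripped in extract_filename_from_content_disposition(); a mismatch makes sub() quadratic on long values.` The diffstat lists only the two scripts, so the fix ships without a regression test; one that passes an oversized Content-Type value lacking a real `name=` parameter through both handlers and bounds the runtime would catch a recurrence. The helper and the rest of both event handlers lie outside these hunks, so whether the helper's own pattern brackets `[[:blank:]]` correctly cannot be confirmed from here.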