http/smtp: Fix wrong character class usage

A call to `extract_filename_from_content_disposition()` is only
efficient if the string is guaranteed to contain the pattern that
is removed by `sub()`. Due to missing brackets around the `[:blank:]`
character class, an overly long string (756kb) ending in
"Type:dtanameaa=" matched the wrong pattern causing `sub()` to
exhibit quadratic runtime. In addition, we may have extracted
wrong information from a crafted header value.

(cherry picked from commit 6d385b1ca724a10444865e4ad38a58b31a2e2288)
Arne Welzel 2023-08-28 16:58:36 +02:00 committed by Tim Wojtulewicz
parent 9af7d830e7
commit f6e7ea43c3
2 changed files with 2 additions and 2 deletions


@ -103,7 +103,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
c$http$current_entity$filename = extract_filename_from_content_disposition(value);
}
else if ( name == "CONTENT-TYPE" &&
/[nN][aA][mM][eE][:blank:]*=/ in value )
/[nN][aA][mM][eE][[:blank:]]*=/ in value )
{
c$http$current_entity$filename = extract_filename_from_content_disposition(value);
}
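Review bot: The `CONTENT-TYPE` guard has no comment recording that it must stay in step with the pattern `sub()` removes inside `extract_filename_from_content_disposition()`, and per the commit message that coupling is what keeps the call from going quadratic on a long header value. I would add above the `else if` something like `# Guard must only pass values containing the pattern that sub() strips in extract_filename_from_content_disposition(); a mismatch makes sub() quadratic on long values.` The same literal pattern is repeated in the `mime_one_header` handler in the second file, so one shared `const` pattern referenced from both handlers would keep the two copies from drifting apart. The body of `http_header` starts and ends outside this hunk.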


@ -67,7 +67,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=5
c$smtp$entity$filename = extract_filename_from_content_disposition(h$value);
if ( h$name == "CONTENT-TYPE" &&
/[nN][aA][mM][eE][:blank:]*=/ in h$value )
/[nN][aA][mM][eE][[:blank:]]*=/ in h$value )
c$smtp$entity$filename = extract_filename_from_content_disposition(h$value);
}
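Review bot: The corrected guard `/[nN][aA][mM][eE][[:blank:]]*=/` is still unanchored on the left, so any parameter whose name merely ends in "name" passes it, both here and in the `http_header` handler. Whether that matters depends on the pattern inside `extract_filename_from_content_disposition()`, which is not visible on this page; if the helper only strips `name=` at a parameter boundary, the guard can still admit values where `sub()` finds nothing to remove, which is the slow case the commit message describes. Requiring a separator first, e.g. `/[;[:blank:]][nN][aA][mM][eE][[:blank:]]*=/ in h$value`, would tighten it, provided the helper's pattern agrees. Neither of the two changed files appears to be a test, so a regression case with a long value that lacks a real `name=` parameter would be worth adding.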